I have one as a 'last resort' option. It's got backups of BitWarden, Aegis and Standard Notes and is only connected to my machine during backups.
Privacy
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
I have this device and use it to store my keepassxc and onlykey backups, and it's useful to me because I've stopped using passwords (I only need to remember the pins for these devices which can unlock my keepass dbs that have everything else).
It seems secure enough for my use case, especially since the files I store in it are themselves encrypted (the onlykey backup still requires a pin), but I still want them to be difficult to access.
I've had to rely on it before but only because I didn't prepare a backup onlykey ahead of time- ideally it should be one of many recovery methods. But so far it's worked great for me.
Seems like it's a good starting point.
I wonder if you can encrypt the files prior to storing them on the key, which would then encrypt them a second time with a different method. Would the compromise the data in any meaningful way? Or would it mean that you had to decrypt the key and then decrypt the data a second time?
I believe you would have to decrypt them a second time. For example if you wanted to be real secure you could have the USB device, an encrypted folder that holds important documents and files you want to back up, and inside of that could be a password database that requires a Yubikey or similar device.
I believe what you are talking about is kind of like using a combination of cascading algorithms like AES->Twofish–>Serpent.
I could be wrong though. If I am I hope someone can correct me.
I use them in my job and I find them better than the software only solution and I like them when I have to use them for sensitive file transfers.
I see one use-case, If you're going w/ sth illegal as hell to a place where you might get arrested and searched for just being there i.e a protest, nuking your (illegal) data might save your ass.
Couldn't the data be cloned and cracked off device without having to worry about the pin code?
Yes, but it's meant to be difficult to do. Encryption algorithms are designed and chosen to be expensive to crack, so that you'd need NSA-level clusters to find the key in our lifetime.
I don't know if you could attack the encryption controller itself to brute-force the PIN to release the key. I assume in theory it's possible, but unless you're a very desirable target, they probably won't spend the effort, and attack something weaker. Like your cell phone, or your kneecaps.
If they did it right it'd not store the key, but instead use something like PBKDF2
I have a USB drive with a keypad on it, it stores my FIPS Compliant SSH-key for IL-5 government systems. I unlock it to add my key into my ssh-agent, and don't use it for anything else. Though it is an 8gig USB stick, so I could in theory run some kind of security/pen testing flavor of linux plus a VPN Client to connect to said systems.
Is there a specific benefit to that over something like a security key with a keypad, or even just a passphrase?
The government is slow, so using a yubikey isn't authorized, but the datasur pro is, and the private key does have a passphrase.