High Security on Mac/Linux Using GPG and a ThumbDrive

Using the free GNU Privacy Guard (GPG) and a USB thumb drive (often handed out as promotional giveaways, and available for under $10 in small capacities), you can set up strong encryption for sensitive files on your computer (GPG encrypts the file contents with a symmetric cipher, AES by default in current versions, and protects that session key with your public key). The process splits the means of decrypting sensitive data into three distinct components:

  • the encrypted file(s)–on your computer
  • the private key needed to decrypt the files–on your thumbdrive
  • the passphrase that unlocks the private key–in your head

The process is simple and affords a great degree of security to your encrypted files, because all three components must be assembled to decrypt the data–a difficult task for a laptop thief or even a nosy coworker, especially if you remove the thumb drive from your computer whenever you are not using it. Two caveats: the scheme protects only the encrypted copies, so decrypted files, editor temporary files and anything gpg-agent caches while you work are not covered by it; and a lost or failed thumb drive takes the private key with it, so keep an offline backup of the exported secret key (for example on a second drive in a safe place) or the encrypted files become unrecoverable.

Mounting a USB device on Linux is slightly trickier than on a Mac, although current desktop distributions mount removable drives automatically; for a good discussion of the issues, see this post. Once the device is mounted, copy your .gnupg directory to it (e.g. cp -r .gnupg /Volumes/cryptkey). Verify the copy before touching the original: check that the directory exists and that gpg --homedir /Volumes/cryptkey/.gnupg --list-secret-keys lists your key. Only then remove .gnupg from your home directory and replace it with a symbolic link to the directory on the USB device (e.g. ln -s /Volumes/cryptkey/.gnupg .gnupg). From now on GPG only works while the device is mounted. Note that many thumb drives come FAT-formatted, and FAT cannot store Unix file permissions, so GPG will complain about unsafe permissions on its home directory; either live with the warning or reformat the drive with a native filesystem (HFS+/APFS on a Mac, ext4 on Linux).

Always unmount the USB device properly (drag its icon to the trash on a Mac, or eject it from the desktop or run umount on Linux) before physically removing it, or you could corrupt its contents, including your keyring. This approach is particularly useful when combined with a GPG email plugin. For Thunderbird, for example, I use enigmail.
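The relocation procedure above as a single script, added here as an example and not part of the original article. It assumes the drive is already mounted at $CRYPTKEY (default /Volumes/cryptkey) and that $GNUPG_HOME_DIR (default $HOME/.gnupg) holds the keyring; the function names, the env variable names and the .local-backup suffix are this example's own choices. It differs from the bare cp/rm/ln sequence in two ways a practitioner wants: the copy is compared byte for byte before the original is touched, and the original is renamed aside rather than deleted, so nothing is destroyed until you have confirmed with gpg that the relocated keyring works.

```shell
#!/bin/sh
# relocate_gnupg.sh: move ~/.gnupg onto a mounted thumb drive, leave a symlink.
# Example code for this article, not the author's own script.
set -eu

# copy_keyring SRC DEST: copy the keyring to the drive, then verify the copy
# byte for byte. Returns non-zero, with SRC untouched, if anything is off.
copy_keyring() {
    src=$1; dest=$2
    [ -d "$src" ] || { echo "no keyring at $src" >&2; return 1; }
    [ ! -e "$dest" ] || { echo "$dest already exists, refusing to overwrite" >&2; return 1; }
    mkdir -p "$(dirname "$dest")"
    cp -R "$src" "$dest"
    # A FAT-formatted drive cannot store Unix modes; gpg will then warn about
    # unsafe permissions on its homedir, but the keyring still works.
    chmod -R go-rwx "$dest" 2>/dev/null \
        || echo "warning: could not restrict permissions on $dest (FAT drive?)" >&2
    diff -r "$src" "$dest" >/dev/null
}

# link_keyring SRC DEST: rename the original aside (not rm -rf) and replace it
# with a symlink to DEST, so gpg only works while the drive is mounted.
link_keyring() {
    src=$1; dest=$2
    [ -d "$dest" ] || { echo "$dest missing; is the drive mounted?" >&2; return 1; }
    [ ! -L "$src" ] || { echo "$src is already a symlink, nothing to do" >&2; return 1; }
    mv "$src" "$src.local-backup"
    ln -s "$dest" "$src"
}

# keyring_target PATH: print where the symlink points, or nothing if it is not one.
keyring_target() {
    [ -L "$1" ] && readlink "$1" || true
}

# check_keyring DEST: ask gpg to list the secret keys in the relocated homedir.
# Run this by hand after linking; once it lists your key, securely delete the
# .local-backup copy (srm on older Macs, shred on Linux).
check_keyring() {
    gpg --homedir "$1" --list-secret-keys
}

main() {
    home_dir=${GNUPG_HOME_DIR:-${HOME}/.gnupg}
    drive_dir=${CRYPTKEY:-/Volumes/cryptkey}/.gnupg
    copy_keyring "$home_dir" "$drive_dir"
    link_keyring "$home_dir" "$drive_dir"
    echo "$home_dir -> $(keyring_target "$home_dir")"
    echo "now verify with: gpg --homedir $drive_dir --list-secret-keys"
    echo "then securely delete $home_dir.local-backup"
}

# Run main only when executed as relocate_gnupg.sh, not when sourced.
case ${0##*/} in relocate_gnupg.sh) main ;; esac
```

Run it as `CRYPTKEY=/Volumes/cryptkey sh relocate_gnupg.sh` (or with the mount point your Linux desktop chose). To undo, remove the symlink and move the .local-backup directory back into place while the drive is still mounted.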