
Create a physical, removable USB-based Keychain System
Taking a page from the good folks over at 2600.org, I've made the Keychain a physical key that has to be plugged into your computer to have access to all your passwords, using a USB hard drive (those little 16 to 128MB drives that start at around $30). It's cool, and it does add a bit of security to your system in case your laptop gets stolen, or your computer crashes and you lose all your passwords.

What you do is insert your USB drive into your USB slot, and copy your existing Keychain file over to the USB drive (in your home directory, ~/Library -> Keychain). Open up Keychain Access (/Applications -> Utilities -> Keychain Access), and go to File -> Add Keychain. Navigate to your USB drive, and select your keychain file. Once done, remove your old Keychain file from your Keychain folder, and voila, you have a removable Keychain (you might want to keep a backup of your keychain file though, just in case!).

Every time you log in, plug in your USB drive; for the best results, I usually plug it in before the computer has finished booting. The first time you use a program that accesses the Keychain, it will ask to unlock your keychain password; type the password in, and your keychain works from your USB drive.

The caveats I've discovered are these: to unplug your USB drive nicely (i.e. eject it from the desktop using the OS), you have to log out. Mind you, when I put my debugger hat on, I just unplugged the USB drive without doing it nicely all the time, and I haven't had a problem yet. Also, any programs that you have booting as a login item (like MSN messenger) will not work using the USB Keychain, because it seems the drive gets mounted after the login items are run.

I don't know if everyone will find it useful, and it's definitely not as technical as a lot of the articles I've read around here, but I've used macosxhints as a resource enough, I thought I'd contribute an idea.

Create a physical, removable USB-based Keychain
Authored by: kevinv on May 27, '03 10:41:53AM

I keep my SSH private key on a USB disk too. Then I edited my .ssh_config to point to the USB drive to get the key. That way I can turn off password log-ins for my servers (I have a long pass-phrase on the ssh key) and get a more secure server.

The file with the ssh key in it has to be readable only by just the user -- which you can't do with a DOS formatted drive so I had to format my card as either UFS or HFS+ (I forget which I used).



[ Reply to This | # ]
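
The permission requirement described in the comment above can be checked before connecting. This script is an added example, not part of the original thread, and its function names are hypothetical: it lists every IdentityFile in an ssh client config and reports whether each key is missing (for a key on removable media, the volume is not mounted), accessible to group or others, or acceptable.

```shell
#!/bin/sh
# Added example, not from the original thread; function names are hypothetical.

# Classify one private key file:
#   ok        exists and grants nothing to group or others
#   too-open  exists but group/other permission bits are set
#   missing   not present (e.g. the USB volume is not mounted)
key_status() {
    key=$1
    if [ ! -f "$key" ]; then
        echo missing
        return
    fi
    # In the ls mode string, characters 5-10 are the group and other bits.
    bits=$(ls -ld "$key" | cut -c5-10)
    if [ "$bits" = "------" ]; then
        echo ok
    else
        echo too-open
    fi
}

# Print "<status> <path>" for each IdentityFile line in an ssh client config.
# The keyword is matched case-insensitively. A leading ~/ is expanded to
# $HOME; quoted paths and ssh tokens such as %d or %u are not handled.
check_identity_files() {
    config=$1
    awk 'tolower($1) == "identityfile" {
             sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword, keep the path
             print
         }' "$config" |
    while IFS= read -r path; do
        case $path in
            "~/"*) path=$HOME/${path#"~/"} ;;
        esac
        printf '%s %s\n' "$(key_status "$path")" "$path"
    done
}

# Stand-alone use: pass the path of the ssh client config to inspect.
if [ $# -gt 0 ]; then
    check_identity_files "$1"
fi
```

A `too-open` result that persists after `chmod 600` on a DOS-formatted volume is the situation the comment describes: that filesystem does not store per-file Unix permissions.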
You want me to do what?
Authored by: AMacAddict on May 27, '03 11:49:12AM

I'll agree that not everyone will find this useful, but only because it requires action on the part of the user. Anyone else in computer support will probably understand this instantly. The problem is not the idea, rather the same problem encountered in the importance of backing up your computer. Everyone should do it, all the time, but it's rare that it's taken seriously. Ask someone if they want better security, and the answer will undoubtedly be yes. Ask the same person to spend a little money and time to get it, and see what happens. This is the future of security, but until your new Mac comes with a Keychain keychain (heh) people won't do it. It will be more up to Apple to support this kind of sensible solution to security in software/hardware. I can't wait until you are wirelessly authenticated by the tiny device in your pocket or built into your watch as you approach any computer, and logged out when you walk out...



[ Reply to This | # ]
You want me to do what?
Authored by: Anonymous on May 27, '03 01:06:17PM
I can't wait until you are wirelessly authenticated by the tiny device in your pocket or built into your watch as you approach any computer, and logged out when you walk out...

That might be an interesting business opportunity... I'm surprised someone hasn't already done it, given that Apple already supports Bluetooth.

Jim

[ Reply to This | # ]
You want me to do what?
Authored by: Hanji on May 29, '03 03:04:28PM

It seems that a watch or a device in a pocket would be a lot easier to steal than a password...
And if someone does get it, you'd be helpless to get in and change the password to lock them out again
So it would have to be used in conjunction with biometrics or some other method of identifying users.



[ Reply to This | # ]
You want me to do what?
Authored by: Barty on May 27, '03 01:06:47PM

>>> I can't wait until you are wirelessly authenticated by the
>>> tiny device in your pocket or built into your watch as you
>>> approach any computer, and logged out when you walk
>>> out...
Maybe I'm wrong, but I think you can already do that with a TI68 and associated sharewares... Bluetooth authentication coming from your phone (yes, the one you always keep in your pocket).

---
Veni, Vidi, Barty !



[ Reply to This | # ]
You want me to do what?
Authored by: phlash on May 27, '03 03:31:25PM

you mean like clicker? http://homepage.mac.com/jonassalling/Shareware/index.html



[ Reply to This | # ]
You want me to do what?
Authored by: marook on May 27, '03 04:05:19PM

>I can't wait until you are wirelessly authenticated by the tiny
>device in your pocket or built into your watch as you approach
>any computer, and logged out when you walk out...

Well, like suggested, this is possible by Salling Clicker, and your Sony/Ericsson Bluetooth enabled phone.

It's called Proximity sensing, and works like a charm.
But that is only one of several other cool things Clicker does...

---
/Marook



[ Reply to This | # ]
Clicker for Tungsten T...?
Authored by: Han Solo on May 27, '03 10:36:30PM
... or any other BlueTooth device besides the Sony Ericsson phones? Or a program with similar capabilities for alternative BlueTooth devices? TIA.

[ Reply to This | # ]
Well...
Authored by: AMacAddict on May 29, '03 07:35:40AM

What I meant is I can't wait until there's wireless pocket authentication that's easy, built-in, and available to everyone, not just people with a certain phone or gadget, supported third-party. When this happens, your pocket I.D. could carry your login prefs and other such things, so if you went to work, or a friend's house, or a public computer, you'd get logged in, presented with your own desktop, with your own user home connected via internet. Seamless transitions wherever you go...



[ Reply to This | # ]
Fingerprint security & keychains
Authored by: anandman on May 27, '03 01:58:56PM
I actually have a USB hard drive with a built-in fingerprint reader that works well with the Mac [BioSlimDisk]. This allows for even greater security than a normal USB drive. With this drive, once you get it setup, you have to use your fingerprint after you plug it in before it will mount. The nice thing about this particular one is that it doesn't require a special driver on the Mac.

As for storing the Keychain on the USB drive, I found that if you ever eject the drive, Mac OS X automatically saves the Keychain (from memory presumably) back into the default location in ~/Library/Keychains and uses that instead of the one on your USB drive. Annoying! I would really like the OS to complain if it can't find the Keychain file because the USB drive is missing.

[ Reply to This | # ]

Fingerprint security & keychains
Authored by: tcurtin on May 27, '03 04:09:52PM
could you maybe get around this by making an alias or a ln -s link from the standard position to the USB drive? Hopefully, the OS would try to overwrite and wouldn't be able to. As a bonus, even if it started trying to use the standard location again, it would still point at the USB drive! I did something along these lines with my mail directory to store it on an encrypted disk image - works like a charm.

Btw, to make the link, enter the following from a terminal window:
ln -s /Volumes/USBDISKNAMEHERE /wherever/the/standard/file/location/is

[ Reply to This | # ]

Fingerprint security & keychains
Authored by: anandman on May 30, '03 03:42:07AM

I tried creating a link as well and this resulted in the same thing whenever the Mac found that the link was broken because the USB drive was missing.

-anand



[ Reply to This | # ]
Fingerprint security & keychains
Authored by: ocelot_wreak on May 27, '03 06:19:27PM

Can you tell us where you got one (BioSlimDisk), as there don't appear to be any available at the regular geek-like electro-outlets, or anything retail on Google?

Curious minds want to know...

Regards,
ocelot wreak



[ Reply to This | # ]
Fingerprint security & keychains
Authored by: davidnorton on May 27, '03 10:39:13PM
I did some looking (fingerprint security?! wow!) and found it on devdepot.com for $145 for 128MB. It's a cool product, but too expensive for me. The hint is sweet though -- I am going to buy an el-cheapo USB disk just for this reason when I buy a laptop.

[ Reply to This | # ]
Fingerprint security & keychains
Authored by: 007 on Dec 31, '03 09:58:49AM

I think you got hosed....

I bought the latest biometric USB drive from
Imagenix.com
and got 128Mbytes for only 149.95
and the fingerprint sensor chip is 200x200 pixels (4 times the old technology).
Cheaper and better !!!



[ Reply to This | # ]
Create a physical, removable USB-based Keychain
Authored by: foniks2020 on May 27, '03 06:53:12PM

Does anyone know or has tried using one Keychain for multiple machines? I would love to be able to share my account passwords between my laptop and my tower. No more having to sync up the Keychain.



[ Reply to This | # ]
Create a physical, removable USB-based Keychain
Authored by: launchpad on May 28, '03 01:25:29PM

I haven't tried it, but it should work; you just go to each machine you want to use the USB drive, and using the Keychain Access program like in the main post; you delete the default key, open the key on your USB drive, and make it the default.

What I was thinking of doing next, extending your idea here a bit, is using this USB drive password trick in conjunction with Network Home folders for the users on my network. That way the users have to plug in their USB drive to get access to their passwords.



[ Reply to This | # ]
Create a physical, removable USB-based Keychain
Authored by: carsten on May 27, '03 11:31:01PM

Sounds like this hint would work with an iPod too, so long as you have its disk mode turned on to mount it in the Finder.

The iPod's dimensions are not as tiny (key-like) as the little USB hard drives though, so it may not be as cool a trick for impressing your coworkers. ;)



[ Reply to This | # ]
PGP keys
Authored by: paulrob on May 28, '03 04:08:27AM

I keep my important data encrypted on my Mac with PGP - I live in a bad part of town, and am sometimes surprised to see my Mac still around when I get home!

I keep all the keys for PGP on my iPod and I've told PGP where they are. No problems at all - except you've got to remember to hook it up. Which sort of brings us back to the comment made earlier by AMacAddict. A security system that requires you to physically do something is not really security at all because people eventually slip up.



[ Reply to This | # ]
PGP keys
Authored by: slytle on May 28, '03 07:29:46AM

"A security system that requires you to physically do something is not really security at all because people eventually slip up."

This is just another layer of security. You still have it password protected, right? So now, instead of someone having to guess your passwords, they have to find your ipod or usb drive, figure out how to use it, if they aren't very computer literate, and then guess your passwords. Just one more layer to discourage people. Nothing is 100% secure. The object of security is to make it difficult enough that people will just give up...



[ Reply to This | # ]
PGP keys
Authored by: launchpad on May 28, '03 01:32:30PM

Agreed. Good security has a lot of layers - physical, electronic, etc.

Have you also enabled the mac-version of a BIOS password using 'Open Firmware Password'? Might be a nice extra bit of security, since it sounds like it's an issue where you are.



[ Reply to This | # ]
Create a physical, removable Home
Authored by: englabenny on May 28, '03 10:18:43AM

Anyone who has tried to put their entire home folder on a USB-keychain-disk? I think that would be really cool, if you had a disk with enough space... It is doable, right?



[ Reply to This | # ]
Create a physical, removable Home
Authored by: 77ric on May 28, '03 04:56:51PM

I believe this is possible with an iPod, or it was pre-Jaguar, you just copied your home to the iPod and then modify the home location in NetInfo Manager then delete your home folder from your mac, just make sure that you plug in the iPod before you log in.

Essentially it would be like moving your home folder to another disc or partition.



[ Reply to This | # ]
Create a physical, removable Home
Authored by: IslandDan on May 29, '03 10:39:15AM

Did it yesterday with a few command lines. But USB 1.1 is _slow_ and Apple does not yet support USB 2.0 nor are USB 2.0 flash drives available yet. Even with USB 2.0 flash drives the flash memory is inherently slow.



[ Reply to This | # ]
Sony makes it.
Authored by: phillipc on Jun 06, '03 10:44:18AM

They have had a USB 2.0 in 128 & 256 since about Feb.

---
PhillipC



[ Reply to This | # ]
Create a physical, removable USB-based Keychain
Authored by: mbolding on May 28, '03 05:46:15PM

If you lock the keychain you can unmount the drive just fine.
At least that works for me....



[ Reply to This | # ]
Create a physical, removable USB-based Keychain
Authored by: IslandDan on May 28, '03 07:35:11PM

Get a secure USB drive, that is one that requires a password to access it and then if it is lost or stolen the passwords will be safe. I put my KeyChain and ssl certs on it so I can use any computer to access my sites.



[ Reply to This | # ]
Create a physical, removable USB-based Keychain
Authored by: cybermill on May 29, '03 03:33:06AM

I would like to see a key for all laptops as just part of the hardware. If you remove the key the laptop is unusable until you get another key at which you could reformat the drive but could not recover the data. This came up when my brother recently lost his laptop and all his good info passwords, accounts etc was on the drive. If all drives were encrypted by default then only when the appropriate key was present would the local drives become decrypted. This of course would not be a usb key that sticks off the side of the laptop but something more elegant that is integrated to the design of the machine. Course you could have multiple keys, just in case.

---
Cybermill Communications
http://www.cybermill.com http://www.merchantmaker.com

Providing Ecommerce and interactive website development and
hosting s



[ Reply to This | # ]
Create a physical, removable USB-based Keychain
Authored by: IslandDan on May 29, '03 10:42:29AM

>brother recently lost his laptop and all his good info passwords, accounts etc

This is why a USB drive is a good place to store this kind of information -- he would still have it and the thief would not.



[ Reply to This | # ]
Create a physical, removable USB-based Keychain
Authored by: IslandDan on May 30, '03 08:12:43AM

I noticed that CompUSA has an advertised special at the moment for a 128MB Lexar Media Jump Drive (USB Drive) for $29.95--at least at my local store. This is below their cost!

Interestingly enough they are advertising another brand on their checkout monitors for $79.95--go figure!



[ Reply to This | # ]
Create a physical, removable USB-based Keychain
Authored by: tnagpal on Jun 01, '03 02:49:30PM

So has anyone solved the issue of the keychain saving the file to the default location if the usb keychain is removed?



[ Reply to This | # ]
after testing
Authored by: davidnorton on Jun 04, '03 11:02:04PM
Here is what I have figured out from my testing (I just bought a Lexar 128MB JumpDrive at Amazon.com for $30 after a $10 rebate):

  • I really needed to clean out my keychain file! Half of it was stuff I didn't need anymore.
  • I kept the primary keychain on the hard disk and keep the 'family' passwords on it, since they probably wouldn't be happy if they couldn't check email when I'm not around with my drive.
  • I could eject the USB drive by dragging it to the trash only if there were no applications open that used that keychain. Once I quit those, I can eject the drive and unplug it. I didn't even need to lock the keychain.
  • When the drive was not mounted, going to a website that normally grabbed a password from my keychain instead just displayed the page normally. When checking email in Mail it asked me for my email password.

    No new files have been created in my keychains folder. This is probably due to keeping the primary keychain (see above).

    [ Reply to This | # ]
    more testing
    Authored by: davidnorton on Jun 05, '03 03:23:56PM
    If I login with the drive plugged in, I can't nicely eject the drive until I logout.

    Better to plug the drive in after I log in.

    [ Reply to This | # ]

    More on this front...
    Authored by: launchpad on Jun 18, '03 08:12:53PM

    Just saw this article on a beefed-up, commercial version of the underlying problem addressed by this solution. It is a solution in between what I originally wrote and the sub-thread here on the biometric USB hard drive.

    http://www.macminute.com/2003/06/18/sonypuppy



    [ Reply to This | # ]
    Put it on your keyring and use it like a key
    Authored by: digitalone on Jun 20, '03 01:32:29AM

    This is just a suggestion, and I haven't checked into the viability of this, but you set it up so the USB drive doesn't work with the keychain. You could have a script in place that when a drive is mounted with that specific name or UUID, it executes a script on the key itself. This could contain ANY kind of security method, PGP, automatic, a password prompt, whatever level you want. You can lock the screen and unlock it through scripts, and enter passwords and call keychains. This way, as long as your chosen security method is valid on any machine you set up, this system will allow you not to have to change any keychains and the like, giving you access to multiple computers.

    My idea is have the USB drive act as a key. When I insert it, it locks or unlocks the computer. This way I don't have to leave the key in. I can open my laptop, stick the key in and unlock it, then put my keys back in my pocket. When I put it away, I can just pop it back in, and after it locks I can put it away.

    Just an idea.

    Sean



    [ Reply to This | # ]
    Create a physical, removable USB-based Keychain
    Authored by: jonbauman on Mar 08, '05 11:08:47AM

    I tried this with my new iPod Shuffle. Even if I have the keychain unlocked and applications using the keychain open (Mail), it lets me eject the shuffle without complaint. If I open iChat after ejecting, iChat just asks for the password. If I plug the shuffle back in, and relaunch iChat, it works fine, I don't even have to re-unlock the keychain.

    ---
    jon

    [ Reply to This | # ]