umask settings for vfat ironkey memory stick

For security I have decided to use an IronKey USB stick to keep my private key when using ssh. However, I am not able to use ssh because my IronKey mounts with permissions that are too loose for ssh.

My IronKey automounts:

:~> mount |tail -1
/dev/sr0 on /media/IronKey type iso9660 (ro,nosuid,nodev,uid=1000)

I unlock my secure drive:

:~> sudo ironkey
password:
Enter your IronKey password: *************
Unlock successful.
IronKey device names are cd: /dev/sr0 hdd: /dev/sdb
:~>

Now my secure drive is opened, but I have permissions set to 755 on all of my folders and files. These are too loose for ssh:

:~> ssh -i '/media/IronKey USB/key/id_dsa' myremotecomputer.company.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0755 for '/media/IronKey USB/key/id_dsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /media/IronKey USB/key/id_dsa
Permission denied (publickey).
:~>

:~> mount |tail -2
/dev/sr0 on /media/IronKey type iso9660 (ro,nosuid,nodev,uid=1000)
/dev/sdb on /media/IronKey USB type vfat (rw,nosuid,nodev,shortname=lower,flush,utf8,uid=1000)
:~> ll '/media/IronKey USB/'
total 16
drwxr-xr-x 2 bill root 4096 2009-05-29 22:14 key

:~> ll '/media/IronKey USB/key'
total 8
-rwxr-xr-x 1 bill root 736 2009-05-29 22:14 id_dsa
:~>

The usb line in /etc/fstab gives me no clue on how or where my IronKey gets its options for mounting. I see nothing in there about umask:

usbfs /proc/bus/usb usbfs noauto 0 0

Note that chmod doesn’t work for making the permissions more restrictive:

:~> chmod 700 '/media/IronKey USB/key'
:~> ll '/media/IronKey USB/key'
total 8
-rwxr-xr-x 1 bill root 736 2009-05-29 22:14 id_dsa
:~> ll '/media/IronKey USB/'
total 16
drwxr-xr-x 2 bill root 4096 2009-05-29 22:14 key
:~>

I can’t even do a manual mount with a more restrictive umask and get it to work:

:~ # mount -t vfat -o rw,nosuid,nodev,shortname=lower,uid=1000,utf8,umask=077 /dev/sdb /mnt/a
:~ # ll /mnt/a
total 20
drwxr-xr-x 4 bill root 4096 May 23 21:42 .Trash-1000
drwxr-xr-x 2 bill root 4096 May 29 22:14 key
:~ #

:~> cat /etc/issue
Welcome to openSUSE 11.1 - Kernel \r (\l).

:~> uname -a
Linux hostname 2.6.27.21-0.1-pae #1 SMP 2009-03-31 14:50:44 +0200 i686 i686 i386 GNU/Linux
:~>

My questions:

How can I mount my IronKey with the more restrictive permissions needed to keep my private keys on my IronKey?

Where are the options set for auto-mounting a vfat usb stick?

Where are the options set for auto-mounting a vfat usb stick?
I can’t answer that, hope someone else knows. But maybe I can help with this part:
How can I mount my IronKey with the more restrictive permissions needed to keep my private keys on my IronKey?

Try this style of mount:
mount -t vfat -o uid=john,gid=users,umask=abcd,utf8=true /dev/sdb /home/john/win_drive

Pen drives sometimes can need /dev/sdb, sometimes /dev/sdb1.
If you leave out umask=abcd, it will default to umask=0022 [drwxr-xr-x]

    * owner=rwx group=rwx other=rwx; i.e. for drwxrwxrwx use umask=0000
    * owner=rwx group=rwx other=r-x; i.e. for drwxrwxr-x use umask=0002
    * owner=rwx group=rwx other=---; i.e. for drwxrwx--- use umask=0007
    * owner=rwx group=r-x other=r-x; i.e. for drwxr-xr-x use umask=0022
    * owner=rwx group=--- other=---; i.e. for drwx------ use umask=0077

References:
for umask: HowTo Mount NTFS Filesystem Partition Read Write Access in openSUSE 10, 11
for fat: openSUSE: HowTo set disk access permissions for Fat32 (VFAT) on a desktop PC
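
Added example (not part of the original posts): a shell script that computes the mode a vfat mount mask produces, following the umask table above, and applies the test ssh uses on a private key file, which rejects the key when any group or other bit is set. The function names and sample masks are made up for illustration; fmask and dmask are the vfat mount options that mask files and directories separately, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: predict vfat permission bits from a mount mask and apply
# the group/other test behind ssh's "bad permissions" message.

# vfat_mode MASK -> octal mode an entry gets: 0777 with the mask bits cleared.
# (umask applies to files and directories, fmask to files, dmask to directories.)
vfat_mode() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# ssh_accepts_mode MODE -> succeeds only when (mode & 077) == 0,
# i.e. nothing is readable, writable or executable by group or others.
ssh_accepts_mode() {
    [ $(( 0$1 & 0077 )) -eq 0 ]
}

# check_key FILE -> run the same test on a real file (uses GNU stat -c).
check_key() {
    mode=$(stat -c '%a' "$1") || return 2
    if ssh_accepts_mode "$mode"; then
        echo "ok   $mode $1"
    else
        echo "open $mode $1"
        return 1
    fi
}

# Constructed sample masks: the default 0022, then 0077 and 0177.
report() {
    for mask in 0022 0077 0177; do
        mode=$(vfat_mode "$mask")
        if ssh_accepts_mode "$mode"; then
            verdict=accepted
        else
            verdict=rejected
        fi
        echo "mask=$mask -> mode=$mode -> key file $verdict by ssh"
    done
}

report
```

On a mounted stick, `check_key '/media/IronKey USB/key/id_dsa'` shows whether the mask in effect is tight enough before ssh is tried.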

Then make another good decision for security reasons and don’t use vfat for sensitive data.

Can I use a file system other than vfat on an IronKey?

NTFS has worked on usb pen drives for me. You could also try ext3, let us know if it works.