Q I've been toying with the idea of keeping a file full of passwords and other valuable data on a USB key that I've encrypted with GnuPG. The idea is to be able to plug it into any PC and then decrypt and read the file. I would want to put GPG itself on to the key so that I can always do this without having to install GPG on the PC and thus without leaving any trace of my data in the machine's records. How can I do this, and is it even wise?
A You'd need to include your private key on the USB stick too, so the only thing protecting your data would be the passphrase. In that case, you're effectively using a single passphrase and nothing else to protect your data. Whether this is an acceptable risk to take can only be your decision - but if you do decide to go ahead, make this password unique and secure. It's not impossible, though - you can build a statically linked GPG executable with all the libraries it needs included in the one program file.
Download the GnuPG source code from www.gnupg.org, unpack it and cd to the directory this created. After that, run the following commands:
export CFLAGS="-static" ./configure --enable-static make
You will need a compiler (GCC) and autotools installed to build from source, or to install the build essentials if you're using Ubuntu. If the ./configure stage throws up errors about missing programs or libraries but they are installed, check your package manager for a -dev or -devel version of the relevant package. These contain header files that are not required to use the software, but are needed when you want to compile other software that uses it. You may well find that having these headers will solve the problem.
There is no need to run make install since you don't want to install this version to your path. Instead your new GPG2 program is in the g10 directory, so check that it's been statically linked with:
ldd g10/gpg2
which should tell you this isn't a dynamic executable. Now you can copy it to your USB stick, but once again we advise you use a strong passphrase on your key.
Since using GnuPG means carrying your private data on an easily lost or stolen device, you should also generate a separate pair of keys. Or you could try an alternative, such as Ccrypt (http://ccrypt.sourceforge.net). This uses 256-bit AES to encrypt and decrypt files, so it's secure enough, and it's linked to the libraries you will find on any Linux box. It contains the commands ccencrypt and ccdecrypt, both of which do what they say on the tin, along with ccat, which displays the contents of an encrypted file without writing an unencrypted version to disk. So, you could pull out just your banking password with
ccat passwords.cpt | grep mybank
leaving no trace of the unencrypted information on the device or, more importantly, the host computer.