EEVblog Electronics Community Forum

Computing => Security => Topic started by: NY2KW on May 08, 2020, 07:58:07 pm

Title: HID SmartCard - How to encrypt files
Post by: NY2KW on May 08, 2020, 07:58:07 pm
I had to get a secure email through IdenTrust with my personal certificate. No problem there. Now I'm thinking how could I use this to encrypt specific files or folders on my PC. I don't want to do the whole drive with Bitlocker and I want the flexibility of taking these files to another PC and using my smart-card for secure access. I googled and was surprised to see no simple software for personal smart-card use of this type. Any advice appreciated.

Title: Re: HID SmartCard - How to encrypt files
Post by: electrolust on September 11, 2020, 06:48:03 pm
This can't be done.

Title: Re: HID SmartCard - How to encrypt files
Post by: NY2KW on September 11, 2020, 09:54:58 pm
Thanks, finally got a reply. Could you explain a bit as to why not? Would be educational for me and others.

Title: Re: HID SmartCard - How to encrypt files
Post by: electrolust on September 15, 2020, 06:22:23 pm
Smartcards are a purpose made device. They run only very specific applications. The application that would be installed on an identity card can only do signatures. You can't encrypt data with a signature.

The security of smartcards depends in part on you not being able to install new applications (or delete existing). So you can't modify the installed application profile.

Lastly, even if you could update for an "encryption" application, the performance of a smartcard is absolutely dismal. Do you want your hard drive to perform at 1200 baud modem speeds? It would be completely nonfunctional for all but the simplest and smallest type of documents. So regardless of any ability to do so, you are just far better off buying a USB drive and using BitLocker to encrypt that whole drive. Now you have the flexibility to take just those files to another PC.

You can buy a smartcard that has an encryption feature. However, for your use case it's just better to encrypt an external drive.

I know what you're thinking. "I want the added security of the physical smartcard". Wrong. If you lose or damage the smartcard, whoops, bye bye files. A password (passphrase) is far, far better for all intents and purposes. Also, if you suspect or want to protect against compromise on that other PC, a smartcard doesn't help you protect against that. If you want to be sure you aren't giving up your passphrase to the other PC, get a SED (self-encrypting drive). These devices almost universally suck and are insecure, so you have quite a lot of homework to do there. So much so, that Windows used to detect SED and use it if available. But then they realized this is completely insecure and untrustworthy, so now Windows ignores the SED feature and always does software encryption in the OS. That's not to say 100% of the SED drives are bad. Just good luck knowing which ones are good. I'd just use BitLocker.
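The "BitLocker on a USB drive with a passphrase" approach recommended above, as an added PowerShell example that is not from the thread. It assumes Windows with the BitLocker module in an elevated session and a removable drive mounted as E: (a constructed value); the recovery password protector is there so that losing the passphrase does not mean losing the files.

```powershell
# Added example (not from the thread): carry the files on a removable drive
# and protect that drive with BitLocker To Go instead of a smartcard.
# Assumptions: Windows with the BitLocker PowerShell module, an elevated
# session, and the USB drive mounted as E: (constructed value).
$Drive = "E:"

# Prompt for the passphrase without echoing it, so it never sits in a script file.
$Passphrase = Read-Host -Prompt "Passphrase for $Drive" -AsSecureString

# Encrypt with XTS-AES-256 and a passphrase protector. Enable-BitLocker uses
# software encryption unless -HardwareEncryption is requested, so the drive's
# own SED feature is not relied on. -UsedSpaceOnly keeps the initial pass
# short on a mostly empty drive.
Enable-BitLocker -MountPoint $Drive `
    -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $Passphrase `
    -UsedSpaceOnly

# Add a 48-digit recovery password as a second protector. This is the answer
# to "lose the token, lose the files": store it offline, never on the drive.
$Result = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
$RecoveryKey = ($Result.KeyProtector |
    Where-Object KeyProtectorType -eq "RecoveryPassword").RecoveryPassword
Write-Host "Recovery password (store offline): $RecoveryKey"

# Verify: encryption finished, protection on, both protectors present.
$Vol = Get-BitLockerVolume -MountPoint $Drive
$Vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
    EncryptionMethod, EncryptionPercentage
$Vol.KeyProtector | Select-Object KeyProtectorType

# Before unplugging, lock the volume so the next PC must ask for the passphrase.
Lock-BitLocker -MountPoint $Drive -ForceDismount

# On the other PC:
#   Unlock-BitLocker -MountPoint E: -Password (Read-Host -AsSecureString)
```

Check `ProtectionStatus` only after `VolumeStatus` reports `FullyEncrypted`; on a removable drive protection is reported as on once the encryption pass completes.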