[pkg-gnupg-maint] missing feature in gnupg1 (1.4.21-3)

Micha Borrmann micha.borrmann at syss.de
Fri Mar 31 13:31:50 UTC 2017


Hello,

thanks for researching about my problem.

On 30.03.2017 at 09:19, NIIBE Yutaka wrote:
> NIIBE Yutaka <gniibe at fsij.org> wrote:
>> I'll try, because it would be an important regression for 2.1 if user
>> can't use encrypted root partition with GnuPG.
> 
> Sorry, it took time for me to prepare a VM environment with QEMU which
> passes through the USB device traffic.  Well, I learned.
> 
> Today, I can successfully mount an encrypted root partition using a Gnuk
> Token with GnuPG 2.1 on Debian Stretch (in a QEMU virtual environment).
> 
> So, I don't think it's a regression of GnuPG itself.  We need to update
> the existing scripts for cryptsetup because the way GnuPG is used has
> changed.
> 
> Please find attached files, which I am using for encrypted root
> partition.
> 
> I read this article by Peter Lebbing:
> 
> 	http://digitalbrains.com/2014/gpgcryptroot
> 
> In decrypt_gnupg_scd, I write like this:
> 
>     if ! /lib/cryptsetup/askpass "Enter smartcard PIN for key $1: " | \
>          /usr/bin/gpg-agent -q --homedir "$(dirname "$1")" --daemon    \
>          /usr/bin/gpg -q --homedir "$(dirname "$1")"                   \
>                       --pinentry-mode loopback --passphrase-fd 0       \
>                       --decrypt "$1"; then
>         return 1
>     fi
> 
> It will ask you for the smartcard PIN via /lib/cryptsetup/askpass.  I use
> /lib/cryptsetup/askpass because it seems to me that it is a kind of
> common practice for cryptsetup.
> 
> Since GnuPG 2.1 requires gpg-agent, gpg-agent is invoked in daemon mode
> and gpg is invoked by gpg-agent.  After the gpg process finishes, the
> gpg-agent process also finishes.  (Note that scdaemon is automatically
> invoked by gpg-agent.)
> 
> I specify --pinentry-mode loopback and --passphrase-fd 0 so that
> gpg receives the PIN from standard input.

I used the printed command, meaning gpg-agent was called directly.
However, it is still the same as before with GnuPG 2.1.
I can decrypt only with the symmetric key, but the PIN is not sent to my smart card. The general key info is also not displayed.

The command gpg --card-info works fine (except that the display of the general key info is missing and there is the error message "gpg: cannot open /dev/tty': No such device or address").

As debugging is always on in gpg-agent.conf, I get a lot of messages on the console, too.
Here are the lines which are similar to the lines recorded before:

gpg-agent[290]: DBG: chan_10 -> SERIALNO --demand=D2760001240102010005000045EC0000
gpg-agent[290]: DBG: chan_10 <- ERR 100696144 No such device <SCD>
gpg-agent[290]: DBG: no device present
gpg-agent[290]: smartcard decryption failed: Card not present
gpg-agent[290]: command 'PKDECRYPT' failed: Card not present
gpg-agent[290]: DBG: chan_8 -> ERR 67108976 Card not present <GPG Agent>
gpg: decryption failed: Invalid cipher algorithm
gpg-agent[290]: DBG: chan_10 <- [eof]
gpg-agent[290]: DBG: chan_10 <- RESTART
gpg-agent[290]: DBG: chan_10 <- OK
cryptsetup (sda3_crypt): cryptsetup failed, bad password or options?
gpg: cannot open /dev/tty': No such device or address
Reader ...........: 058F:9540:X:0
Application ID ...: D2760001240102010005000045EC0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 000045EC
Name of cardholder: Micha Borrmann
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa2048 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 500
Signature key ....: F2E7 C6A5 9950 84ED 7AD6  0DD4 EDBE 26E7 14EA 5876
      created ....: 2016-02-17 15:26:16
Encryption key....: ADB2 069E 7A1A 6558 2966  47A1 4E81 F234 C254 AF58
      created ....: 2016-02-17 15:26:16
Authentication key: EEE0 138F C87E 164B E6D8  3ED9 3768 D170 FA56 C0D6
      created ....: 2016-02-17 15:26:16
General key info..: Enter smartcard PIN or passphrase for key /etc/keys/cryptkey.gpg:

The card is present, because gpg --card-info is able to read it.

Are there any other hints on how to use GnuPG2 in the initramfs to decrypt a root filesystem where the private key is on an OpenPGP smartcard?

/Micha Borrmann

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3413 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20170331/00bb4113/attachment.bin>
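A keyscript along the lines of the quoted decrypt_gnupg_scd snippet, written here as an added example (not code from the thread, from NIIBE, or from the Debian cryptsetup package): it first checks that scdaemon actually sees a card before asking for a PIN, and on failure reports the agent's own diagnostic ("Card not present") instead of cryptsetup's generic "bad password or options?". It assumes the paths given in the quoted message and that cryptsetup exports CRYPTTAB_SOURCE to keyscripts; GPG, GPG_AGENT and ASKPASS are overridable for testing.

```shell
#!/bin/sh
# decrypt_gnupg_scd: cryptsetup keyscript for GnuPG 2.1 with the key on an OpenPGP card.
# Assumed: paths from the thread, and CRYPTTAB_SOURCE set by cryptsetup (assumption).
set -u
GPG=${GPG:-/usr/bin/gpg}
GPG_AGENT=${GPG_AGENT:-/usr/bin/gpg-agent}
ASKPASS=${ASKPASS:-/lib/cryptsetup/askpass}

# Pull the serial out of `gpg --card-status` output (read from stdin); prints nothing if absent.
card_serial() {
    sed -n 's/^Serial number \.*: *\([0-9A-Fa-f]*\).*/\1/p'
}

# Turn the gpg/gpg-agent diagnostics captured on stderr into a short cause, so the
# initramfs log names the real failure instead of "bad password or options?".
classify_failure() {
    case "$1" in
        *"Card not present"*|*"No such device"*) echo "no-card" ;;
        *) echo "unknown" ;;
    esac
}

# $1 = path to the gpg-encrypted LUKS key; the decrypted key goes to stdout for cryptsetup.
decrypt_key() {
    keyfile=$1
    homedir=$(dirname "$keyfile")
    errlog=$(mktemp)
    # gpg-agent --daemon CMD keeps the agent (and scdaemon) alive for CMD's lifetime, then
    # exits with it; --batch keeps gpg away from /dev/tty, which does not exist in initramfs.
    serial=$("$GPG_AGENT" -q --homedir "$homedir" --daemon \
             "$GPG" -q --batch --homedir "$homedir" --card-status 2>/dev/null | card_serial)
    if [ -z "$serial" ]; then
        echo "decrypt_gnupg_scd: scdaemon sees no OpenPGP card; not asking for a PIN" >&2
        rm -f "$errlog"; return 1
    fi
    # The PIN comes from askpass over a pipe: loopback pinentry reads it from fd 0.
    if ! "$ASKPASS" "Enter PIN for card $serial (key $keyfile): " | \
         "$GPG_AGENT" -q --homedir "$homedir" --daemon \
         "$GPG" -q --batch --homedir "$homedir" --pinentry-mode loopback \
                --passphrase-fd 0 --decrypt "$keyfile" 2>"$errlog"; then
        echo "decrypt_gnupg_scd: decryption failed ($(classify_failure "$(cat "$errlog")"))" >&2
        rm -f "$errlog"; return 1
    fi
    rm -f "$errlog"
}

# Only act as a keyscript when cryptsetup invokes us; sourcing the file just defines functions.
if [ -n "${CRYPTTAB_SOURCE:-}" ] && [ $# -ge 1 ]; then
    decrypt_key "$1"
fi
```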