[pkg-cryptsetup-devel] Bug#560034: please include the "Cryptsetup OpenPGP Scripts"

Christoph Anton Mitterer christoph.anton.mitterer at physik.uni-muenchen.de
Tue Dec 8 14:11:01 UTC 2009


Package: cryptsetup
Version: 2:1.1.0~rc2-1
Severity: wishlist
Tags: patch

Hi Jonas.

Finally, the scripts to support OpenPGP encrypted keys within cryptsetup
are finished.

Attached you'll find a key-script, a hook-script for initramfs-tools,
and extensive documentation.


Apart from supporting more OpenPGP implementations (currently only GnuPG
as you've wished) I consider the scripts to be in a rather final and
"perfect" state (of course except possible bugs, typos and newer
features).

I know you dislike many checks and complicated features but I truly
think that everything that's done right now has to be done.
Removing parts (e.g. the base64 encoding, caching of the read and the
decrypted key) would remove features (e.g. support for non-ascii-armored
keys / different commands for reading like cat/passdev / the guarantee
that only a correctly decrypted key is written to stdout ...
respectively).


As you see, I've retained the name "decrypt_openpgp" for the key-script
(instead of decrypt_gpg). I think it's more correct like this. gpg is
"just" an implementation, and it's not gpg that's decrypted, but an
OpenPGP Message.
But I've chosen the name of the hook-script to fit your current scheme.

I'd suggest removing the current decrypt_gpg as decrypt_openpgp
provides everything of it plus more.


For the scripts to work, Debian bug #557329 has to be resolved and as a
personal wish, please also take a quick look at #557405. Both should be
easy to fix.


As you can see from the documentation, I use ":" as a separator for
options in crypttab.
I think it should be possible to change this to "," which is already
used for the last field.
This would be a cosmetic improvement but I think it would also have some
drawbacks. Perhaps we can discuss this off list.



Looking forward to hearing your comments and seeing the scripts included in
the cryptsetup package,
Christoph.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CryptsetupOpenPGPScripts.tar.bz2
Type: application/x-bzip-compressed-tar
Size: 8595 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20091208/92a34f6b/attachment.bin>