[pkg-cryptsetup-devel] Bug#903163: ITP: gpg-encrypted-root -- Encrypt root volumes with an OpenPGP smartcard

Peter Lebbing peter at digitalbrains.com
Wed Aug 1 16:51:43 BST 2018


Hi Guilhem and others,

On Mon, 30 Jul 2018 04:16:23 +0800 Guilhem Moulin <guilhem at debian.org>
wrote:
>  * Copying not only the (encrypted) key file and the public keyring,
>    but also the private-keys-v1.d directory, sounds very odd to me.
>    What is the rationale for doing so?

First, a new GnuPG --homedir /etc/keys is created, and in that homedir,
the smartcard stubs for the OpenPGP card are created (per README.md[1]).
This separate GnuPG homedir, specifically meant just for the unlocking
of the LUKS container, is then copied to the initramfs. If this were not
done, you'd have to do "gpg --card-status" in your initramfs to create
these stubs every time you boot, before decryption. It'd get awkward if
you forgot to insert your smartcard, because adding --card-status makes
it a two-step process: first --card-status, second --decrypt. Right now,
if you forgot to insert your smartcard, the --decrypt would fail and be
retried. The failure would prompt you to insert your smartcard.

It's not copying your normal GnuPG private-keys-v1.d to initramfs,
that'd be not so clever. Still, in the interest of clarity, it warns the
user that if they dumped sensitive information in /etc/keys, they might
want to reconsider.

> decrypt_gnupg_sc:
>  * How common are the cards requiring pcscd(8) that don't work with the
>    existing ‘decrypt_opensc’ keyscript but do work with the
>    ‘decrypt_gnupg_sc’ keyscript?

It's more tied to the reader rather than the card. My own smartcard
reader works great with the internal CCID driver of GnuPG, and my
version of this script does not have pcscd. Erik Nellessen apparently
has a smartcard reader that is not supported by GnuPG, but the card in
it is still an OpenPGP smartcard, AFAIK. I'm glad I have a
GnuPG-supported reader myself, it makes it all a lot smoother.

HTH,

Peter.

[1]
<https://github.com/eriknellessen/gpg-encrypted-root/blob/master/README.md>

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
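The reply above explains why the dedicated GnuPG homedir (/etc/keys) with its smartcard stubs is copied into the initramfs, and warns that anything else dumped in that homedir would travel with it. The following POSIX shell script is an added example (not code from gpg-encrypted-root, Peter, or Guilhem) that audits such a homedir before it is copied and models the "decrypt fails, gets retried" flow. It assumes GnuPG's on-disk layout: each secret key lives in HOMEDIR/private-keys-v1.d/<keygrip>.key as an S-expression tagged "shadowed-private-key" for a smartcard stub and "protected-private-key" or "private-key" for real key material; the file name root.key in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the gpg-encrypted-root project.
# Assumption: GnuPG keeps secret keys in $HOMEDIR/private-keys-v1.d/*.key as
# S-expressions; a smartcard stub carries the tag "shadowed-private-key",
# real key material carries "protected-private-key" (passphrase-protected)
# or "(11:private-key" (unprotected). Both the classic and the extended
# ("Key: (...)") file formats contain the tag in clear text, so grep suffices.

# Classify one key file: prints "stub", "secret" or "unknown".
classify_key_file() {
    if grep -q 'shadowed-private-key' "$1"; then
        echo stub
    elif grep -q 'protected-private-key' "$1" || grep -q '(11:private-key' "$1"; then
        echo secret
    else
        echo unknown
    fi
}

# Return 0 only if every key under the homedir is a smartcard stub.
# Return 1 and list the offending files if real (or unrecognised) key
# material is present; return 2 if there is no private-keys-v1.d at all.
# Run this on the homedir that will be copied into the initramfs.
check_stub_only_homedir() {
    dir="$1/private-keys-v1.d"
    [ -d "$dir" ] || { echo "no private-keys-v1.d in $1" >&2; return 2; }
    rc=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue          # glob matched nothing
        case "$(classify_key_file "$f")" in
            stub) ;;
            *) echo "non-stub key material would be copied: $f" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Run a decrypt command up to $1 times, prompting between failed attempts.
# This mirrors the keyscript behaviour described in the mail: a --decrypt
# that fails because the card is absent is simply retried, so no separate
# --card-status step is needed at boot.
retry_decrypt() {
    attempts="$1"; shift
    n=0
    while [ "$n" -lt "$attempts" ]; do
        n=$((n + 1))
        if "$@"; then
            return 0
        fi
        echo "decrypt attempt $n failed; insert your smartcard and retry" >&2
    done
    return 1
}

# Usage (paths are placeholders, not from the project):
#   check_stub_only_homedir /etc/keys && echo "ok: only smartcard stubs"
#   retry_decrypt 3 gpg --homedir /etc/keys --decrypt /etc/keys/root.key
```

The audit is cheap to run from the hook that assembles the initramfs, and it catches the case the mail warns about: a real secret key that ended up in /etc/keys would otherwise be copied into an unencrypted boot image.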
