[pkg-cryptsetup-devel] Bug#916374: cryptsetup-initramfs: keyscript=decrypt_gnupg-sc yields a debug shell if the first smartcard can't unlock the key

Guilhem Moulin guilhem at debian.org
Thu Dec 13 18:48:07 GMT 2018


Package: cryptsetup-initramfs
Version: 2:2.0.6-1
Severity: wishlist

If the wrong card is plugged in at boot time, then our loop tries again and
again with the following message:

    gpg: encrypted with 2048-bit RSA key, ID DEADBEEFDEADBEEF, created 2018-12-13
        "test test"
    gpg: decryption failed: No secret key
    Nothing to read on input.
    cryptsetup: ERROR: root_crypt: cryptsetup failed, bad password or options?

Until it gives up (the delay is configurable with the ‘rootdelay’ boot
parameter) and the user is dropped to an initramfs debug shell.

If multiple cards are plugged in at the same time then only the one with
the lowest bus index is polled; so if it's the right one everything is
fine, and otherwise it fails like above.

A dirty fix would be to ask owners of multiple devices to specify the
reader ID of the right device in /etc/cryptsetup-initramfs/conf-hook (or
even /etc/cryptsetup-initramfs/scdaemon.conf).  However that won't work
if one needs to use multiple devices at initramfs stage (for instance if
the rootfs and the resume device must be unlocked using two different
smartcards).

Alternatively, we could scan for all available CCID readers at initramfs
stage. According to the scdaemon(1) manpage the list can be obtained
with the following command:

    echo scd getinfo reader_list \
    | gpg-connect-agent --decode | awk '/^D/ {print $2}'

-- 
Guilhem.
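As an added example of the "scan all readers" approach sketched above (this is not code from the bug report or from cryptsetup-initramfs), the POSIX sh below parses the reply to `scd getinfo reader_list` into one reader name per line and then tries the unlock against each reader until one succeeds. The reply format it parses (`D` data lines with `%0A` newline escapes, i.e. without `--decode`), the sample reader names, and the stand-in `fake_try_unlock` function are all constructed assumptions; in a real keyscript the unlock step would point scdaemon at the chosen reader (for instance through `reader-port` in scdaemon.conf, which is what the report means by specifying the reader ID) and run the gpg decryption.

```sh
#!/bin/sh
# Added example; not part of the bug report or of cryptsetup-initramfs.

# Query scdaemon (through gpg-agent) for the attached readers. Not called by
# the demo below, which uses a constructed reply instead of a live agent.
query_reader_list() {
    echo 'scd getinfo reader_list' | gpg-connect-agent
}

# Turn the Assuan reply into one reader name per line. Assumption: reader
# names arrive on "D <data>" lines, separated by the escape %0A; status lines
# such as "OK" or "ERR ..." are ignored.
parse_reader_list() {
    awk '
        /^D / {
            sub(/^D /, "")
            n = split($0, parts, "%0A")
            for (i = 1; i <= n; i++)
                if (parts[i] != "") print parts[i]
        }
    '
}

# Try each reader (read from stdin) with the command named in $1, which gets
# the reader name as its only argument and must exit 0 when the key unlocked.
# Prints the first reader that worked and returns 0; returns 1 if none did.
unlock_with_any_reader() {
    try_cmd=$1
    while IFS= read -r reader; do
        [ -n "$reader" ] || continue
        if "$try_cmd" "$reader"; then
            printf '%s\n' "$reader"
            return 0
        fi
    done
    return 1
}

# Constructed sample reply (not captured from a real system): two readers in
# the vendor:product:serial:index form, the second one holding the right key.
SAMPLE_REPLY='D 1050:0407:X:0%0A1050:0116:X:1%0A
OK'

# Constructed stand-in for the real unlock attempt (which would configure
# scdaemon for this reader and run gpg --decrypt): only index 1 "succeeds".
fake_try_unlock() {
    case $1 in
        *:1) return 0 ;;
        *)   return 1 ;;
    esac
}

demo_readers() {
    printf '%s\n' "$SAMPLE_REPLY" | parse_reader_list
}

demo_unlock() {
    demo_readers | unlock_with_any_reader fake_try_unlock
}

# Running the file prints the reader that unlocked the key: 1050:0116:X:1
demo_unlock
```

Because the first reader fails and the loop moves on to the second, the boot no longer stalls on whichever card happens to have the lowest bus index; if no reader works, `unlock_with_any_reader` returns 1 and the caller can fall back to the existing retry/rootdelay behaviour.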