[pkg-cryptsetup-devel] Question about smartcard and decrypt_opensc script
Guilhem Moulin
guilhem at debian.org
Thu Jul 12 16:45:13 BST 2018
On Thu, 12 Jul 2018 at 15:41:17 +0200, Pascal Vibet - ADACIS wrote:
> I have to boot on busybox, decrypt in CLI the encryptdisk disk (i don't
> remove my luks password), chroot on my decrypted disk, remove old parameters
> in /etc/crypttab file for using smartcard, apply modifications in initramfs
> and reboot for use luks password.
You don't have to chroot or do the subsequent steps at initramfs stage.
Add the ‘break’ argument to the kernel command line, unlock the root
device (and other devices that might be required at initramfs stage)
from the initramfs debug shell, then exit to resume the normal boot
process. Once in the main system, edit /etc/crypttab and update
initramfs (no need to reboot).
> Could you modify decrypt_opensc script for using another capabilty to
> decrypt (like luks password) ?
The same goes for all our key scripts: if the keyscript fails to produce
its output for whatever reason (because a device is missing, lost or
broken, or because the user forgot a pin or passphrase) then the user
needs to find another way to unlock the disk.
But I don't think we should automatically fall back to the passphrase
prompt if the keyscript fails. Maybe the key can't by typed in because
it contains NUL bytes or maybe it's just too long. Anyway falling back
makes the assumption that a keyslot contains a typable passphrase (and
that the user remember that passphrase). So probably not something
that's true by default.
Situations where the key script fails and drops to a debug shell should
be exceptional; if that happens too often, then IMHO you should probably
reconsider whether to use a key script in the first place.
> i publish modifications to use luks password and usbkey on my github:
> https://github.com/swoopla/smartcard-luks
>
> Could you give my a feedback on my proposition or/and my gihub ?
While our list archive is public [0], discussion would have better
visibility if it was in our BTS (severity ‘wishlist’). I don't use
GitHub personally, and won't comment there.
--
Guilhem.
[0] http://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/attachments/20180712/91b1d3df/attachment.sig>
More information about the pkg-cryptsetup-devel
mailing list