[pkg-cryptsetup-devel] Question about smartcard and decrypt_opensc script

Pascal Vibet - ADACIS pvibet at gmail.com
Thu Jul 12 18:56:13 BST 2018


Thanks a lot for your answers, I just want some advice for when a person
forgets his smartcard.

Cheers,


On 12/07/2018 at 17:45, Guilhem Moulin wrote:
> On Thu, 12 Jul 2018 at 15:41:17 +0200, Pascal Vibet - ADACIS wrote:
>> I have to boot into busybox, decrypt the encrypted disk from the CLI (I don't
>> remove my LUKS password), chroot into my decrypted disk, remove the old parameters
>> in the /etc/crypttab file for using the smartcard, apply the modifications to the initramfs
>> and reboot to use the LUKS password.
> You don't have to chroot or do the subsequent steps at initramfs stage.
> Add the ‘break’ argument to the kernel command line, unlock the root
> device (and other devices that might be required at initramfs stage)
> from the initramfs debug shell, then exit to resume the normal boot
> process.  Once in the main system, edit /etc/crypttab and update
> initramfs (no need to reboot).
>
>> Could you modify the decrypt_opensc script to use another capability to
>> decrypt (like the LUKS password)?
> The same goes for all our key scripts: if the keyscript fails to produce
> its output for whatever reason (because a device is missing, lost or
> broken, or because the user forgot a pin or passphrase) then the user
> needs to find another way to unlock the disk.
>
> But I don't think we should automatically fall back to the passphrase
> prompt if the keyscript fails.  Maybe the key can't be typed in because
> it contains NUL bytes or maybe it's just too long.  Anyway falling back
> makes the assumption that a keyslot contains a typable passphrase (and
> that the user remembers that passphrase).  So probably not something
> that's true by default.
>
> Situations where the key script fails and drops to a debug shell should
> be exceptional; if that happens too often, then IMHO you should probably
> reconsider whether to use a key script in the first place.
>
>> I published modifications to use the LUKS password and a USB key on my GitHub:
>> https://github.com/swoopla/smartcard-luks
>>
>> Could you give me feedback on my proposal and/or my GitHub?
> While our list archive is public [0], discussion would have better
> visibility if it was in our BTS (severity ‘wishlist’).  I don't use
> GitHub personally, and won't comment there.
>
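The recovery path in the reply ends with editing /etc/crypttab from the main system and rebuilding the initramfs. The helper below is an added example, not code from this thread or from the cryptsetup package: it strips the keyscript=... option from crypttab entries so the affected device falls back to the normal LUKS passphrase prompt. The device names, UUID and sample line are constructed.

```shell
#!/bin/sh
# Added example (not from the mailing list). Recovery outline from the reply,
# done by hand, not by this script:
#   1. add the "break" argument to the kernel command line and boot;
#   2. in the initramfs debug shell unlock the root device, e.g.
#        cryptsetup open /dev/sda5 sda5_crypt     (device name is constructed)
#      then "exit" to resume the normal boot;
#   3. in the main system, rewrite /etc/crypttab with the helpers below and
#      run "update-initramfs -u" (no reboot required).

# Constructed sample /etc/crypttab line that uses the decrypt_opensc keyscript.
SAMPLE_LINE='sda5_crypt UUID=00000000-1111-2222-3333-444444444444 none luks,discard,keyscript=decrypt_opensc'

# strip_keyscript LINE: print the crypttab entry with any keyscript=... option
# removed from the 4th (options) field. Other options are kept in order; if no
# option remains, the options field is dropped entirely. Whitespace between
# fields is normalised to single spaces.
strip_keyscript() {
  printf '%s\n' "$1" | awk '{
    n = split($4, opts, ",");
    out = "";
    for (i = 1; i <= n; i++) {
      if (opts[i] ~ /^keyscript=/) continue;
      out = (out == "") ? opts[i] : out "," opts[i];
    }
    if (out == "") print $1, $2, $3;
    else           print $1, $2, $3, out;
  }'
}

# strip_keyscript_file PATH: apply strip_keyscript to every entry of a crypttab
# file, passing comments and blank lines through unchanged. Writes to stdout so
# the result can be reviewed before it replaces /etc/crypttab.
strip_keyscript_file() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) printf '%s\n' "$line" ;;
      *)       strip_keyscript "$line" ;;
    esac
  done < "$1"
}
```

Review the output (e.g. `strip_keyscript_file /etc/crypttab`) before copying it into place; a keyslot holding a typable passphrase must still exist, as the reply points out, or the prompt will be of no use.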