[pkg-cryptsetup-devel] Bug#903163: Adding OpenPGP smartcard support to LUKS

Kyle Rankin kyle.rankin at puri.sm
Wed Nov 7 21:05:17 GMT 2018


On Tue, Nov 06, 2018 at 10:49:36PM +0100, Guilhem Moulin wrote:
> On Tue, 06 Nov 2018 at 11:15:57 -0800, Kyle Rankin wrote:
> > On Sun, Nov 04, 2018 at 02:38:29PM +0100, Guilhem Moulin wrote:
> >> On Sun, 04 Nov 2018 at 05:35:44 -0500, Chris Lamb wrote:
> >>>>> https://salsa.debian.org/cryptsetup-team/cryptsetup/tree/openpgp-smartcard
> >>>> 
> >>>> Did you have time to look at this branch yet?  (Just rebased it on top
> >>>> of ‘debian/2%2.0.5-1’ and applied a couple of changes.)
> >>> 
> >>> Oh dear, I was not aware this was blocking on my end.
> >> 
> >> Oops sorry for the bad communication, should have poked you earlier
> >> in October then :-P
> >> 
> >>> Kyle, how'd you feel about checking this branch out?
> > 
> > Providing me the deb would remove any risk that any bugs I find were caused
> > by some mistake on my part in merging and building that branch, so if you
> > could provide me the deb that would be much appreciated, that way we are at
> > least a QA team of two :)
> 
> There is no merging involved as I rebased the branch on top of master :-)
> 
> But fair enough, you can use the cryptsetup packages from my private APT
> repository:
> 
>     echo "deb http://guilhem.org/debian sid main" >>/etc/apt/sources.list
>     apt-key add /tmp/7420DF86BCE15A458DCE997639278DA8109E6244.asc
>     apt update 
>     apt upgrade
> 
> The OpenPGP key used to sign the ‘Release’ file (and the source
> packages) is the one I'm using for Debian uploads; its primary key has
> the following fingerprint:
> 
>     7420 DF86 BCE1 5A45 8DCE  9976 3927 8DA8 109E 6244
> 
> Alternatively, you can manually download & install the binary packages
> from
> 
>     https://guilhem.org/debian/pool/main/c/cryptsetup/
> 
> (Only ‘cryptsetup-initramfs’ and ‘cryptsetup-run’ are relevant in this
> context: the former for the initramfs boot scripts, the latter for the
> decryption script and documentation.)
> 
> Cheers,
> -- 
> Guilhem.


I've tested these debs and can confirm everything works. I was also able to
add this support to an existing LUKS root partition by just using
luksAddKey and making sure the crypttab was updated and update-initramfs
was run. Note that in the case of a root partition, boot splash needs to be
disabled so you can enter the GPG PIN.

-Kyle
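
As an added example (not part of the thread and not code from the cryptsetup packaging): one way to confirm that the key file passed to `apt-key add` in the quoted instructions carries the fingerprint given in the mail, and holds no other primary key, before it is trusted. The function names and the sample listing are constructed for illustration; the colon-delimited format is what `gpg --with-colons` prints.

```shell
# Fingerprint exactly as quoted in the mail above.
EXPECTED_FPR='7420 DF86 BCE1 5A45 8DCE  9976 3927 8DA8 109E 6244'

# Drop whitespace and upper-case, so spaced and compact forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Reads a `gpg --with-colons` key listing on stdin. Succeeds only if the
# listing holds exactly one primary key and its fingerprint equals $1.
# Subkey fingerprints are ignored: only the first "fpr" after "pub" counts.
check_key_listing() {
    want=$(normalize_fpr "$1")
    awk -F: -v want="$want" '
        $1 == "pub" { npub++; primary = 1; next }
        $1 == "sub" { primary = 0 }
        primary && $1 == "fpr" && got == "" { got = toupper($10) }
        END { exit !(npub == 1 && want != "" && got == want) }
    '
}

# Constructed, abbreviated sample listing (subkey ID, dates and uid are made
# up); field 10 of an "fpr" record is the fingerprint.
SAMPLE_LISTING='pub:-:4096:1:39278DA8109E6244:1400000000:::-:::scESC:
fpr:::::::::7420DF86BCE15A458DCE997639278DA8109E6244:
uid:-::::1400000000::::Constructed Sample <sample@example.invalid>:
sub:-:4096:1:0123456789ABCDEF:1400000000::::::e:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Intended use before `apt-key add` (needs gpg, so it is left commented out):
#   gpg --show-keys --with-colons /tmp/7420DF86BCE15A458DCE997639278DA8109E6244.asc \
#       | check_key_listing "$EXPECTED_FPR" && echo "fingerprint matches"
```

The single-primary-key requirement matters because `apt-key add` imports every key contained in the file, not only the first one.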