[pkg-cryptsetup-devel] Bug#903163: gpg-encrypted-root -- Encrypt root volumes with an OpenPGP smartcard

Peter Lebbing peter at digitalbrains.com
Sun Sep 23 12:32:44 BST 2018


Hi Guilhem!

On 23/09/2018 05:57, Guilhem Moulin wrote:
> We already have some logic in place to wait until the source device is
> present, so we can as well wait until the card is present.

Note that GnuPG now supports multiple card readers at the same time. The
solution will fail then. Furthermore, it also precludes showing the nice
prompt with /which/ smartcard to insert for people with multiple
smartcards. Further reflection might reveal other cases where it is
suboptimal or wrong... How about copying the whole homedir without
random_seed, but first checking to make sure there are only smartcard
keys as private keys? I think the following does that:

--8<---------------cut here---------------start------------->8---
#!/bin/sh

# List the secret keys in colon format. For "sec"/"ssb" lines field 15
# carries the card serial number (which starts with the OpenPGP card AID
# D27600012401), "#" for a stub without any secret material, and is empty
# when the private key lives on disk. Print the key ID (field 5) of every
# key that is neither card-backed nor a stub.
UNSAFEKEYS=$(gpg --batch --with-colons --homedir /etc/keys --list-secret-keys | \
	gawk -F: '$1=="sec" || $1=="ssb" \
		{ if ($15 !~ /D27600012401.*/ && $15 != "#") { print $5 } }')

if [ -n "$UNSAFEKEYS" ]; then
	# dash's builtin echo interprets \n; under bash this would need echo -e.
	echo "Non-smartcard keys found:\n${UNSAFEKEYS}\nAborting" >&2
	exit 1
fi
--8<---------------cut here---------------end--------------->8---

It will only accept true OpenPGP smartcard keys (matched on ISO 7816
Application Identifier) or empty stubs (no secret key whatsoever). No
other secret key material should be necessary for this particular
application. Note that the dialect is dash; if run in bash, echo would
need -e.

Whatever the solution, I think it's a good idea to copy *.conf to the
GnuPG homedir as well (that's not an implementation detail, it's a
supported API).

I'm a bit worried that currently, the implementation detail that the old
pubring.gpg format is the same format as gpg --export is being used.
This is tripping up people upgrading to GnuPG 2.1, and I think it's a
better idea to avoid it here as well. The attached patch tries to do
this (but obviously doesn't combine well with the proposal of copying
the whole homedir, which would get this for free :-).

> By the way, I also added a local-bottom script to kill gpg-agent and
> scdaemon before execution is turned over to the init binary :-)

A good idea. If we copy a whole homedir, it might be needed to put the
homedir in its regular place for that. I suppose this is possible? I
think gpgconf can only manage daemons started with a default homedir.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Use-modern-keybox-format-for-gpg.patch
Type: text/x-patch
Size: 2118 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/attachments/20180923/fc0daae0/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/attachments/20180923/fc0daae0/attachment.sig>
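The "only smartcard keys or stubs" check from the message above, reworked as an added example (not part of Peter's mail or of the cryptsetup scripts) so it can be exercised on sample data: it reads a `--with-colons` listing on stdin instead of running gpg, and the listing, key IDs and card serial below are constructed, not real keys.

```shell
#!/bin/sh
# Classify secret keys from `gpg --with-colons --list-secret-keys` output.
# Only "sec" (secret primary) and "ssb" (secret subkey) lines matter; their
# field 15 is the card serial number for card-backed keys (it begins with the
# OpenPGP card application identifier D27600012401), "#" for a stub that has
# no secret material at all, and empty when the private key is stored on disk.

# Print the key ID (field 5) of every secret key that is neither on a card
# nor a stub. Uses POSIX awk rather than gawk; the listing comes on stdin.
find_unsafe_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            if ($15 !~ /^D27600012401/ && $15 != "#") print $5
        }'
}

# Wrapper in the shape of the original script: fail (return 1) and report the
# offending key IDs on stderr when any on-disk secret key is present.
check_smartcard_only() {
    unsafe=$(find_unsafe_keys)
    if [ -n "$unsafe" ]; then
        # printf behaves the same under dash and bash, unlike echo with \n.
        printf 'Non-smartcard keys found:\n%s\nAborting\n' "$unsafe" >&2
        return 1
    fi
    return 0
}

# Constructed sample listing (placeholder key IDs, fingerprint and serial):
# a card-backed primary key with a card-backed subkey, a stub primary key,
# and one secret subkey whose private material is on disk (DDDD...).
SAMPLE_LISTING='sec:u:2048:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:::D2760001240102010006000000010000::::::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1500000000::0000000000000000000000000000000000000000::Constructed Test Key <test@example.invalid>::::::::::0:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1500000000::::::e:::D2760001240102010006000000010000::::::0:
sec:u:2048:1:CCCCCCCCCCCCCCCC:1500000000:::u:::scESC:::#::::::0:
ssb:u:2048:1:DDDDDDDDDDDDDDDD:1500000000::::::e::::::::0:'

# Usage on the sample:   printf '%s\n' "$SAMPLE_LISTING" | check_smartcard_only
# Usage on a real homedir (assumed path, as in the original script):
#   gpg --batch --with-colons --homedir /etc/keys --list-secret-keys | check_smartcard_only
```

On the sample, only `DDDDDDDDDDDDDDDD` is reported; remove that line and the check passes.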