[pkg-cryptsetup-devel] Bug#903163: gpg-encrypted-root -- Encrypt root volumes with an OpenPGP smartcard

Peter Lebbing peter at digitalbrains.com
Sun Sep 23 15:00:30 BST 2018


On 23/09/2018 13:32, Peter Lebbing wrote:
> How about copying the whole homedir without
> random_seed, but first checking to make sure there are only smartcard
> keys as private keys?

O dear, this might not be enough. The agent can also hold non-OpenPGP
keys. SSH keys are an example of what I'm actually using myself.

This might need some more thought... I'm not really happy with the "wait
for a random smartcard to be available and import that as stubs"
solution, but copying the whole homedir might need some more tuning as
well... Or we just accept that people who put data in a directory named
cryptsetup-initramfs should expect that this data ends up in their
initramfs, and limit our safety checks. We can still document it,
obviously, with a clearly phrased warning that although the key itself
is encrypted, nothing else is.

Anyway, Guilhem, thanks for working on this!

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
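
The concern raised in this message, that a check limited to OpenPGP keys would miss SSH keys held by the agent, can be addressed by inspecting the agent's key files directly. The following is an added example, not part of the original e-mail or of the cryptsetup packaging. It assumes gpg-agent stores every private key it holds (OpenPGP or SSH) as `private-keys-v1.d/<keygrip>.key` and that smartcard stubs carry the token `shadowed-private-key`; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag private key files in a GnuPG homedir that are not
# smartcard stubs, before the homedir is copied into an initramfs.
# Assumption: a stub key file contains the S-expression token
# "shadowed-private-key"; on-disk keys use "protected-private-key" or
# "private-key" instead. This is a token match, not a full parser.

# Print each non-stub key file; return 0 only if every key file is a stub.
audit_gnupg_homedir() {
    keydir="$1/private-keys-v1.d"
    bad=0
    [ -d "$keydir" ] || return 0          # no private keys stored at all
    for f in "$keydir"/*.key; do
        [ -e "$f" ] || continue           # glob matched nothing
        if ! LC_ALL=C grep -aqF 'shadowed-private-key' "$f"; then
            echo "NOT A STUB: $f"
            bad=1
        fi
    done
    return "$bad"
}

# Build a constructed sample homedir: one smartcard stub and, optionally,
# one on-disk key such as an SSH key added to the agent.
make_sample_homedir() {
    d=$(mktemp -d)
    mkdir "$d/private-keys-v1.d"
    printf '(20:shadowed-private-key(3:rsa(1:n1:x)))' \
        > "$d/private-keys-v1.d/AAAA.key"
    if [ "$1" = with-ssh-key ]; then
        printf '(21:protected-private-key(3:ecc(5:curve7:Ed25519)))' \
            > "$d/private-keys-v1.d/BBBB.key"
    fi
    echo "$d"
}

# Stand-alone use: pass the homedir to audit as the first argument.
if [ "$#" -gt 0 ]; then
    audit_gnupg_homedir "$1"
fi
```

A non-zero exit means at least one key in the directory would land in the initramfs protected only by its own passphrase, if any.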
