[pkg-cryptsetup-devel] Bug#903163: gpg-encrypted-root -- Encrypt root volumes with an OpenPGP smartcard

Guilhem Moulin guilhem at debian.org
Sun Sep 23 16:17:14 BST 2018


On Sun, 23 Sep 2018 at 16:00:30 +0200, Peter Lebbing wrote:
> I'm not really happy with the "wait for a random smartcard to be
> available and import that as stubs" solution,

Note that in principle we can wait for a smartcard with a given serial
number to be inserted, with `gpg-connect-agent 'SCD SERIALNO openpgp'
/bye` or similar.

> but copying the whole homedir might need some more tuning as
> well... Or we just accept that people who put data in a directory named
> cryptsetup-initramfs should expect that this data ends up in their
> initramfs, and limit our safety checks.  We can still document it,
> obviously, with a clearly phrased warning that although the key itself
> is encrypted, nothing else is.

If we want this to be widely used we should make initramfs image
generation as quiet as possible.  Users (understandably) become worried
— and file bugs — when kernel upgrades or similar produce warnings,
especially when the early boot stage is involved ;-)
 
> Anyway, Guilhem, thanks for working on this!

Well, thank you for the original code! :-)

-- 
Guilhem.
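
The serial-number wait mentioned in the message above, as an added example that is not part of the original mail or of the cryptsetup packaging. It wraps the quoted `gpg-connect-agent` command in a POSIX sh polling loop; the function names, the 60-second default timeout and the serial shown in the comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: block until the OpenPGP card with an expected serial is present.

# Ask scdaemon (through gpg-agent) for the serial of the inserted OpenPGP card.
# Kept in its own function so it can be replaced when no reader is attached.
scd_query() {
    gpg-connect-agent 'SCD SERIALNO openpgp' /bye 2>/dev/null
}

# Print the serial from a status line such as
#   S SERIALNO D2760001240102010006012345670000   (constructed value)
# Prints nothing when the agent answers with an ERR line (no card present).
card_serial() {
    scd_query | while read -r tag key serial rest; do
        if [ "$tag" = S ] && [ "$key" = SERIALNO ]; then
            printf '%s\n' "$serial"
            break
        fi
    done
}

# wait_for_card SERIAL [TIMEOUT_SECONDS]
# Returns 0 as soon as the card with exactly that serial answers, 1 on timeout.
# A different card being inserted does not satisfy the wait.
wait_for_card() {
    want=$1 timeout=${2:-60} waited=0
    while :; do
        have=$(card_serial)
        [ "$have" = "$want" ] && return 0
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
}

# Usage (serial is a placeholder):
#   wait_for_card D2760001240102010006012345670000 30 || echo "card not found" >&2
```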