[pkg-cryptsetup-devel] Bug#903163: Bug#903163: gpg-encrypted-root -- Encrypt root volumes with an OpenPGP smartcard

[Guilhem Moulin]

On Mon, 24 Sep 2018 at 14:11:02 +0200, Peter Lebbing wrote:
> Well, the ultimate fail-safe migration mechanism is very
> straight-forward. Export to /etc/cryptsetup-initramfs/pubkey.gpg, and in
> the decrypt script, --import that first. I see you already use a
> default, empty homedir anyway, might as well just --import to that.

Ah yeah, I hadn't thought about this, but that's nice and foolproof
indeed, thanks!

> I do wonder why you ended up creating the homedir manually, doesn't
> GnuPG do that for you when it's the /default/ homedir? I can't just
> try it out and see myself, I don't have a Debian testing handy :-).
> Can build one, obviously.

It's created automatically indeed, but pre-creating it silences a
warning and I'm always afraid that adding `--quiet` would silence too
much.  (However I have no problem adding `--quiet` to `--import` since
public key management operations have less moving parts.  So with your
trick above the manual creation should be moot.)

> All the other issues but the trustdb issue are caused by the temporary
> homedir.

Oh, I misread you earlier in this thread and thought you were suggesting
/etc/cryptsetup-initramfs pubring by using the directory as temporary
homedir.  My bad, sorry.  Then shouldn't the following be enough, and
save a temporary file?

    `| gpg --no-default-keyring --keyring … --trust-model=always --import`

I like your above trick better, though: the command to generate keyrings
is simpler, and not tied to a particular keyring format.

-- 
Guilhem.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-cryptsetup-devel/attachments/20180925/2c91f0e4/attachment.sig>