[pkg-cryptsetup-devel] Bug#903163: Bug#903163: gpg-encrypted-root -- Encrypt root volumes with an OpenPGP smartcard
Guilhem Moulin
guilhem at debian.org
Tue Sep 25 01:10:56 BST 2018
On Mon, 24 Sep 2018 at 14:11:02 +0200, Peter Lebbing wrote:
> Well, the ultimate fail-safe migration mechanism is very
> straight-forward. Export to /etc/cryptsetup-initramfs/pubkey.gpg, and in
> the decrypt script, --import that first. I see you already use a
> default, empty homedir anyway, might as well just --import to that.
Ah yeah, I hadn't thought about this, but that's nice and foolproof
indeed, thanks!
> I do wonder why you ended up creating the homedir manually, doesn't
> GnuPG do that for you when it's the /default/ homedir? I can't just
> try it out and see myself, I don't have a Debian testing handy :-).
> Can build one, obviously.
It's created automatically indeed, but pre-creating it silences a
warning and I'm always afraid that adding `--quiet` would silence too
much. (However I have no problem adding `--quiet` to `--import`, since
public key management operations have fewer moving parts. So with your
trick above the manual creation should be moot.)
> All the other issues but the trustdb issue are caused by the temporary
> homedir.
Oh, I misread you earlier in this thread and thought you were suggesting
/etc/cryptsetup-initramfs pubring by using the directory as temporary
homedir. My bad, sorry. Then shouldn't the following be enough, and
save a temporary file?
`| gpg --no-default-keyring --keyring … --trust-model=always --import`
I like your above trick better, though: the command to generate keyrings
is simpler, and not tied to a particular keyring format.
--
Guilhem.
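The mechanism agreed on above, as an added example that is not part of this thread or of the cryptsetup-initramfs package: the admin side exports only the public key to a plain file (a stand-in for `/etc/cryptsetup-initramfs/pubkey.gpg`), and the decrypt side starts from an empty default homedir, `--import`s that file with `--quiet`, and decrypts the keyfile. Everything under the `mktemp` working directory, the user-id and the keyfile contents are constructed for the demo; a software key stands in for the OpenPGP card, and copying `private-keys-v1.d` into the boot homedir is the demo's stand-in for the stubs `gpg --card-status` would create from a real card. Assumes GnuPG 2.1 or later on `PATH`.

```shell
#!/bin/sh
# Added example (not from the bug thread or cryptsetup-initramfs): round trip
# of "export pubkey to a file, --import it into an empty homedir at boot".
# Paths, user-id and keyfile contents are constructed; a software key
# stands in for the OpenPGP card.  Needs gpg >= 2.1.
set -eu

UID_DEMO='demo <demo@example.invalid>'   # constructed user-id

# Admin side: create a key, export ONLY the public part, encrypt a keyfile.
# With a real card the private key never leaves the card.
admin_setup() {             # $1 = working directory
    adminhome="$1/admin-gnupghome"
    mkdir -p -m 0700 "$adminhome"
    echo allow-loopback-pinentry > "$adminhome/gpg-agent.conf"  # old 2.1.x agents
    gpg --homedir "$adminhome" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-gen-key "$UID_DEMO" default default never
    mkdir -p "$1/etc"   # stands in for /etc/cryptsetup-initramfs
    gpg --homedir "$adminhome" --batch --quiet \
        --output "$1/etc/pubkey.gpg" --export "$UID_DEMO"
    printf 'constructed-luks-keyfile-contents' > "$1/keyfile"   # constructed
    gpg --homedir "$adminhome" --batch --quiet --trust-model=always \
        --recipient "$UID_DEMO" --output "$1/keyfile.gpg" --encrypt "$1/keyfile"
}

# Decrypt-script side, step 1: the thread's trick.  Start from an empty
# default homedir and --import the shipped public key into it; --quiet keeps
# the key-management chatter off the boot console.
boot_import() {             # $1 = working directory
    bootdir="$1/boot-gnupghome"
    mkdir -p -m 0700 "$bootdir"
    gpg --homedir "$bootdir" --batch --quiet --import "$1/etc/pubkey.gpg"
}

# Did the import actually land the key?  Prints its fingerprint (empty if not).
imported_fingerprint() {    # $1 = working directory
    gpg --homedir "$1/boot-gnupghome" --batch --quiet --with-colons \
        --list-keys "$UID_DEMO" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Decrypt-script side, step 2: decrypt the keyfile.  Stand-in for the card:
# the demo copies the private key material in; with a real card
# `gpg --card-status` would create the key stubs instead.
boot_decrypt() {            # $1 = working directory; prints the plaintext
    cp -r "$1/admin-gnupghome/private-keys-v1.d" "$1/boot-gnupghome/"
    gpg --homedir "$1/boot-gnupghome" --batch --quiet --decrypt "$1/keyfile.gpg"
}

cleanup_agents() {          # $1 = working directory
    for d in "$1/admin-gnupghome" "$1/boot-gnupghome"; do
        gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true
    done
}

# Full round trip; prints the recovered keyfile contents.
run_demo() {
    work=$(mktemp -d)
    admin_setup "$work"
    boot_import "$work"
    [ -n "$(imported_fingerprint "$work")" ] || { echo 'import failed' >&2; return 1; }
    boot_decrypt "$work"
    cleanup_agents "$work"
    rm -rf "$work"
}

run_demo
```

The point of the layout is that nothing in the shipped file depends on a keyring format: `pubkey.gpg` is a plain `--export`, so it can be regenerated with one command and re-imported into whatever keybox or keyring the boot-time GnuPG happens to use. The `--no-default-keyring --keyring … --trust-model=always --import` variant mentioned in the reply would instead write a keyring file under the configuration directory, which is what ties it to a keyring format.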