[pkg-cryptsetup-devel] Bug#945783: decrypt_gnupg-sc: Add possibility to use password fallback

Erik Nellessen erik.nellessen at posteo.de
Thu Nov 28 15:37:18 GMT 2019 

Package: cryptsetup
Version: 2:2.1.0-5+deb10u2
Severity: wishlist

This wishlist bug is a follow up to bug #903163: https://bugs.debian.org/cgi-
bin/bugreport.cgi?bug=903163

In bug #903163 it was requested to add OpenPGP smartcard support to unlock
encrypted volumes. The feature has already been added and the bug has been
resolved.

The work was based by the solution that Peter Lebbing first created and I
adapted for the debian stretch release. It can be found here:
https://gitlab.com/eriknellessen/gpg-encrypted-root/

The use case was to decrypt the root volume at boot time. I could verify (with
the help of Peter Lebbing and Guilhem Moulin) that it is possible to decrypt
the root volume at boot time with a smartcard using the new cryptsetup
features. I documented how to do it here: https://gitlab.com/eriknellessen/gpg-
encrypted-root/blob/cryptsetup-tutorial/CRYPTSETUP.md

One feature however does not yet work with the cryptsetup solution. In the
former solution from my GitLab repository, it is possible to have a password
fallback decryption in case the smartcard gets broken/stolen/lost/etc. The
cryptsetup solution does not offer such a possibility yet (as far as I can
see). I tried using the former approach by encrypting the decryption key both
with the public key from the smartcard and a password, but this did not work.
At boot time, I was never asked for a password but got a bunch of error
messages (I can provide those error messages if necessary). I documented the
steps I took here: https://gitlab.com/eriknellessen/gpg-encrypted-
root/blob/cryptsetup-tutorial-password-fallback/CRYPTSETUP.md

I would like to find a possibility to decrypt the root volume with a password
when having set up the smartcard decryption. Extending the decrypt_gnupg-sc
script to also allow password decryption could be a way. Then there is also the
concept of key slots in cryptsetup. Falling back to another key slot when one
is not working might also be an option. Are there any other ways I am missing?

In the end, I would like to have the setup for the root volume smartcard
decryption included in the debian installer. When finding a solution for the
password fallback problem, it would be interesting for me to see how it
complies with the debian installer.



-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup depends on:
pn  cryptsetup-initramfs  <none>
pn  cryptsetup-run        <none>

cryptsetup recommends no packages.

cryptsetup suggests no packages.

More information about the pkg-cryptsetup-devel mailing list