[pkg-cryptsetup-devel] Bug#1000540: cryptsetup-suspend: does not resume with GPG keyfile, smartcard and gnupg-sc

bugx bugx at mailbox.org
Wed Nov 24 17:35:51 GMT 2021


Package: cryptsetup-suspend
Version: 2:2.4.2-1
Severity: important
X-Debbugs-Cc: bugx at mailbox.org



Dear Maintainers, Guilhem, Jonas, (and Tim),

First of all: thanks a lot for maintaining cryptsetup-suspend!

I changed my LUKS encryption to use a GPG keyfile, together with a Nitrokey
Pro (and gnupg-sc). Booting works without any problems, but when resuming from
suspend, instead of the pinentry field (I'm using pinentry-curses) there's just
the message "No key available with this passphrase". This is printed repeatedly
(about every second), and the CPU immediately runs hot, so only forcing a
shutdown helps.

The keyfile/initramfs/cryptsetup is done exactly in the way the gnupg-sc doc
outlines this; the GPG keyfile is pinned to Slot 1, whereas Slot 0 houses my
(conventional) former passphrase. I'm running a Debian system with kernel 5.14
and KDE; cryptsetup from Debian testing (2.4.2-1).

To verify this behaviour, I set up a Debian stable (bullseye) with GNOME and no
further modifications, except cryptsetup pinned from Debian testing. I used my
Nitrokey Pro first, and afterwards configured a YubiKey with the same GPG key:
exactly the same behaviour on this out-of-the-box system.

There is also no fallback to my (conventional) former passphrase (Slot 0)
(which is good: this shouldn't be happening if not set). If the LUKS setup is
done with GPG keyfile, smartcard and gnupg-sc, resuming (and decrypting) should
run from the external (smartcard) private key.

It would be awesome if one of you could find the time to fix this bug!

All the best


-- Package-specific info:

-- System Information:
Debian Release: parrot
  APT prefers testing
  APT policy: (50, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-9parrot1-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de:en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup-suspend depends on:
ii  cryptsetup-initramfs  2:2.4.2-1
ii  initramfs-tools-core  0.140
ii  kbd                   2.3.0-3
ii  libc6                 2.31-13+deb11u2
ii  libcryptsetup12       2:2.4.2-1
ii  systemd               247.3-6

cryptsetup-suspend recommends no packages.

cryptsetup-suspend suggests no packages.

-- no debconf information


