[pkg-cryptsetup-devel] Bug#1053900: cryptsetup: Support multiple OpenPGP SmartCards in "decrypt_gnupg-sc"

Christoph Chvojka christoph at chvojka.at
Fri Oct 13 21:35:48 BST 2023


Package: cryptsetup
Version: 2:2.6.1-5


New feature description
"/usr/lib/cryptsetup/scripts/decrypt_gnupg-sc" currently only supports
one OpenPGP Key.
Please add an option to support multiple OpenPGP Keys.


Further description
To enable this, an option would be to replace the current call of
"decrypt_gpg" like in this patch:
--- /usr/lib/cryptsetup/scripts/decrypt_gnupg-sc	2023-04-21
00:54:29.000000000 +0200
+++ decrypt_gnupg-sc	2023-10-13 22:24:16.044055384 +0200
@@ -40,5 +40,10 @@
     exit 1
 fi
 
-decrypt_gpg "$1"
+key_email=$(run_gpg --batch --quiet --no-tty --card-status | sed -nE
"s/.*<(.*)>.*/\1/p")
+if [ -f "$1-${key_email}" ]; then
+  decrypt_gpg "$1-${key_email}"
+else
+  decrypt_gpg "$1"
+fi
 exit $?
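Review bot: the `sed -nE "s/.*<(.*)>.*/\1/p"` over the `--card-status` output prints every line that contains an angle-bracket pair, so `key_email` can end up holding several lines (for instance when "General key info" lists more than one user ID), and the value is then placed unvalidated into a filesystem path on `+if [ -f "$1-${key_email}" ]; then`. Consider keeping only the first match (`| head -n 1`), accepting it only when it consists of a safe character set (letters, digits, `._@+-`, no `/`), and falling through to `decrypt_gpg "$1"` when the value is empty or rejected, so an unexpected card label cannot steer the lookup to an unintended file. Keying the suffix on the card's key fingerprint rather than the e-mail address would also avoid ambiguity when two cards carry the same address.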



Additionally "/usr/share/initramfs-tools/hooks/cryptgnupg-sc" needs to
be adapted to also include the available files for the individual
OpenPGP Keys.
Based on the above code an individual CRYPTTAB_KEY would have as suffix
"-${key_email}".
If the CRYPTTAB_KEY is "cryptkey.gpg" an individual one
for firstname.lastname at debian.org would be like
"cryptkey.gpg-firstname.lastname at debian.org".

With this adaptation "decrypt_gnupg-sc" would try to use the individual
CRYPTTAB_KEY first but fall back to the generic CRYPTTAB_KEY if it can't
be found. If multiple individual CRYPTTAB_KEY are provided it would
pick the right one based on the e-mail address of the key.

Thx & Kind regards,
Christoph
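The key-file selection the report describes (individual "CRYPTTAB_KEY-email" file first, generic file as fallback), written out as an added example. This is not the reporter's patch and not the Debian cryptsetup scripts: the function `select_key_file` is hypothetical, reads the text of `gpg --card-status` on stdin instead of calling `run_gpg`, and adds the checks a reviewer would want before a card-supplied string becomes part of a path (first match only, restricted character set, fall back to the generic key when the value is empty or rejected). The card-status text is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the bug report or of cryptsetup's own scripts.
# select_key_file GENERIC_KEY_PATH < card-status-text
# Prints the key file to hand to decrypt_gpg: "$GENERIC-<email>" when such a
# file exists and the e-mail passed validation, otherwise "$GENERIC".
select_key_file() {
    generic="$1"
    # First "<...>" on the card-status output only, so a multi-line match
    # cannot be spliced into the path.
    key_email=$(sed -nE 's/.*<([^>]*)>.*/\1/p' | head -n 1)
    # Accept only characters that cannot alter the path (no '/', no blanks);
    # anything else, including an empty value, selects the generic key.
    case "$key_email" in
        ''|*[!A-Za-z0-9._@+-]*)
            printf '%s\n' "$generic"
            return 0
            ;;
    esac
    if [ -f "$generic-$key_email" ]; then
        printf '%s\n' "$generic-$key_email"
    else
        printf '%s\n' "$generic"
    fi
}

# Constructed sample of the card-status lines that matter here (not a real
# card; the key id is a placeholder).
SAMPLE_CARD_STATUS='Reader ...........: Example Reader
Login data .......: alice
General key info..: pub  rsa4096/0000000000000000 2023-01-01 Alice Example <alice@example.org>
sec>  rsa4096/0000000000000000  created: 2023-01-01  expires: never'

# Stand-alone demonstration: a generic key file plus one per-card file.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/cryptkey.gpg"
    : > "$tmp/cryptkey.gpg-alice@example.org"
    printf 'card with alice -> %s\n' \
        "$(printf '%s\n' "$SAMPLE_CARD_STATUS" | select_key_file "$tmp/cryptkey.gpg")"
    printf 'card with bob   -> %s\n' \
        "$(printf 'General key info..: Bob <bob@example.org>\n' | select_key_file "$tmp/cryptkey.gpg")"
    rm -rf "$tmp"
}
demo
```

On the initramfs side the matching hook change would be to copy every `${CRYPTTAB_KEY}-*` file next to the generic key, so that the file this function selects is actually present at boot.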


