[pkg-gnupg-maint] missing feature in gnupg1 (1.4.21-3)

NIIBE Yutaka gniibe at fsij.org
Thu Mar 30 07:19:01 UTC 2017


NIIBE Yutaka <gniibe at fsij.org> wrote:
> I'll try, because it would be an important regression for 2.1 if user
> can't use encrypted root partition with GnuPG.

Sorry, it took time for me to prepare a VM environment with QEMU which passes
through USB device traffic.  Well, I learned.

Today, I can successfully mount an encrypted root partition using Gnuk
Token with GnuPG 2.1 on Debian Stretch (in a QEMU virtual environment).

So, I don't think it's a regression of GnuPG itself.  We need to update
the existing scripts for cryptsetup because the way to use GnuPG has
changed.

Please find the attached files, which I am using for the encrypted root
partition.

I read this article by Peter Lebbing:

	http://digitalbrains.com/2014/gpgcryptroot

In decrypt_gnupg_scd, I write like this:

    # Ask for the card PIN, then run gpg under a one-shot gpg-agent so the
    # PIN reaches gpg via loopback pinentry on standard input.
    if ! /lib/cryptsetup/askpass "Enter smartcard PIN for key $1: " | \
         /usr/bin/gpg-agent -q --homedir "$(dirname "$1")" --daemon   \
         /usr/bin/gpg -q --homedir "$(dirname "$1")"                  \
                      --pinentry-mode loopback --passphrase-fd 0      \
                      --decrypt "$1"; then
        return 1
    fi

It will ask you for the smartcard PIN via /lib/cryptsetup/askpass.  I use
/lib/cryptsetup/askpass because it seems to me to be the usual
practice for cryptsetup.

Since GnuPG 2.1 requires gpg-agent, gpg-agent is invoked in daemon mode
and gpg is invoked by gpg-agent.  After the gpg process finishes, the
gpg-agent process also finishes.  (Note that scdaemon will be
automatically invoked by gpg-agent.)

I specify --pinentry-mode loopback and --passphrase-fd 0 so that
gpg receives the PIN from standard input.
-- 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cryptgnupg_scd
Type: application/octet-stream
Size: 1525 bytes
Desc: cryptsetup script
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20170330/ac276da0/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: decrypt_gnupg_scd
Type: application/octet-stream
Size: 855 bytes
Desc: script in initramfs
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20170330/ac276da0/attachment-0001.obj>
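As an added example (not one of the scripts attached to the message above), here is a complete cryptsetup keyscript in the shape of decrypt_gnupg_scd: askpass feeds the PIN to gpg running under a one-shot gpg-agent with loopback pinentry, and the script refuses to touch the card when the key file is missing. It assumes, as the message does, that the key file's directory is the GnuPG home directory; the terminal fallback in ask_pin is a constructed convenience for trying the script outside the initramfs.

```shell
#!/bin/sh
# Added example keyscript (not the poster's attachment). cryptsetup passes
# the crypttab key field (path of the gpg-encrypted LUKS key) as $1 and
# reads the decrypted key from stdout. Assumption: the key file's
# directory is also the GnuPG home directory holding the card key stubs.

ASKPASS=/lib/cryptsetup/askpass

gpg_home_for() {
    dirname "$1"
}

# Prompt for the card PIN. In the initramfs use cryptsetup's askpass;
# outside it (constructed fallback for testing on a running system)
# read from the terminal with echo disabled.
ask_pin() {
    if [ -x "$ASKPASS" ]; then
        "$ASKPASS" "Enter smartcard PIN for key $1: "
    else
        printf 'Enter smartcard PIN for key %s: ' "$1" > /dev/tty
        stty -echo < /dev/tty; read -r pin < /dev/tty; stty echo < /dev/tty
        printf '\n' > /dev/tty
        printf '%s\n' "$pin"
    fi
}

# Decrypt key file $1 to stdout. Returns 1 before asking for the PIN or
# touching the card if the file is unreadable; otherwise gpg's status.
decrypt_keyfile() {
    keyfile=$1
    if [ ! -r "$keyfile" ]; then
        echo "decrypt_keyfile: cannot read $keyfile" >&2
        return 1
    fi
    home=$(gpg_home_for "$keyfile")
    # gpg-agent --daemon runs gpg as its child and exits when gpg exits;
    # scdaemon is started by the agent on demand. The PIN arrives on fd 0.
    ask_pin "$keyfile" | \
        /usr/bin/gpg-agent -q --homedir "$home" --daemon \
        /usr/bin/gpg -q --homedir "$home" \
            --pinentry-mode loopback --passphrase-fd 0 \
            --decrypt "$keyfile"
}

# Keyscript entry point: only runs when cryptsetup passed a key file path.
if [ $# -ge 1 ]; then
    decrypt_keyfile "$1"
    exit $?
fi
```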