Hi Guilhem and others,

On Mon, 30 Jul 2018 04:16:23 +0800 Guilhem Moulin <[email protected]> wrote:

> * Copying not only the (encrypted) key file and the public keyring,
> but also the private-keys-v1.d directory, sounds very odd to me.
> What is the rationale for doing so?

First, a new GnuPG --homedir /etc/keys is created, and in that homedir, the smartcard stubs for the OpenPGP card are created (per README.md[1]). This separate GnuPG homedir, specifically meant just for the unlocking of the LUKS container, is then copied to the initramfs.

If this were not done, you'd have to do "gpg --card-status" in your initramfs to create these stubs every time you boot, before decryption. It'd get awkward if you forgot to insert your smartcard, because adding --card-status makes it a two-step process: first --card-status, second --decrypt. Right now, if you forgot to insert your smartcard, the --decrypt would fail and be retried. The failure would prompt you to insert your smartcard.

It's not copying your normal GnuPG private-keys-v1.d to initramfs, that'd be not so clever. Still, in the interest of clarity, it warns the user that if they dumped sensitive information in /etc/keys, they might want to reconsider.

> decrypt_gnupg_sc:
> * How common are the cards requiring pcscd(8) that don't work with the
> existing ‘decrypt_opensc’ keyscript but do work with the
> ‘decrypt_gnupg_sc’ keyscript?

It's more tied to the reader than the card. My own smartcard reader works great with the internal CCID driver of GnuPG, and my version of this script does not have pcscd. Erik Nellessen apparently has a smartcard reader that is not supported by GnuPG, but the card in it is still an OpenPGP smartcard, AFAIK. I'm glad I have a GnuPG-supported reader myself, it makes it all a lot smoother.

HTH,
Peter.

[1] <https://github.com/eriknellessen/gpg-encrypted-root/blob/master/README.md>

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
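The message above hinges on the dedicated homedir holding only smartcard stubs, not real key material, before it is copied into the initramfs. The following check is an added example (not from this thread or from gpg-encrypted-root); it relies on the documented gpg-agent key file format, where a card stub is a `(shadowed-private-key ...)` S-expression and real keys are `(private-key ...)` or `(protected-private-key ...)`. The homedir paths and key file contents it builds are constructed sample data.

```shell
#!/bin/sh
# Added example: verify that a GnuPG homedir destined for the initramfs
# contains only OpenPGP card stubs in private-keys-v1.d, never real keys.
# gpg-agent stores one S-expression per key in private-keys-v1.d/<keygrip>.key:
#   (shadowed-private-key ...)                      -> card stub, safe to copy
#   (private-key ...) / (protected-private-key ...)  -> key material, must not ship

# Return 0 if every *.key under $1/private-keys-v1.d is a card stub, else 1.
stubs_only() {
    dir="$1/private-keys-v1.d"
    [ -d "$dir" ] || { echo "no private-keys-v1.d in $1" >&2; return 1; }
    rc=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue            # empty directory: nothing to flag
        if grep -qE '\((protected-)?private-key' "$f"; then
            echo "REAL KEY MATERIAL: $f" >&2
            rc=1
        elif ! grep -q 'shadowed-private-key' "$f"; then
            echo "unrecognised key file: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Build two constructed homedirs: "good" holds only a stub, "bad" also holds a
# protected private key. Keygrip names, moduli and card serial are fake.
mk_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/good/private-keys-v1.d" "$d/bad/private-keys-v1.d"
    cat > "$d/good/private-keys-v1.d/FAKEGRIP0001.key" <<'EOF'
Key: (shadowed-private-key (rsa (n #00C0FFEE#)(e #010001#)
 (shadowed t1-v1 (#0000000000000000000000000000DEAD# OPENPGP.1))))
EOF
    cp "$d/good/private-keys-v1.d/FAKEGRIP0001.key" "$d/bad/private-keys-v1.d/"
    cat > "$d/bad/private-keys-v1.d/FAKEGRIP0002.key" <<'EOF'
(protected-private-key (rsa (n #00C0FFEE#)(e #010001#)
 (protected openpgp-s2k3-sha1-aes-cbc (sha1 #00# "1024") #DEADBEEF#)))
EOF
    echo "$d"
}

# Usage on a real system: stubs_only /etc/keys before running update-initramfs.
SAMPLE=$(mk_sample)
stubs_only "$SAMPLE/good" && echo "good homedir: stubs only"
stubs_only "$SAMPLE/bad"  || echo "bad homedir: refuse to copy to initramfs"
```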