On Mon, 24 Sep 2018 at 14:11:02 +0200, Peter Lebbing wrote:
> Well, the ultimate fail-safe migration mechanism is very
> straight-forward. Export to /etc/cryptsetup-initramfs/pubkey.gpg, and in
> the decrypt script, --import that first. I see you already use a
> default, empty homedir anyway, might as well just --import to that.
Ah yeah, I hadn't thought about this, but that's nice and foolproof indeed, thanks!

> I do wonder why you ended up creating the homedir manually, doesn't
> GnuPG do that for you when it's the /default/ homedir? I can't just
> try it out and see myself, I don't have a Debian testing handy :-).
> Can build one, obviously.

It's created automatically indeed, but pre-creating it silences a warning and I'm always afraid that adding `--quiet` would silence too much. (However, I have no problem adding `--quiet` to `--import`, since public key management operations have fewer moving parts. So with your trick above the manual creation should be moot.)

> All the other issues but the trustdb issue are caused by the temporary
> homedir.

Oh, I misread you earlier in this thread and thought you were suggesting /etc/cryptsetup-initramfs pubring by using the directory as temporary homedir. My bad, sorry. Then shouldn't the following be enough, and save a temporary file?

`| gpg --no-default-keyring --keyring … --trust-model=always --import`

I like your above trick better, though: the command to generate keyrings is simpler, and not tied to a particular keyring format.

-- 
Guilhem.
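The two variants discussed above (import the exported pubkey.gpg into a fresh, empty default homedir, versus import it into a dedicated keyring file with --trust-model=always), as an added example that is not part of the thread or of cryptsetup-initramfs itself. It assumes GnuPG 2.1 or later is installed; the temporary homedir location and the keyring path are placeholders chosen here, and the pubkey path defaults to the one named in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: the "export once, --import at
# boot" migration. Assumes GnuPG 2.1+; paths are placeholders.
set -eu

# Variant 1 (Peter's trick): fresh, empty default homedir, then --import.
# mktemp -d already creates the directory with mode 0700, which is what
# pre-creating it silences: the "unsafe permissions" warning. --quiet is
# limited to the import, as in the reply. Prints the fingerprints that the
# homedir now holds, so a caller can check the import took.
import_pubkey_fresh_homedir() {
    pubkey="${1:-/etc/cryptsetup-initramfs/pubkey.gpg}"
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    gpg --batch --quiet --import "$pubkey"
    gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10 }'
}

# Variant 2 (the one-liner from the reply): no temporary homedir, import
# straight into a dedicated keyring file. The keyring path should be
# absolute, otherwise gpg looks for it inside the current homedir.
# --trust-model=always sidesteps the trustdb issue mentioned in the thread.
import_pubkey_keyring() {
    pubkey="$1"
    keyring="$2"
    gpg --batch --quiet --no-default-keyring --keyring "$keyring" \
        --trust-model=always --import "$pubkey"
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10 }'
}
```

Both functions print the primary key fingerprint first, followed by subkey fingerprints, so the first line is the value to compare against the exported key.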