Bug#903163: ITP: gpg-encrypted-root -- Encrypt root volumes with an OpenPGP smartcard
Hi, On Sat, 07 Jul 2018 at 17:08:59 +0200, Guilhem Moulin wrote: > On Sat, 07 Jul 2018 at 12:05:13 +0100, Chris Lamb wrote: >> Programming Lang: Shell >> Description : Encrypt root volumes with an OpenPGP smartcard > > See also #888916 (we didn't find time to review Rian's code yet, > though). I did that now [0], and here is a review of Erik's and Peter's approach. (It's directed at upstream but since I don't use GitHub I'm commenting here instead :-P I wouldn't mind maintaining this in src:cryptsetup as I wrote earlier.) The two approaches are quite similar and my (hopefully constructive) criticism mostly applies to both. While IMHO neither can be merged in as is, there are good ideas from both so I'm sure together we can find a solution that fits all needs :-) cryptgnupg_sc: * Since the recent refactoring in 2:2.0.3-2, the ‘cryptgnupg_sc’ hook file changed drastically [0]. 2:2.0.3-2 wasn't released yet when the hook file was written, but now ‘cryptgnupg_sc’ needs to be modified accordingly :-P * Copying not only the (encrypted) key file and the public keyring, but also the private-keys-v1.d directory, sounds very odd to me. What is the rationale for doing so? AFAICT the whole point of the smartcard solution is avoid exposing private key material to the initramfs image. I'd suggest to hardcode /etc/cryptsetup-initramfs/pubring.gpg instead (or /etc/cryptsetup-initramfs/gnupghome/…). * We don't want to copy_exec() .so that are explicitly versioned, as the likelyhood of breaking things is high. See https://salsa.debian.org/cryptsetup-team/cryptsetup/blob/master/debian/initramfs/hooks/cryptopensc#L49 for an alternative solution. decrypt_gnupg_sc: * How common are the cards requiring pcscd(8) that don't work with the existing ‘decrypt_opensc’ keyscript but do work with the ‘decrypt_gnupg_sc’ keyscript? Cheers, -- Guilhem. [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888916#10 signature.asc Description: PGP signature
Bug#903163: ITP: gpg-encrypted-root -- Encrypt root volumes with an OpenPGP smartcard
Hi, > ITP: gpg-encrypted-root -- Encrypt root volumes with an OpenPGP smartcard FYI clarifying the copyright situation here: https://github.com/eriknellessen/gpg-encrypted-root/issues/1 Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
Bug#903163: ITP: gpg-encrypted-root -- Encrypt root volumes with an OpenPGP smartcard
On Sat, 07 Jul 2018 at 17:08:59 +0200, Guilhem Moulin wrote: > (And 3rd-party hooks using our previous — internal — interface are > most likely all broken right now.) I mean the ones trying to read and parse our internal cryptroot configuration file (the crypttab(5)-like file stored in the initramfs). -- Guilhem. signature.asc Description: PGP signature
Bug#903163: ITP: gpg-encrypted-root -- Encrypt root volumes with an OpenPGP smartcard
Hi Chris, On Sat, 07 Jul 2018 at 12:05:13 +0100, Chris Lamb wrote: > Programming Lang: Shell > Description : Encrypt root volumes with an OpenPGP smartcard Since it's just a standalone shell script it might make sense to ship it with ‘cryptsetup-initramfs’ instead :-) See also #888916 (we didn't find time to review Rian's code yet, though). Also that hook is making assumption about our own hook's internals, and as such is not compatible with cryptsetup-initramfs ≥2:2.0.3-2. (FWIW Rian's hook has the same problem.) Unfortunately, until last month and #901795 nobody asked us to publish an interface to be used by 3rd-party hook files. (And 3rd-party hooks using our previous — internal — interface are most likely all broken right now.) Cheers, -- Guilhem. signature.asc Description: PGP signature
Bug#903163: ITP: gpg-encrypted-root -- Encrypt root volumes with an OpenPGP smartcard
Package: wnpp Severity: wishlist Owner: la...@debian.org X-Debbugs-CC: debian-de...@lists.debian.org * Package name: gpg-encrypted-root Version : 0~20170708+git980a0488-1 Upstream Author : Erik Nellessen * URL : https://github.com/eriknellessen/gpg-encrypted-root Programming Lang: Shell Description : Encrypt root volumes with an OpenPGP smartcard This package adds support for encrypted root volumes installing a LUKS "password" that is unlocked by an OpenPGP smartcard. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-