/dev/tty problem and other questions

Christoph Anton Mitterer christoph.anton.mitterer at physik.uni-muenchen.de
Tue Feb 19 13:00:51 CET 2008 

Hi.

I'm writing a support script for using dm-crypt/luks for root-filesystem
encryption, that will be used from an initramfs.
The iniramfs-scripts parse /etc/cryptab which specifies the file that
contains the key. It also allows to specify a so called keyscript, that
is invoked with the keyfile as parameter.
Those keyscripts are used to support stuff like
ssl/openct/opensc-encrypted keys and are expected to write (only) the
key to stdout.

Unfortunately there is no finished script to support gpg encrypted
key-files and I'd like to write one, but I have some problems:



1) When using a basic test-keyscript like

#!/bin/sh
gpg --decrypt "$1"

and I boot from the initramfs I'll get the following error:
gpg:cannot open /dev/tty: No such device or address.
and gpg doesn't offer a prompt to enter the passphares

Of course I've googled around but I found no practical solution.
The --no-tty --pasphrase-fd 0 is not a solution as it will print the
password in cleartext.

read -s only available in bash but not sh.


Any ideas here?



2) gpg creates some files in ~/.gnupg which is not a real problem in the
initramfs but I'd like to avoid this, so no files should be written to
disk at all.
Is this fully achieved by using --no-options or do I have to use other
stuff like --no-random-seed-file or something else?



3) As everything written to stdout is used as key, I must secure that
only the decrypted data is written to stdout.
I know the --batch option but it doesn't specify if it prints anything
(except the decrypted data) to stdout and it also disables promting for
the passphrase (see point 1).

Of course error meassages should still be printed, but are they always
written to stderr? What about informal messages (like no mdc detected)?
Are they written to stderr or stdout?



4) As I cannot check the return value of gpg if the decryption succeeded
(the output from the keyscript is piped to cryptsetup) I must have other
means to check whether the decryption was successful. Any ideas here?
And what does gpg write to stdout, if the decryption fails?



Thans and best wishes,
Chris.

More information about the Gnupg-users mailing list