FSFE Fellower Card + LUKS on Startup

Werner Koch wk at gnupg.org
Wed Nov 4 17:20:50 CET 2009 

On Tue,  3 Nov 2009 20:17, snope at snope.org said:

> wiki: https://wiki.ubuntu.com/SmartCardLUKSDiskEncryption. However, in this 
> HowTo, they use a MultiFlex Smartcard and load the key file on the card. In 
> the startup process, the keyfile is read out and sent to LUKS. This step is 
> really simple but how can this work with the gnupg smartcard? 

Our card has 4 simple PIN protected data fields which can be used for
that.  I think it is not fully documented how to access them. Here are
some hints:

If all 4 private DOs are set and you start gpg --card-edit, you will see

  Private DO 1 .....: This is private DO 1
  Private DO 2 .....: This is private DO 2

After entering the command "verify", entering your PIN followed by
"list" you get:

  Private DO 1 .....: This is private DO 1
  Private DO 2 .....: This is private DO 2
  Private DO 3 .....: This is private DO 3

After entering the command "admin verify", entering your Admin PIN
followed by "list" you get:

  Private DO 1 .....: This is private DO 1
  Private DO 2 .....: This is private DO 2
  Private DO 3 .....: This is private DO 3
  Private DO 4 .....: This is private DO 4

Thus you can see that DO 1 and 2 are always readable; thus not usable
for your application.  DO3 is readabale after presenting the PIN and DO4
is reaabale after resentng the Admin PIN.  Now let us change a DO:

  Command> privatedo 1
  Private DO data: Changed DO 1
  >

You had to enter your PIN for that to work.  With DO2 you need the Admin
pin.  Same goes for DO3 (PIN) and DO4 (Admin PIN).  Thus for your
application I suggest to use DO3.  You may store up to 254 bytes there
(some cards evenmore).  You may also read data in from a file:

  Command> privatedo 1 <FILE

To read this out and ask for a passphrase you need to write some code
which runs "gpg --command-fd N --with-colons --status-fd M
--edit-card". An easier way to do this is to use gpg-agent or just
scdaemon:

  $ gpg-connect-agent 
  > scd getattr PRIVATE-DO-1
  S PRIVATE-DO-1 Changed+DO+1
  OK

If you would have asked for DO3 the Pinentry would have popped up and
asked you for the PIN.  With scdaemon you leave out the "scd " but you
must be prepared to return the PIN on request (as reply to an INQUIRY
line).  

> I think it is not a problem to decrypt the key file in the startup process, 
> isn't it!? Is it possible to access the card reader (omnikey 4040) and the 
> smartcard via gpg from the initrd ram disk? Has anyone ever tried it in a 

I have not experience with initrd.

Another option would be to wait a while and use the new g13 tool which
is part of the new development branch of GnuPG.  It is fully integrated
into GnuPG and provides a platform independent replacement for LUKS.
For now only Encfs is supported but the system is designed to support
all kinds of backends (Even one on top of LUKS is possible).  The
advantage of G13 is that you use real public key cryptography and thus
your actual private key never leaves the card - it is only used to
encrypt the bulk encryption key(s). 


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list