gnupg smartcard on boot for LUKS on sid debian howto ?

tux.tsndcb at free.fr tux.tsndcb at free.fr
Wed Apr 16 22:19:28 CEST 2014 

Hello,

Thanks for your answer, I've already see your article and I asked to me many questions.

But in my case I've already crypted lvm partition with a passphrase, so can I only generated key.txt file and encrypt it with my gnupg key and add in cryptab file :

/etc/cryptab : 
sda5_crypt UUID=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyy /etc/gpg_luks/luks-key.txt none luks,keyscript=/usr/local/sbin/decrypt_luks.sh
sda5_crypt UUID=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyy none luks,discard 
<target name> <source device>         <key file>      <options>
crypto /dev/sda2 none luks,keyscript=/usr/local/sbin/decrypt_luks.sh
sda7_crypt UUID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx none luks,discard


But in the debian case, it's seems than I neeed to use /lib/cryptsetup/scripts/decrypt_gnupg, but I've not really exemple on that.

Best Regards

----- Mail original -----
De: "Thomas Harning Jr." <harningt at gmail.com>
À: "tux tsndcb" <tux.tsndcb at free.fr>
Cc: "Peter Lebbing" <peter at digitalbrains.com>, gnupg-users at gnupg.org
Envoyé: Mercredi 16 Avril 2014 21:32:22
Objet: Re: gnupg smartcard on boot for LUKS on sid debian howto ?


I believe this blog article could be a useful reference: 
https://blog.kumina.nl/2010/07/two-factor-luks-using-ubuntu/ 



This happens to work beautifully w/ the Yubikey NEO and the GPG Applet 


The article does omit any backup measures, so I added a separate long passphrase to use in the backup case - but to use it requires the initial boot UI to fail and I manually unlock the volumes and resume boot w/o the gnupg unlock. 



On Wed, Apr 16, 2014 at 11:40 AM, < tux.tsndcb at free.fr > wrote: 


Hello Peter, 

Actually, I'm on a fresh sid Debian installed, I've use during install crypted LVM volume for all my partitions excepted for /boot. 

So now I've two files like these : 

/etc/fstab 
# /etc/fstab: static file system information. 
# 
# Use 'blkid' to print the universally unique identifier for a 
# device; this may be used with UUID= as a more robust way to name devices 
# that works even if disks are added and removed. See fstab(5). 
# 
# <file system> <mount point> <type> <options> <dump> <pass> 
/dev/mapper/sda5_crypt / btrfs ssd,discard,noatime 0 1 
# /boot was on /dev/sda1 during installation 
UUID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /boot btrfs ssd,discard,noatime 0 2 
/dev/mapper/sda7_crypt /data btrfs ssd,discard,noatime 0 2 
... 

and 

/etc/cryptab : 
sda5_crypt UUID=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyy none luks,discard 
sda7_crypt UUID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx none luks,discard 
.... 

In a first time, I want to add a key.gpg file solution, so in the firt time I want it ask to me the pincode for the key.gpg file, and if it's wrong or broken ask me the usual passphrase. 


So could you explain us step by step, how to add this key.gpg as passphrase on a existing lvm crypted partition and how to have gnupg smartcard activate on boot to decrypt the key.gpg file ? 

Thanks in advanced for your return. 

PS : my gnupg smartcard works actually fine on a terminal on xsession. 

Best Regards 

_______________________________________________ 
Gnupg-users mailing list 
Gnupg-users at gnupg.org 
http://lists.gnupg.org/mailman/listinfo/gnupg-users 




-- 

Thomas Harning Jr. ( http://about.me/harningt )

More information about the Gnupg-users mailing list