decrypt luks with gnupg Card: determine if cardreader has pinpad

Jan Kowalsky jankow at datenkollektiv.net
Tue Mar 31 13:25:22 CEST 2015


Hi all,

I'm new on the list ...

While experimenting with scripts for using a GnuPG card to unlock a
LUKS-encrypted device, I'm looking for a way to determine whether an
attached card reader has a pinpad or not.

I used the script by Peter Lebbing
(http://www.digitalbrains.com/2014/gpgcryptroot) and changed it a bit for
card readers with pinpads.

I'd like to use the same script also for card readers without a pinpad,
but then I have to determine whether a card reader has one or not. Is there
any way to get this information?

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/lib/cryptsetup/scripts/decrypt_gnupg_sc:

    #!/bin/sh

    # quick hack for starting pcscd
    pcscd &

    decrypt_gpg () {
            # we check for an attached card reader
            # card readers with pinpad: they have to be attached before booting
            # card readers without pinpad: just attach them later, once the
            # script already asks for the passphrase or PIN
            # (the sleep only gives the reader a moment to settle; it always succeeds)
            if gpg2 --card-status > /dev/null 2>&1 && sleep 2; then
                    echo "Please use the pinpad of your cardreader for PIN entry." >&2
                    if ! /usr/bin/gpg2 --homedir "$(dirname "$1")" \
                            --trustdb-name /dev/null --decrypt "$1"; then
                            return 1
                    fi
                    return 0
            else
                    echo "Performing GPG key decryption ..." >&2
                    if ! /lib/cryptsetup/askpass \
                            "Enter passphrase for key $1, or PIN for your cardreader: " | \
                            /usr/bin/gpg -q --batch --homedir "$(dirname "$1")" \
                            --trustdb-name /dev/null --passphrase-fd 0 --decrypt "$1"; then
                            return 1
                    fi
                    return 0
            fi
    }

    if [ ! -x /usr/bin/gpg2 ]; then
            echo "$0: /usr/bin/gpg2 is not available" >&2
            exit 1
    fi

    if [ -z "$1" ]; then
            echo "$0: missing key as argument" >&2
            exit 1
    fi

    decrypt_gpg "$1"
    exit $?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I wrote a howto (in German) in addition to the one by Peter Lebbing
(thanks a lot!):
https://wiki.datenkollektiv.net/public/gnupg/luks_gnupg_card

To get card readers with a pinpad working we need gnupg2 inside the
initial ramdisk. But it works.

Best Regards
Jan
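
An added example, not part of the post above or of the gpgcryptroot script: before the script hands the PIN prompt to the pinpad, it is worth checking from `gpg2 --card-status --with-colons` that a card is actually present and that the user PIN still has retries left, so a failing prompt does not silently block the card. The sample output is constructed, and the field layout assumed is the GnuPG 2.x with-colons format (`reader:<name>:`, `serial:<number>:`, `pinretry:<user>:<reset>:<admin>:`).

```shell
#!/bin/sh
# Constructed sample of `gpg2 --card-status --with-colons` output.
# Assumption: field order as in GnuPG 2.x; the values are made up.
card_status_sample() {
    cat <<'EOF'
reader:Example Reader 00 00:
version:0201:
vendor:0001:Example Vendor:
serial:0000012345678:
name:Jan:Kowalsky:
pinretry:3:0:3:
sigcount:12:::
EOF
}

# Print the reader name from the "reader:" line (with-colons output on stdin).
card_reader_name() {
    awk -F: '$1 == "reader" { print $2; exit }'
}

# Print the remaining user-PIN retries from "pinretry:<user>:<reset>:<admin>:".
card_pin_retries() {
    awk -F: '$1 == "pinretry" { print $2; exit }'
}

# Decide whether it is safe to ask for the PIN.
# Exit status: 0 = card present with retries left, 1 = no card, 2 = PIN blocked.
card_pin_ok() {
    status="$(cat)"
    printf '%s\n' "$status" | grep -q '^serial:' || return 1
    retries="$(printf '%s\n' "$status" | card_pin_retries)"
    [ "${retries:-0}" -gt 0 ] || return 2
    return 0
}

# Live variant for use in a decrypt script (queries the real card; not run here).
live_card_pin_ok() {
    gpg2 --card-status --with-colons 2>/dev/null | card_pin_ok
}
```

In the decrypt script the pinpad branch would call `live_card_pin_ok` and only print the "use the pinpad" message on status 0, falling back to askpass otherwise.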
