Non-interactive PIN not accepted, gpg hangs

Laurent Blume laurent at elanor.org
Wed Sep 30 15:37:13 CEST 2015


On 2015/09/30 14:45 +0200, Peter Lebbing wrote:
> Processes dying tend to cause breakages in general. The issue here,
> though, is indeed that simply restarting the process isn't enough.
> That's where a custom pinentry could help.
> 
> In principle, it's not difficult to set up. If you want to account for
> processes randomly dying, then yes, it gets difficult, I agree. But a
> custom pinentry could save the day.

Ultimately, a lot will depend on that, LUKS volumes, file encryption
before transfer (GPG and SMIME), Apache secret keys (I've not dared yet
think about that one), maybe some others if the PCI auditor feels like it.

> I think it's not that bad, actually. I think in the general case your
> gpg-agent/scdaemon with loopback pinentry would be restarted
> automatically if it wasn't available. So you'd "just" have to switch to
> a normal pinentry when you need to do something requiring the Admin PIN.
> Is this really something you foresee happening though? I think switching
> keys on the card is going to be a downtime-incurring operation anyway,
> since it's not atomic. On-disk keys are much more flexible in that respect.

Yes, you are right. It will happen at least once a year, when expiring
keys have to be replaced. That really should be a smooth process, but
it's somewhat less critical.

> IMHO, you're using a device meant for personal usage as an HSM. It's
> possible, but your use case is a relatively unusual one, and might
> require some tweaking indeed.

Ah, that is a really good point.
The thing is, I asked around (on some other lists), and had a look at
HSMs; we even have a hundred thousand € worth of HSM, used for
something completely different.
But that's the thing: those very expensive thingies, they come with an
API and a manual, you «only» need to develop your application around it.
The NitroKey (and others like it) are both cheaper and easier to deploy
using off-the-shelf software (at least it looks so on paper).
That said, maybe the Pro model is not the right one, and I made a
mistake there out of ignorance.
My impression is that there are no middle-ground options between the
cheap, personal use device and the super-expensive brick.
If you do have suggestions, they're very welcome. I'm still assessing
feasibility, and able to change directions.

> I take it you mean /downstream/ official support, then. Upstream support
> is fine :). Anyway, a custom pinentry it is, then :). With 2.0. I
> wouldn't recommend 1.4 with agent, since it is less seamless, and you're
> gunning for seamless. When people recommend 1.4 for headless servers, I
> don't think they mean using a gpg-agent with scdaemon.

Pretty much, yes, so 2.0 it will be. I might ask RedHat for some help,
but really not holding my breath there.

Laurent
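Peter's suggestion of a custom pinentry is the piece of the thread a practitioner is most likely to want spelled out. The script below is an added example, written for this page and not code from either poster or from the GnuPG project. gpg-agent starts the program named by `pinentry-program` in gpg-agent.conf and talks the Assuan pinentry protocol to it over stdin/stdout; this one answers GETPIN from a file instead of prompting a human, and refuses to use the file unless it is owner-only (mode 400 or 600). The path `/etc/gnupg/card-pin`, the `PINENTRY_PIN_FILE` override and the script name `pinentry-file` are assumptions for the example.

```shell
#!/bin/sh
# Minimal non-interactive pinentry for a headless host (added example, not
# from the thread or from GnuPG). Install as e.g. /usr/local/bin/pinentry-file
# and set in gpg-agent.conf:   pinentry-program /usr/local/bin/pinentry-file
# PIN file path is an assumption; override with PINENTRY_PIN_FILE.

PIN_FILE="${PINENTRY_PIN_FILE:-/etc/gnupg/card-pin}"

# Accept the PIN file only if it exists and is readable by its owner alone.
pin_file_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$perms" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Percent-escape '%' and drop a stray CR so the value is a valid Assuan data line.
assuan_escape() {
    printf '%s' "$1" | tr -d '\r' | sed 's/%/%25/g'
}

# Read Assuan commands from stdin and write responses to stdout.
# Every pinentry must greet first; GETPIN returns "D <pin>" then "OK".
pinentry_loop() {
    printf 'OK Pleased to meet you\n'
    while IFS= read -r line; do
        cmd=${line%% *}
        case "$cmd" in
            GETPIN)
                if pin_file_ok "$PIN_FILE"; then
                    pin=$(head -n1 "$PIN_FILE")
                    printf 'D %s\n' "$(assuan_escape "$pin")"
                    printf 'OK\n'
                else
                    # Same error a real pinentry sends when the user cancels;
                    # gpg-agent then fails the operation instead of hanging.
                    printf 'ERR 83886179 Operation cancelled <Pinentry>\n'
                fi
                ;;
            CONFIRM)
                # Nobody is there to click "OK"; treat confirmations as accepted.
                printf 'OK\n'
                ;;
            BYE)
                printf 'OK closing connection\n'
                return 0
                ;;
            *)
                # SETDESC, SETPROMPT, SETKEYINFO, OPTION, GETINFO, ... are
                # acknowledged and otherwise ignored.
                printf 'OK\n'
                ;;
        esac
    done
    return 0
}

# Serve the protocol only when installed under a pinentry-* name, so the
# functions above can also be sourced and tested without reading stdin.
case "${0##*/}" in
    pinentry*) pinentry_loop ;;
esac
```

This only covers the user PIN prompt that gpg-agent relays for scdaemon; as Peter notes, anything needing the Admin PIN (key replacement on the card) is better done by temporarily switching `pinentry-program` back to an interactive pinentry. The permission check is the point of the exercise: the PIN file is the secret that replaces the human, so the script should never read it when it is world- or group-readable.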