Encrypt USB-HDD with LUKS using OpenPGP smartcard?

Ciprian Dorin Craciun ciprian.craciun at gmail.com
Mon Aug 6 08:38:45 CEST 2018


On Wed, Aug 1, 2018 at 7:32 PM Peter Lebbing <peter at digitalbrains.com> wrote:
> AFAIK, this is just systemd delegating passphrase querying to the
> physically present user. I suppose if you could somehow influence where
> it got the passphrase from, there might be a way to achieve it, but I
> have no idea how. That's all the direction I can provide.


I have a similar setup where at boot time I use GnuPG to decrypt my
drive with keys protected by GnuPG (instead of using LUKS).

I have managed to instruct GnuPG to use `systemd-ask-password` to
retrieve the password.  However I imagine that with some "tinkering"
one can implement a simple PIN-entry application to use
`systemd-ask-password`, and thus manage to make the whole setup work
with a smart card.

My script and systemd service file can be found at the following link:

  https://gist.github.com/cipriancraciun/c8a0dfb973b586053c167fec91093d9c

You just need to place these somewhere, update your paths (especially
in the `.service` file by replacing `store` and `lvm` with appropriate
tokens), and it should work by just updating your `/etc/fstab`.
(These were developed and tested only on OpenSUSE.)

Hope it helps,
Ciprian.


P.S.:  I really love GnuPG for its crypto-related features, but on the
flip-side I really hate it for its "integration" related features
within environments where it shouldn't double fork processes (like its
agent), muck with the TTY (like when reading passwords by the agent),
and in general just be "well behaved"...
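
Added example (not part of the original message, and not the script in the linked gist): a sketch of a PIN-entry program that answers the pinentry Assuan dialogue and hands GETPIN to `systemd-ask-password`, the idea suggested above. The `ASK_PASSWORD_CMD` variable and the `pinentry-*` file-name guard are assumptions of this sketch, and only a small subset of pinentry commands is handled.

```bash
#!/usr/bin/env bash
# Added sketch: pinentry shim that delegates GETPIN to systemd-ask-password.
# ASK_PASSWORD_CMD and the pinentry-* name guard are assumptions of this sketch.
ASK_PASSWORD_CMD=${ASK_PASSWORD_CMD:-systemd-ask-password}

# Assuan data lines must percent-escape '%', CR and LF.
assuan_escape() {
    local s=$1
    s=${s//\%/%25}; s=${s//$'\r'/%0D}; s=${s//$'\n'/%0A}
    printf '%s' "$s"
}

# Pinentry side of the Assuan dialogue: commands on stdin, replies on stdout.
pinentry_serve() {
    local line cmd arg pin prompt='PIN:'
    echo 'OK Pleased to meet you'
    while IFS= read -r line; do
        cmd=${line%% *}
        arg=${line#"$cmd"}; arg=${arg# }
        case $cmd in
            SETPROMPT) prompt=$arg; echo OK ;;
            GETINFO)
                if [ "$arg" = pid ]; then echo "D $$"; fi
                echo OK ;;
            GETPIN)
                # A failed or empty prompt is reported as a cancel, never as an empty PIN.
                if pin=$("$ASK_PASSWORD_CMD" "$prompt") && [ -n "$pin" ]; then
                    printf 'D %s\nOK\n' "$(assuan_escape "$pin")"
                else
                    echo 'ERR 83886179 Operation cancelled <Pinentry>'
                fi
                pin='' ;;
            BYE) echo 'OK closing connection'; return 0 ;;
            *) echo OK ;;  # SETDESC, SETTITLE, OPTION, ...: accepted and ignored
        esac
    done
}

# Serve only when installed under a pinentry-* file name (assumption).
case ${0##*/} in pinentry-*) pinentry_serve ;; esac
```

To try it, install the file under a `pinentry-*` name of your choosing and point the `pinentry-program` option in `gpg-agent.conf` at that path.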


