Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)

Peter Lebbing peter at digitalbrains.com
Fri Nov 9 16:12:19 CET 2018

Daniel, many thanks for thinking about this! I'm sorry I didn't respond

On 07/10/2018 03:01, Daniel Kahn Gillmor wrote:
> Does this make sense?  you just need to make sure you tie the version of
> gpg and the keyring into the same initramfs build time.

The problem is that the gpg invocation is not at the time of building
the initramfs. gpg is only invoked once during setup of the
smartcard-encrypted root. In the end, the --export during setup and
--import during early boot is probably the best alternative; since it's
an --import to an empty keyring, this shouldn't waste much time during
every boot anyway.

I have an idea about elegantly handling the fact that the smartcard stub
is not known during boot, since there doesn't seem to be a stable
interface to transferring these stubs, and invoking gpg at initramfs
build time will leave a running gpg-agent, which is rather avoided. I'll
work this out when I have the time.

> I don't know the answer to this about using concatenated TPKs as
> keyring.  Maybe Werner can weigh in?

Yes, I think it's useful to know what is a stable interface and what is
not, so I hope he will.

Thank you,


I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
