
Bug#903163: ITP: gpg-encrypted-root -- Encrypt root volumes with an OpenPGP smartcard



Hi,

On Sat, 07 Jul 2018 at 17:08:59 +0200, Guilhem Moulin wrote:
> On Sat, 07 Jul 2018 at 12:05:13 +0100, Chris Lamb wrote:
>> Programming Lang: Shell
>> Description     : Encrypt root volumes with an OpenPGP smartcard
> 
> See also #888916 (we didn't find time to review Rian's code yet,
> though).

I did that now [0], and here is a review of Erik's and Peter's approach.
(It's directed at upstream but since I don't use GitHub I'm commenting
here instead :-P  I wouldn't mind maintaining this in src:cryptsetup as
I wrote earlier.)  The two approaches are quite similar and my
(hopefully constructive) criticism mostly applies to both.  While IMHO
neither can be merged in as is, there are good ideas from both so I'm
sure together we can find a solution that fits all needs :-)

cryptgnupg_sc:
 * Since the recent refactoring in 2:2.0.3-2, the ‘cryptgnupg_sc’ hook
   file changed drastically [0].  2:2.0.3-2 wasn't released yet when the
   hook file was written, but now ‘cryptgnupg_sc’ needs to be modified
   accordingly :-P
 * Copying not only the (encrypted) key file and the public keyring,
   but also the private-keys-v1.d directory, sounds very odd to me.
   What is the rationale for doing so?  AFAICT the whole point of the
   smartcard solution is to avoid exposing private key material to the
   initramfs image.  I'd suggest to hardcode
   /etc/cryptsetup-initramfs/pubring.gpg instead (or
   /etc/cryptsetup-initramfs/gnupghome/…).
 * We don't want to copy_exec() .so that are explicitly versioned, as the
   likelihood of breaking things is high.  See
   https://salsa.debian.org/cryptsetup-team/cryptsetup/blob/master/debian/initramfs/hooks/cryptopensc#L49
   for an alternative solution.

decrypt_gnupg_sc:
 * How common are the cards requiring pcscd(8) that don't work with the
   existing ‘decrypt_opensc’ keyscript but do work with the
   ‘decrypt_gnupg_sc’ keyscript?

Cheers,
-- 
Guilhem.

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888916#10
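
Added example (not part of the original message, nor code from either reviewed package): a shell check for the private-keys-v1.d concern raised in the review above. It scans a GnuPG home directory staged for the initramfs and fails if any key file is something other than a smartcard stub. The function names, the sample file names and the reliance on gpg-agent's S-expression type tokens (`shadowed-private-key`, `protected-private-key`, `private-key`) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a GnuPG home directory before it is copied into
# an initramfs image.
# Assumption: key files are gpg-agent S-expressions whose type token
# tells whether the secret lives on a card or on disk.

# Print the kind of key in FILE: stub, protected, unprotected or unknown.
classify_keyfile() {
    # Order matters: "private-key" is a substring of the other two tokens.
    if LC_ALL=C grep -qF 'shadowed-private-key' "$1"; then echo stub
    elif LC_ALL=C grep -qF 'protected-private-key' "$1"; then echo protected
    elif LC_ALL=C grep -qF 'private-key' "$1"; then echo unprotected
    else echo unknown
    fi
}

# Return 0 if DIR holds no on-disk secret key material, 1 otherwise.
audit_gnupghome() {
    audit_dir=$1
    audit_rc=0
    # Legacy (GnuPG 1.x / 2.0) secret keyring.
    if [ -s "$audit_dir/secring.gpg" ]; then
        echo "FAIL: $audit_dir/secring.gpg is not empty"
        audit_rc=1
    fi
    for f in "$audit_dir"/private-keys-v1.d/*.key; do
        [ -e "$f" ] || continue    # glob matched nothing
        kind=$(classify_keyfile "$f")
        case $kind in
            stub) echo "ok:   $f (smartcard stub)" ;;
            *)    echo "FAIL: $f ($kind key on disk)"; audit_rc=1 ;;
        esac
    done
    return "$audit_rc"
}

# Constructed sample: one card stub and one passphrase-protected key.
make_sample() {
    sample=$(mktemp -d) && mkdir "$sample/private-keys-v1.d" || return 1
    printf '(21:shadowed-private-key(3:rsa))' > "$sample/private-keys-v1.d/AAAA.key"
    printf '(21:protected-private-key(3:rsa))' > "$sample/private-keys-v1.d/BBBB.key"
    echo "$sample"
}

demo_dir=$(make_sample)
audit_gnupghome "$demo_dir" || echo "private key material would be copied"
rm -rf "$demo_dir"
```

A passphrase-protected key is still reported as a failure: its encrypted secret would sit in the initramfs image, where it can be attacked offline.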
