[Pkg-cryptsetup-devel] gpg support for cryptsetup and decrypt_* scripts

Christoph Anton Mitterer christoph.anton.mitterer at physik.uni-muenchen.de
Mon Feb 18 16:07:05 UTC 2008


Hi.

I have the following setup:
-all my partitions (including root) are encrypted using cryptsetup/luks
-I use a USB stick (of course unencrypted) for booting. This stick
contains an initrd with the gpg-encrypted key for cryptsetup-luks

Currently I manually customize the initrd with a keyscript and so on...
but I'd like to have this automated.

1) I've seen that there's an unfinished decrypt_gpg script. When will
this be finished?

2) The current scripts (like decrypt_ssl) have a hardcoded max-tries.
Can we change this to use the crypttab parameter?

3) As the keyscript's output is directly passed to cryptsetup one cannot
use echo "Enter your passphrase" or give status messages like this.
I've seen that you write to stderr instead (at least in some cases).
Wouldn't it be better to write to /dev/tty?

4) The initramfs-tools hooks automatically copy the keyscript into the
initramdisk.
But do they also copy the key itself? Probably not, and if I think about
it, this is probably unwanted, as the key might be stored on a different
device, etc.
But it would be nice if it (depending on the chosen keyscript)
automatically copied gnupg, openssl, openct etc. to the initramdisk?
Is this possible and will you add this feature?

5) The decrypt_* scripts seem to use /usr/bin/... e.g. /usr/bin/gpg, but
normally you have all these in /bin within an initramdisk (or not?).
So can these scripts be modified to work in an initramdisk, too?

6) As decrypt_gpg is not yet finished I wrote my own very primitive
script (it does nothing but gpg --decrypt $1).
But with this I have the problem that gpg complains:
/dev/tty: No such device or address

But the device exists. I know about --no-tty + --passphrase-fd 0 but
this isn't a solution as it prints the passphrase in cleartext.
And read -s is only available with bash, not with sh.

Thanks for your help,
Chris.
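One way to address points 3 and 6 of the message above together, as an added example (this is neither the Debian package's decrypt_gpg nor code from the original post): a POSIX sh keyscript that writes prompts to the terminal device instead of stdout, reads the passphrase with echo disabled via stty(1) rather than bash's read -s, and hands it to gpg over a pipe so gpg never has to open /dev/tty itself. The script name decrypt_gpg_tty, the KEYSCRIPT_TTY override, the fallback to /dev/console and the use of CRYPTTAB_OPTION_tries are assumptions made for the illustration; the key file is assumed to have been encrypted with gpg --symmetric.

```shell
#!/bin/sh
# decrypt_gpg_tty: hypothetical cryptsetup keyscript (added example, not the
# Debian package's decrypt_gpg).  cryptsetup invokes it as
#     decrypt_gpg_tty /path/to/key.gpg
# and uses everything written to stdout as the LUKS key, so stdout must
# carry the decrypted key and nothing else.  Prompts go to the terminal.
set -eu

# Choose the terminal.  /dev/tty is the controlling terminal and cannot be
# opened by a process that has none (e.g. early in an initramfs), so fall
# back to /dev/console.  KEYSCRIPT_TTY is an assumed override used by tests.
pick_tty() {
    if [ -n "${KEYSCRIPT_TTY:-}" ]; then
        printf '%s' "$KEYSCRIPT_TTY"
    elif ( : < /dev/tty ) 2>/dev/null; then
        printf '%s' /dev/tty
    else
        printf '%s' /dev/console
    fi
}

# Prompt or status text ($1) goes to device $2, never to stdout.
msg() {
    printf '%s' "$1" > "$2"
}

# Read one line from device $1 with echo turned off.  'read -s' is a bash
# extension; stty(1) is available in dash/busybox initramfs images.  When $1
# is not a terminal (a regular file in tests) stty is skipped.  The old
# terminal settings are restored even if the read fails.
read_secret() {
    _dev=$1
    _line=
    if [ -c "$_dev" ] && _old=$(stty -g < "$_dev" 2>/dev/null); then
        stty -echo < "$_dev"
        IFS= read -r _line < "$_dev" || true
        stty "$_old" < "$_dev"
        printf '\n' > "$_dev"
    else
        IFS= read -r _line < "$_dev" || true
    fi
    printf '%s' "$_line"
}

# Feed the passphrase ($2) to gpg on a pipe: it is neither echoed nor visible
# in the process list, and --no-tty stops gpg from opening /dev/tty itself.
# The plaintext of $1 lands on stdout for cryptsetup.
# (With GnuPG 2.1 or later, --pinentry-mode loopback must be added for
# --passphrase-fd to be honoured.)
decrypt_key() {
    _keyfile=$1
    _pass=$2
    printf '%s\n' "$_pass" |
        gpg --batch --quiet --no-tty --passphrase-fd 0 --decrypt "$_keyfile"
}

main() {
    [ $# -eq 1 ] || { printf 'usage: %s KEYFILE\n' "$0" >&2; exit 1; }
    _keyfile=$1
    _tty=$(pick_tty)
    # Assumed: cryptsetup exports the crypttab tries= option as
    # CRYPTTAB_OPTION_tries; default to 3 attempts otherwise.
    _tries=${CRYPTTAB_OPTION_tries:-3}
    while [ "$_tries" -gt 0 ]; do
        msg "Enter passphrase for $_keyfile: " "$_tty"
        _pass=$(read_secret "$_tty")
        if decrypt_key "$_keyfile" "$_pass"; then
            return 0
        fi
        msg "Decryption failed, try again." "$_tty"
        _tries=$((_tries - 1))
    done
    msg "Giving up." "$_tty"
    return 1
}

# Run main only when installed under the keyscript's own name, so the
# functions can also be sourced for testing.
case ${0##*/} in
    decrypt_gpg_tty) main "$@" ;;
esac
```

Installed as /lib/cryptsetup/scripts/decrypt_gpg_tty and referenced from crypttab with keyscript=/lib/cryptsetup/scripts/decrypt_gpg_tty, the script keeps stdout clean for the key and keeps the passphrase off the terminal; the initramfs still has to contain gpg and stty for it to work, which is the point raised in item 4.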



