Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-15 Thread Ciprian Dorin Craciun
On Wed, Aug 15, 2018 at 1:57 PM Peter Lebbing wrote:
> >   https://gist.github.com/cipriancraciun/c8a0dfb973b586053c167fec91093d9c
>
> Hey, that systemd service file seems to basically grab cryptsetup
> handling from the clutches of systemd, enabling all sorts of operations
> not possible with systemd's cryptsetup handling! That's really clever!


Basically I just looked at how a similar file was generated by systemd
for other `/etc/crypttab` targets and adapted.

Ciprian.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-15 Thread Peter Lebbing
On 06/08/18 08:38, Ciprian Dorin Craciun wrote:
> My script and systemd service file can be found at the following link:
> 
>   https://gist.github.com/cipriancraciun/c8a0dfb973b586053c167fec91093d9c

Hey, that systemd service file seems to basically grab cryptsetup
handling from the clutches of systemd, enabling all sorts of operations
not possible with systemd's cryptsetup handling! That's really clever!

I'm saving this for future reference, thanks.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-06 Thread Ciprian Dorin Craciun
On Wed, Aug 1, 2018 at 7:32 PM Peter Lebbing wrote:
> AFAIK, this is just systemd delegating passphrase querying to the
> physically present user. I suppose if you could somehow influence where
> it got the passphrase from, there might be a way to achieve it, but I
> have no idea how. That's all the direction I can provide.


I have a similar setup where at boot time I use GnuPG to decrypt my
drive with keys protected by GnuPG (instead of using LUKS).

I have managed to instruct GnuPG to use `systemd-ask-password` to
retrieve the password.  However I imagine that with some "tinkering"
one can implement a simple PIN-entry application to use
`systemd-ask-password`, and thus manage to make the whole setup work
with a smart card.

My script and systemd service file can be found at the following link:

  https://gist.github.com/cipriancraciun/c8a0dfb973b586053c167fec91093d9c

You just need to place these somewhere, update your paths (especially
in the `.service` file by replacing `store` and `lvm` with appropriate
tokens), and it should work by just updating your `/etc/fstab`.
(These were developed and tested only on OpenSUSE.)

Hope it helps,
Ciprian.


P.S.:  I really love GnuPG for its crypto-related features, but on the
flip-side I really hate it for its "integration" related features
within environments where it shouldn't double fork processes (like its
agent), muck with the TTY (like when reading passwords by the agent),
and in general just be "well behaved"...



Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-01 Thread Damien Cassou
Dirk Gottschalk via Gnupg-users writes:
> Is it possible to encrypt an external USB drive in LUKS format with an
> OpenPGP smartcard? The device is, until now, only passphrase encrypted
> and mounted on detect.
>
> Would it be possible to let gpg ask for the PIN of the card, if it's in
> locked state?

What I do is to have the external HDD encryption passphrase in a GnuPG
encrypted file on my main hard disk. Then, a bash script takes care of
(1) getting the passphrase from the encrypted file, (2) mounting the
external disk with the passphrase. That way, you can use your smartcard.

All my passwords are in GnuPG encrypted files and handled by
https://www.passwordstore.org/.

-- 
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill
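
The approach described in the message above (passphrase kept in a GnuPG-encrypted file, decrypted and handed to cryptsetup), as an added shell example that is not part of the original post. The function name `unlock_and_mount` and the override variables `GPG`, `CRYPTSETUP` and `MOUNT` are assumptions of this sketch, and the encrypted file is assumed to hold the passphrase on its first line.

```shell
#!/bin/sh
# Added example (not from the thread): unlock a LUKS volume with a passphrase
# kept in a GnuPG-encrypted file, so decryption goes through gpg-agent and
# the smartcard PIN prompt. Paths and names passed in are the caller's own.

# Tool names are overridable, which also lets the flow be exercised with stubs.
GPG="${GPG:-gpg}"
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
MOUNT="${MOUNT:-mount}"

# unlock_and_mount <passphrase.gpg> <block-device> <mapper-name> <mount-point>
unlock_and_mount() {
    pw_file=$1 dev=$2 name=$3 mnt=$4
    [ -r "$pw_file" ] || { echo "cannot read $pw_file" >&2; return 1; }

    # Step 1: decrypt into a shell variable; nothing is written to disk.
    pass=$("$GPG" --quiet --decrypt "$pw_file") || {
        echo "gpg decryption failed" >&2; return 1; }

    # Keep only the first line (pass-style files may carry notes below it).
    nl='
'
    pass=${pass%%"$nl"*}
    [ -n "$pass" ] || { echo "empty passphrase" >&2; return 1; }

    # Step 2: feed the passphrase on stdin (printf is a builtin in bash and
    # dash, so it is not exposed in a process argument list). With
    # --key-file=- the input is used verbatim, hence no trailing newline.
    printf '%s' "$pass" |
        "$CRYPTSETUP" open --type luks --key-file=- "$dev" "$name" || {
        unset pass; echo "cryptsetup open failed" >&2; return 1; }
    unset pass

    # Mount the mapped device; close the mapping again if mounting fails.
    "$MOUNT" "/dev/mapper/$name" "$mnt" || {
        "$CRYPTSETUP" close "$name"; return 1; }
}

# Run only when called with all four arguments (needs root for real devices).
if [ "$#" -eq 4 ]; then
    unlock_and_mount "$@"
fi
```

The passphrase stored in the encrypted file must match the LUKS passphrase exactly, without a trailing newline, because `--key-file=-` does not strip one.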



Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-01 Thread Peter Lebbing
On 01/08/18 18:16, Dirk Gottschalk wrote:
> Could this be replaced by the smartcard
> to use the gpg key in some way?

AFAIK, this is just systemd delegating passphrase querying to the
physically present user. I suppose if you could somehow influence where
it got the passphrase from, there might be a way to achieve it, but I
have no idea how. That's all the direction I can provide.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-01 Thread Dirk Gottschalk via Gnupg-users
Hi,

On Wednesday, 01.08.2018, at 18:06 +0200, Peter Lebbing wrote:
> On 01/08/18 17:41, Dirk Gottschalk via Gnupg-users wrote:
> > Is it possible to encrypt an external USB drive in LUKS format with
> > an
> > OpenPGP smartcard?
> 
> On a system with systemd: no, I don't think this can be done. Systemd
> doesn't want to implement cryptsetup keyscripts, and those would be
> needed.
> 
> On a different system: it depends. What system are we talking about?
> :-)

I am using Fedora and it uses SystemD. On the other hand, the HDD is
mounted when plugged in via GVFS and Gnome asks for the passphrase or
reads it from gnome's keyring. Could this be replaced by the smartcard
to use the gpg key in some way?

I tried to use g13 with dm-crypt, but this seems not to work on Fedora
for an unknown reason.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-01 Thread Peter Lebbing
On 01/08/18 17:41, Dirk Gottschalk via Gnupg-users wrote:
> Is it possible to encrypt an external USB drive in LUKS format with an
> OpenPGP smartcard?

On a system with systemd: no, I don't think this can be done. Systemd
doesn't want to implement cryptsetup keyscripts, and those would be needed.

On a different system: it depends. What system are we talking about? :-)

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Encrypt USB-HDD with LUKS using OpenPGP smartcard?

2018-08-01 Thread Dirk Gottschalk via Gnupg-users
Hi.

Is it possible to encrypt an external USB drive in LUKS format with an
OpenPGP smartcard? The device is, until now, only passphrase encrypted
and mounted on detect.

Would it be possible to let gpg ask for the PIN of the card, if it's in
locked state?

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac


