Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-21 Thread tux . tsndcb
Hello Peter,

Don't worry I can understand.

I will look at your new way, and yes, pinpad usage may be the problem; I will
look into that also (but as I have seen in rescue mode after boot, PINPAD askpass
PIN entry works fine on the pinpad, so maybe, and surely, the problem is during
the boot phase).

Many thanks again for your time and your new way (I will give you my test
result).

Best Regards.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-21 Thread Peter Lebbing
On 21/05/14 15:24, tux.tsn...@free.fr wrote:
> Could you tell me which reader you use?

I'm sorry that I currently don't have the time to help you properly.

I used an SCM SCR3310 while "developing" the scripts, but on my main PC (which I
did not use), I use an SCM SPR532.

Yesterday, I suddenly realised that your problem might be related to the fact
you have a pinpad. The script uses cryptsetup's askpass program to pass a PIN or
passphrase to gpg on stdin; perhaps it goes wrong because this is combined with
input from a pinpad, which would be an odd way to call gpg.

The scripts are pretty simple bash scripts; you could adapt them or try the
invocations done in the script from a root terminal and see what they do.

Oh, which reminds me. At least on Jessie, the askpass program disables echoing
and never re-enables it, so you can't see what you are typing after calling it.
(Blindly) type "reset" and press enter to reset your terminal settings, which
re-enables character echoing. I suppose it's a bug and should be reported.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-21 Thread tux . tsndcb
Hello Peter,

Could you tell me which reader you use?

Thanks in advance.

Best Regards



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-20 Thread tux . tsndcb
Hello Peter,

More information that may help you to help me:

If I boot in rescue mode, same issue during the boot phase:

- PIN code wrong (not asked for on my smartcard reader, and if I type it on the
keyboard => wrong) but passphrase OK.

After boot, I enter "root" mode after typing the root password (so console mode).

If I type the same commands:

gpg --card-status --debug-ccid-driver => I have no error, so normally it is
good, isn't it?

and if I do:

echo scd getinfo reader_list | gpg-connect-agent --decode | awk '/^D/ {print $2}'

answer:
0982:0008:00F5:0

same good result.

If I try:

gpg --card-edit
admin
verify

the PIN code is asked for on my smartcard reader and works well.

So is it possible to add a "debug mode" to your script to have more information
during the boot phase?

Thanks in advance for your help

Best Regards




Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-20 Thread tux . tsndcb
Hello Peter,

If I do:

gpg --card-status --debug-ccid-driver => I have no error, so normally it is
good, isn't it?

and if I do:

echo scd getinfo reader_list | gpg-connect-agent --decode | awk '/^D/ {print $2}'

answer:
0982:0008:00F5:0

It is indeed my smartcard reader, with my smartcard detected.

So do you have an idea what's wrong on boot?

Here are the /etc/keys files:

-rw-r--r-- 1 root root  769 May 18 17:43 cryptkey.gpg
-rw------- 1 root root 4975 May 18 18:05 pubring.gpg~
-rw------- 1 root root 4975 May 18 18:05 pubring.gpg
-rw------- 1 root root 5050 May 18 18:05 secring.gpg
-rw------- 1 root root 7807 May 19 18:29 gpg.conf


Here is my gpg.conf file:

utf8-strings
keyserver hkp://keys.gnupg.net
auto-key-locate local
verbose
default-key {YOURKEY}
require-cross-certification

Am I missing an option in this gpg.conf file?

Thanks in advance for your reply.

Best Regards



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-19 Thread tux . tsndcb
Hello Peter

- Original message -
From: "Peter Lebbing" 
To: "tux tsndcb" 
Cc: gnupg-users@gnupg.org
Sent: Monday 19 May 2014 20:01:38
Subject: Re: gnupg smartcard on boot for LUKS on sid debian howto ?

>> But I always have:
>> 
>> gpg: pcsc_establish_context failed: no service (0x8010001d) gpg: card
>> reader not available
>> 
>> maybe it's a problem on boot with the 60-gnupg.rules file? This file
>> works fine after boot because the smartcard reader works fine.
>
> Is your card reader supported by GnuPG's internal CCID driver or do you
> need pcscd for the smartcard to work? Related question: Is pcscd usually
> running?
>
> As I said, your smartcard reader really needs to be supported by GnuPG's
> internal driver, it will not work if pcscd is needed. The messages seem
> to indicate that pcscd is needed.

Yes, of course; that's why I'm very surprised to see pcsc invoked. My smartcard
reader is a Vega Alpha, supported by GnuPG's internal driver; on my Debians I
don't install pcscd and libccid because they are not necessary, and it works
fine with the PINPAD using only GnuPG's internal driver with this smartcard reader.

It's officially confirmed at this link:
http://wiki.gnupg.org/CardReader/PinpadInput?highlight=%28vega%29

On Debian (Jessie and sid) I can sign, encrypt, use SSH support and Poldi with
this reader and my smartcard, and use the PINPAD, fully supported.

Best Regards



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-19 Thread Peter Lebbing
Hello,

> First, good news: as I told you, during initramfs generation I see no
> trace of /etc/key/cryptkey.gpg, but this file must be OK
> because the passphrase works on boot (with gpg.conf in /etc/keys) (maybe
> it's because my test is for the /data/test encrypted FS and not /)

Indeed you will only get the messages when it's the root drive you want
to unlock. I haven't tested other configurations. I think it ought to
work for other volumes that are unlocked on boot.

> But I always have:
> 
> gpg: pcsc_establish_context failed: no service (0x8010001d) gpg: card
> reader not available
> 
> maybe it's a problem on boot with the 60-gnupg.rules file? This file
> works fine after boot because the smartcard reader works fine.

Is your card reader supported by GnuPG's internal CCID driver or do you
need pcscd for the smartcard to work? Related question: Is pcscd usually
running?

As I said, your smartcard reader really needs to be supported by GnuPG's
internal driver, it will not work if pcscd is needed. The messages seem
to indicate that pcscd is needed.

HTH,

Peter.



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-19 Thread tux . tsndcb
Hello Peter,

First, good news: as I told you, during initramfs generation I see no trace of
/etc/key/cryptkey.gpg, but this file must be OK because the passphrase works
on boot (with gpg.conf in /etc/keys) (maybe it's because my test is for the
/data/test encrypted FS and not /).

But I always have:

gpg: pcsc_establish_context failed: no service (0x8010001d)
gpg: card reader not available

Maybe it's a problem on boot with the 60-gnupg.rules file? This file works fine
after boot because the smartcard reader works fine.

Best Regards



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-18 Thread tux . tsndcb
Hi Peter,

Thanks for your answer

- Original message -
From: "Peter Lebbing" 
To: "tux tsndcb" 
Cc: gnupg-users@gnupg.org
Sent: Sunday 18 May 2014 22:04:18
Subject: Re: gnupg smartcard on boot for LUKS on sid debian howto ?

> On 18/05/14 18:51, tux.tsn...@free.fr wrote:
>> I need to check how to use gnupg_ccid instead of pcsc in your script
>
> pcscd is not installed in the initramfs :). So your reader should be
> supported by the internal driver of GnuPG for it to work.

Yes, it is supported by the gnupg_ccid driver.

> You might have noticed you can optionally put a gpg.conf in /etc/keys
> (or wherever your key is) and it will be copied and used in the initramfs.

I will test with it.

PS: I've done new tests with update-initramfs -u -vv -k all to get a verbose
initramfs generation, but I see no /etc/keys/secring.gpg or
/etc/keys/cryptkey.gpg, is that normal?
But I do see: Calling hook cryptgnupg_sc and Calling hook cryptgnupg_sc

Best Regards.



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-18 Thread Peter Lebbing
On 18/05/14 22:25, tux.tsn...@free.fr wrote:
> PS: I've done new tests with update-initramfs -u -vv -k all to get a
> verbose initramfs generation, but I see no /etc/keys/secring.gpg or
> /etc/keys/cryptkey.gpg, is that normal? But I do see: Calling hook
> cryptgnupg_sc and Calling hook cryptgnupg_sc

No, that means something is wrong. It will always call the hook, even
when you don't use encrypted volumes at all. But when the hook
determines it has nothing to do, it will exit without any messages. So
apparently the hook thinks you don't need it to do anything. That's bad,
mm'kay.

HTH,

Peter.

PS: Yeah, scripts don't think. I think. I /hope/. I kill those things
sometimes.



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-18 Thread Peter Lebbing
On 18/05/14 18:51, tux.tsn...@free.fr wrote:
> I need to check how to use gnupg_ccid instead of pcsc in your script

pcscd is not installed in the initramfs :). So your reader should be
supported by the internal driver of GnuPG for it to work.

You might have noticed you can optionally put a gpg.conf in /etc/keys
(or wherever your key is) and it will be copied and used in the initramfs.

Good luck,

Peter.



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-18 Thread tux . tsndcb
Hi Peter,

My first feedback on Jessie: on boot it asks me for the PIN to decrypt but fails,
but that is normal; here are the messages:

Performing GPG key decryption
Enter Smartcard PIN or passphrase for key /etc/keys/cryptkey.gpg
gpg: pcsc_establish_context failed: no service (0x8010001d)
gpg: card reader not available

But it's normal, because I use a PINPAD reader and I can only use the gnupg_ccid
driver, so pcscd is not installed on my PC.

I need to check how to use gnupg_ccid instead of pcsc in your script.

Best Regards



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-18 Thread tux . tsndcb
Hi Peter,

- Original message -
From: "Peter Lebbing" 
To: "tux tsndcb" , gnupg-users@gnupg.org
Sent: Sunday 18 May 2014 12:52:52
Subject: Re: gnupg smartcard on boot for LUKS on sid debian howto ?

> On 16/05/14 16:06, tux.tsn...@free.fr wrote:
>> I answer myself: after many, many tests, in fact it isn't
>> currently possible to do it under Debian sid => root cause: a bug in
>> systemd:
>
> That's a pity it doesn't work on sid. I've been meaning to look into
> this since you brought it up, and I finally made some time to do it.
> Since I think Sid is a nasty kid who plays much too roughly with my
> toys, I used Jessie, and it does work there. Looking at the Debian bug,
> I think they'll fix it.

Many thanks for your reply. This weekend I've done new tests, and the temporary
solution I've applied is to install sysvinit-core, which removes systemd-sysv,
and now under Debian sid the keyfile is OK on boot to decrypt the LUKS FS, but I
haven't tested it yet with the smartcard (just with a keyfile encrypted with gpg).

Yes, this will probably be fixed, because it should be in the standard stable
Jessie install.

> What I would really like, by the way, is if you clicked an unopened
> encrypted volume in your file manager, and it would prompt for your PIN
> through pinentry. But that doesn't work yet. Unlocking the root
> filesystem and other filesystems that are unlocked on boot does work.

Actually, the problem for me is on boot.

> You can check out what I did on
> <http://digitalbrains.com/2014/gpgcryptroot>.
>
> I haven't tried it on Wheezy yet (I will), but I think it will work
> there as well.

I will test this on Jessie and sid (now it's the same as Jessie with
sysvinit-core).

I will give you my feedback ASAP about it.

Best Regards



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-18 Thread Peter Lebbing
On 16/05/14 16:06, tux.tsn...@free.fr wrote:
> I answer myself: after many, many tests, in fact it isn't
> currently possible to do it under Debian sid => root cause: a bug in
> systemd:

That's a pity it doesn't work on sid. I've been meaning to look into
this since you brought it up, and I finally made some time to do it.
Since I think Sid is a nasty kid who plays much too roughly with my
toys, I used Jessie, and it does work there. Looking at the Debian bug,
I think they'll fix it.

What I would really like, by the way, is if you clicked an unopened
encrypted volume in your file manager, and it would prompt for your PIN
through pinentry. But that doesn't work yet. Unlocking the root
filesystem and other filesystems that are unlocked on boot does work.

You can check out what I did on
<http://digitalbrains.com/2014/gpgcryptroot>.

I haven't tried it on Wheezy yet (I will), but I think it will work
there as well.

HTH,

Peter.



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-16 Thread tux . tsndcb
Hi all,

I answer myself: after many, many tests, in fact it isn't currently possible to
do it under Debian sid => root cause: a bug in systemd:

Debian Bug report logs - #618862
systemd: ignores keyscript in crypttab

link here : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618862

Best Regards



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-05-09 Thread tux . tsndcb
Hi Thomas,

I believe this blog article could be a useful reference: 
https://blog.kumina.nl/2010/07/two-factor-luks-using-ubuntu/ 

I've tested it on my Debian sid with my pinpad reader, but the main problem is
that on boot my Debian fails to access my smartcard.

Has somebody successfully used their smartcard to do that?

Thanks in advance for your reply.

Best Regards.



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-04-20 Thread tux . tsndcb
Hello Peter,

I've read the README.gnupg file in cryptsetup, and it indicates 3 steps to do:

1) First, you'll have to create the encrypted keyfile by:

# dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \
--no-default-keyring --keyring /dev/null --secret-keyring /dev/null \
--trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg

2) Format the partition with this cryptkey.gpg key file:

# /lib/cryptsetup/scripts/decrypt_gnupg /etc/keys/cryptkey.gpg | \
cryptsetup --key-file=- luksFormat /dev/

3) Modify the /etc/crypttab file:

cdev1   /dev/  /etc/keys/cryptkey.gpg  luks,keyscript=decrypt_gnupg



But in fact I have a problem with step 1, because if I use the command line:

# dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \
--no-default-keyring --keyring /dev/null --secret-keyring /dev/null \
--trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg

It is not my GnuPG key that is used to encrypt this cryptkey.gpg file, so it will
not be my GnuPG key on my smartcard that is used to decrypt it.

How can I modify this command line to use my GnuPG key to generate this
cryptkey.gpg?

Thanks in advance for your reply.

Best Regards.

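The three README.gnupg steps quoted in the message above, reworked so that step 1 encrypts the keyfile to a public key instead of with --symmetric, as an added example; this is neither the README's text nor the scripts from digitalbrains.com. It assumes a root shell, an existing LUKS volume that already has a passphrase keyslot (the situation described earlier in the thread, so luksAddKey is used instead of luksFormat), the mapping name sda5_crypt on /dev/sda5, and a placeholder key ID in RECIPIENT for the card's encryption subkey; all of those are illustrative. The keyscript name is a parameter: the stock decrypt_gnupg mirrors the README's /dev/null keyring options and can only decrypt a --symmetric file, so a public-key-encrypted keyfile needs a keyscript and initramfs hook that bring the key stub and card support into the initramfs, which is what the thread's cryptgnupg_sc scripts are for. The verify_keyfile function is Peter's suggestion of running the script's invocation from a root terminal, turned into a check that runs before crypttab is touched.

```shell
#!/bin/sh
# Added example, not code from README.gnupg or from the thread's scripts.
# Provisions a LUKS volume with a GnuPG-encrypted keyfile that only the
# card's private key can decrypt. Assumptions (all illustrative): run as root,
# the volume already has a passphrase keyslot, the recipient's public key is
# in root's keyring, and the keyscript named in KEYSCRIPT can decrypt a
# public-key-encrypted file inside the initramfs.
set -eu

KEYDIR=${KEYDIR:-/etc/keys}
KEYFILE=$KEYDIR/cryptkey.gpg
RECIPIENT=${RECIPIENT:-0x0123456789ABCDEF}   # assumed: the card's encryption subkey
KEYSCRIPT=${KEYSCRIPT:-decrypt_gnupg}        # stock one handles --symmetric only
KEYLEN=256                                   # bytes, as in README.gnupg

# Step 1, changed: encrypt the random key to a public key instead of
# --symmetric. The README's "--keyring /dev/null" options are dropped because
# gpg has to find the recipient's public key; --trust-model always skips the
# "not certain that the key belongs to..." prompt for an unsigned key.
# /dev/urandom instead of the README's /dev/random so the step never blocks.
make_keyfile() {
    umask 077
    mkdir -p "$KEYDIR"
    dd if=/dev/urandom bs=1 count="$KEYLEN" 2>/dev/null \
      | gpg --no-options --no-random-seed-file --trust-model always \
            --encrypt --recipient "$RECIPIENT" --output "$KEYFILE"
}

# Checks before touching crypttab: the file really is public-key encrypted
# (a ":pubkey enc packet:", not a ":symkey enc packet:"), and the keyscript
# the initramfs will run yields exactly KEYLEN bytes. With a card this is
# also where the PIN prompt has to work from a root terminal.
verify_keyfile() {
    gpg --batch --list-packets "$KEYFILE" 2>/dev/null \
      | grep -q '^:pubkey enc packet:' || return 1
    n=$(/lib/cryptsetup/scripts/"$KEYSCRIPT" "$KEYFILE" | wc -c | tr -d ' ')
    [ "$n" -eq "$KEYLEN" ]
}

# Step 2, for an existing volume: add the decrypted key as a new keyslot
# (luksAddKey, not luksFormat) so the passphrase slot remains as fallback.
# cryptsetup prompts for an existing passphrase; the plaintext key only ever
# sits in a RAM-backed tmpfs file for the duration of the call.
add_luks_slot() {
    dev=$1
    tmp=$(mktemp -p /dev/shm luks-key.XXXXXX)
    trap 'rm -f "$tmp"' EXIT
    /lib/cryptsetup/scripts/"$KEYSCRIPT" "$KEYFILE" > "$tmp"
    cryptsetup luksAddKey "$dev" "$tmp"
    rm -f "$tmp"
    trap - EXIT
}

# Step 3: the crypttab line. The third field is the keyfile handed to the
# keyscript; a bare keyscript name resolves under /lib/cryptsetup/scripts/.
crypttab_entry() {
    printf '%s %s %s luks,keyscript=%s\n' "$1" "$2" "$KEYFILE" "$KEYSCRIPT"
}

# Runs the three steps only when invoked as:
#   sh this.sh run sda5_crypt UUID=<uuid> /dev/sda5
main() {
    make_keyfile
    verify_keyfile || { echo "keyfile check failed (not public-key encrypted, or keyscript did not return $KEYLEN bytes)" >&2; exit 1; }
    add_luks_slot "$3"
    crypttab_entry "$1" "$2" >> /etc/crypttab
    update-initramfs -u
}

case "${1:-}" in
    run) shift; main "$@" ;;
esac
```

The passphrase keyslot is deliberately left in place: cryptsetup falls back to prompting for it when the keyscript fails, which is the "if it's wrong or broken, ask me the usual passphrase" behaviour asked for at the start of the thread. Running verify_keyfile from a root terminal before rebooting also reproduces the exact gpg invocation the initramfs will make, which is where a pcscd-only reader or a pinpad interaction problem shows up without a failed boot.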


Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-04-18 Thread tux . tsndcb
Hello all,

Does someone have an idea how to do that, please?

All help is appreciated.

Thanks in advance.

Best Regards.



Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-04-16 Thread Thomas Harning Jr.
I believe this blog article could be a useful reference:
https://blog.kumina.nl/2010/07/two-factor-luks-using-ubuntu/

This happens to work beautifully w/ the Yubikey NEO and the GPG Applet

The article does omit any backup measures, so I added a separate long
passphrase to use in the backup case - but to use it requires the initial
boot UI to fail and I manually unlock the volumes and resume boot w/o the
gnupg unlock.





-- 
Thomas Harning Jr. (http://about.me/harningt)


Re: gnupg smartcard on boot for LUKS on sid debian howto ?

2014-04-16 Thread tux . tsndcb
Hello,

Thanks for your answer; I've already seen your article and asked myself many
questions.

But in my case I already have an encrypted LVM partition with a passphrase, so
can I just generate a key.txt file, encrypt it with my GnuPG key and add in the
crypttab file:

/etc/crypttab:
sda5_crypt UUID=yy /etc/gpg_luks/luks-key.txt none luks,keyscript=/usr/local/sbin/decrypt_luks.sh
sda5_crypt UUID=yy none luks,discard

crypto /dev/sda2 none luks,keyscript=/usr/local/sbin/decrypt_luks.sh
sda7_crypt UUID=xx none luks,discard


But in the Debian case, it seems that I need to use
/lib/cryptsetup/scripts/decrypt_gnupg, but I have no real example of that.

Best Regards



gnupg smartcard on boot for LUKS on sid debian howto ?

2014-04-16 Thread tux . tsndcb
Hello Peter,

Actually, I'm on a fresh Debian sid install; during install I used an encrypted
LVM volume for all my partitions except /boot.

So now I have two files like these:

/etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/sda5_crypt  /       btrfs   ssd,discard,noatime 0   1
# /boot was on /dev/sda1 during installation
UUID=xx                 /boot   btrfs   ssd,discard,noatime 0   2
/dev/mapper/sda7_crypt  /data   btrfs   ssd,discard,noatime 0   2
...

and

/etc/crypttab:
sda5_crypt UUID=yy none luks,discard
sda7_crypt UUID=xx none luks,discard


As a first step, I want to add a key.gpg file solution, so that at first it asks
me for the PIN code for the key.gpg file, and if it's wrong or broken, asks me
for the usual passphrase.


So could you explain to us, step by step, how to add this key.gpg as a passphrase
on an existing encrypted LVM partition, and how to have the GnuPG smartcard
activated on boot to decrypt the key.gpg file?

Thanks in advance for your reply.

PS: my GnuPG smartcard currently works fine in a terminal in an X session.

Best Regards
