As part of the Librem Key initiative, we need the ability to use an OpenPGP smartcard to automatically unlock a LUKS-encrypted drive. The following project provides a few simple scripts to manage this, and is written with Debian-based distributions in mind:
https://github.com/eriknellessen/gpg-encrypted-root
I would like to request that we package this tool for PureOS, unless there is already a tool in place I'm unaware of that offers the same features.
@kyle.rankin wrote:
we will need this package (or similar functionality if it already exists) so we can use it [with a potential product]
[…]
it will be important to have this working, tested, and available for customers [soon]
ACK. The problem here was that it was not assigned to anyone so it was not only anybody's radar. Taking it...
Just checking in on the status of this ticket. We are not yet at a place where this is blocking other activity but will be within another week or two.
Thanks for the ping and this is good to know; can prioritise this over some other things on my radar :)
ITP bug filed here: https://bugs.debian.org/903163
Initial, untested packaging here: https://salsa.debian.org/lamby/pkg-gpg-encrypted-root
@kyle.rankin Can you provide any input (on the Debian bug preferably...) on the response from Guillem here: https://bugs.debian.org/903163#10 ? Thanks!
The point about it just being a shell script is valid. I would be perfectly fine with including this script (or a similar forked script) directly into cryptsetup-initramfs, especially if that helps speed the process along.
(I'm not plugged into all of those Debian mailing lists so I can't easily reply there at this point and will just reply here.)
Hi @chris.lamb I just wanted to check in on the progress with this. Looking at the official bug it looks like things have stalled a bit but maybe there are other things happening behind the scenes with people working on packaging that I'm not aware of.
Are we in a blocked state or otherwise is there anything I can do to help the process?
Sweet! So, what's the timeline look like for me to be able to test this on something?
FYI discussion and work on this is mostly happening on https://bugs.debian.org/903163
Thanks for the update. Let's leave this ticket open to track the work in bringing the updated cryptsetup package into PureOS. Once that package exists in PureOS we can close this ticket.
https://tracker.debian.org/news/1005629/accepted-cryptsetup-2205-2-source-amd64-all-into-unstable/ was just uploaded to Debian, closing https://bugs.debian.org/888916 and https://bugs.debian.org/903163
@kyle.rankin Does that mean we can close this bug or is further integration required?
It probably makes sense to keep this open until the package shows up in PureOS (having it in Debian is nice, but not sufficient). Once it makes its way into PureOS then sure, close the ticket.
Thanks so much for tracking this to completion!
@kyle.rankin Okaley, so what's the next step here? This should have hit PureOS by now :)
Is there a documentation available to configure this, now that it's possible to do now?
The cryptsetup-initramfs package has a README on configuring gnupg-sc, but I've found it's not entirely accurate and is too focused on configuring a *new* and non-root disk.
I've written a simple script that automates the entire setup, and am working on packaging it for PureOS.
and am working on packaging it for PureOS.
@kyle.rankin, shall I therefore assign it over to thee? That would appear to make the most sense at this point. :)
To me this ticket should be closed, as we have achieved the initial goal (packaging the equivalent of gpg-encrypted-root into PureOS).
@hansolo you can find an example script for how to set this up at https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html#decrypt-luks-encrypted-drives-with-librem-key