# dracut: modules.d/91crypt-gpg/README
# Directions for changing a system from a password-based gpg keyfile
# to a smartcard-based gpg keyfile

# Be sure that you meet the following requirements:
# 1. GnuPG >= 2.1 installed with
#    * Smartcard support enabled (scdaemon must be built)
#    * Direct CCID access built into scdaemon
# 2. A password-based gpg keyfile ${KEYFILE} (e.g. "keyfile.gpg"):
#    That is, a file containing the slot key for LUKS, which
#    has been encrypted symmetrically with GnuPG using
#    a password.
# 3. Your public OpenPGP identity ${RECIPIENT} (e.g. "3A696356").
#    A short 8-digit key ID is shown here for brevity; prefer the full
#    fingerprint (gpg --fingerprint), since short key IDs are not unique.
# 4. An OpenPGP smartcard holding the decryption key associated
#    with your public identity
# 5. A CCID smartcard reader

# Note: Requirements 4. and 5. can of course be one device, e.g.
# a USB token with an integrated OpenPGP smartcard
# Make a backup of your keyfile (assuming it lies on the boot partition)
$ cp /boot/${KEYFILE} /safe/place/keyfile.bak.gpg

# Change your keyfile from purely password-based to both
# password-based and key-based (you can then decrypt the keyfile
# with either method, so the password still protects the slot key
# and must stay as strong as before). The pipe keeps the decrypted
# slot key in memory only; never redirect the output of "gpg -d" to
# a file. As an example aes256 is chosen; the cipher is not important
# to this guide, because the keyfile is decrypted by gpg itself (libgcrypt)
# inside the initramfs, not by the kernel, so any cipher your GnuPG build
# supports will work at boot.
$ gpg -d /safe/place/keyfile.bak.gpg | gpg --encrypt --recipient ${RECIPIENT} --cipher-algo aes256 --armor -c > /safe/place/keyfile_sc.gpg
# Verify that you can decrypt your new keyfile both with the password
# and with your smartcard. Note that "gpg -d" writes the decrypted slot
# key to your terminal: do this in a private session and clear the
# scrollback afterwards.
# (with smartcard inserted, you should be prompted for your PIN, unless
# you already did so and have not yet timed out)
$ gpg -d /safe/place/keyfile_sc.gpg
# (with smartcard disconnected, you should be prompted for your password;
# if gpg-agent has the passphrase cached you will not be asked, but that
# is still a password-based decryption)
$ gpg -d /safe/place/keyfile_sc.gpg

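The two decryption runs above prove each unlock path works, but only on a machine that has both the card and the password. As an added example (written for this page, not code from dracut or the crypt-gpg module), the following Python script checks the same property structurally, without calling gpg: it walks the OpenPGP packet headers of the keyfile and confirms that one Public-Key Encrypted Session Key packet for ${RECIPIENT} and one Symmetric-Key Encrypted Session Key packet precede the ciphertext, which is exactly what `gpg -c --encrypt --recipient` must produce. It handles ASCII armor, old- and new-format packet headers and the partial body lengths gpg emits when it encrypts from a pipe. The sample message it inspects is constructed inline with a made-up key ID (0123456789ABCDEF) and dummy ciphertext; it is not a real keyfile.

```python
"""Structural check of a gpg keyfile: does it carry BOTH a passphrase and a
public-key unlock path?  Added example, not part of dracut/crypt-gpg.
Walk the OpenPGP packet headers (RFC 4880 sect. 4.2) and look at the
session-key packets preceding the ciphertext: tag 1 = Public-Key Encrypted
Session Key (one per --recipient), tag 3 = Symmetric-Key ESK (from -c)."""
import base64

PKESK, SKESK = 1, 3
ENCRYPTED_DATA_TAGS = (9, 18, 20)  # SE, SEIPD, AEAD data: session keys all come before

def dearmor(data: bytes) -> bytes:
    """Return the binary message for ASCII-armored or already-binary input."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    body, in_body = [], False
    for line in data.decode("ascii").splitlines()[1:]:   # skip the BEGIN line
        if not in_body:                 # armor headers end at the first blank line
            in_body = line.strip() == ""
            continue
        if line.startswith("-----END"):
            break
        if line.startswith("="):        # CRC24 line; not verified here (gpg does)
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body), validate=True)

def _new_format_length(data: bytes, i: int):
    """Decode a new-format length at data[i]; return (length, next_i, is_partial)."""
    first = data[i]
    if first < 192:
        return first, i + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[i + 1] + 192, i + 2, False
    if first == 255:
        return int.from_bytes(data[i + 1:i + 5], "big"), i + 5, False
    return 1 << (first & 0x1F), i + 1, True        # partial body length (streamed output)

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; handles old/new headers and partial lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:                                   # new-format header
            tag, body = ctb & 0x3F, bytearray()
            while True:                                  # gpg uses partial lengths when
                length, i, partial = _new_format_length(data, i)   # encrypting from a pipe
                body += data[i:i + length]
                i += length
                if not partial:
                    break
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                               # indeterminate: rest of input
                length = len(data) - i
            else:
                n = (1, 2, 4)[ltype]
                length, i = int.from_bytes(data[i:i + n], "big"), i + n
            body = data[i:i + length]
            i += length
        yield tag, bytes(body)

def session_key_methods(keyfile: bytes):
    """Return (recipient key IDs as upper-case hex, number of passphrase packets)."""
    key_ids, passphrases = [], 0
    for tag, body in iter_packets(dearmor(keyfile)):
        if tag == PKESK:                                 # v3 PKESK: version, 8-byte key ID, ...
            key_id = body[1:9].hex().upper()
            key_ids.append("anonymous" if key_id == "0" * 16 else key_id)  # --throw-keyids
        elif tag == SKESK:
            passphrases += 1
        elif tag in ENCRYPTED_DATA_TAGS:
            break
    return key_ids, passphrases

def unlockable_by_both(keyfile: bytes, recipient: str) -> bool:
    """True if there is a passphrase packet AND a PKESK for RECIPIENT.
    RECIPIENT may be a fingerprint, a 16-hex long ID or an 8-hex short ID
    (suffix match, as gpg does); a fingerprint is the unambiguous choice."""
    key_ids, passphrases = session_key_methods(keyfile)
    wanted = recipient.upper().replace(" ", "")[-16:]
    return passphrases >= 1 and any(k.endswith(wanted) for k in key_ids)

def constructed_keyfile() -> bytes:
    """Made-up armored message shaped like 'gpg -c -e' output (dummy ciphertext)."""
    pkesk = b"\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x01" + b"\x00\x08\x80"
    skesk = b"\x04\x09\x03\x08" + bytes(8) + b"\x60"    # v4, AES256, iterated-salted S2K
    seipd = b"\x01" + bytes(516)                        # version byte + dummy ciphertext
    raw = (b"\x84" + bytes([len(pkesk)]) + pkesk         # old-format header, tag 1
           + b"\x8c" + bytes([len(skesk)]) + skesk       # old-format header, tag 3
           + b"\xd2\xe9" + seipd[:512]                   # new-format tag 18, partial len 512
           + bytes([len(seipd) - 512]) + seipd[512:])    # final definite-length chunk
    b64 = base64.b64encode(raw).decode()
    lines = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
    return f"-----BEGIN PGP MESSAGE-----\n\n{lines}\n-----END PGP MESSAGE-----\n".encode()

if __name__ == "__main__":
    sample = constructed_keyfile()
    print(session_key_methods(sample), unlockable_by_both(sample, "89ABCDEF"))
```

Run it against the real file with `unlockable_by_both(open("/safe/place/keyfile_sc.gpg", "rb").read(), RECIPIENT)`. A `True` result only shows the file is addressed to that key and to a passphrase; it says nothing about whether the card actually holds the matching private key, so the two `gpg -d` runs above remain the authoritative test before the old keyfile is replaced.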
# After verification, replace your old keyfile with your new one.
# Use double quotes so that ${KEYFILE} is expanded by your own shell
# before the command is handed to root's shell.
$ su -c "cp /safe/place/keyfile_sc.gpg /boot/${KEYFILE}"

# Export your public key to where crypt-gpg can find it
$ gpg --armor --export-options export-minimal --export ${RECIPIENT} > /safe/place/crypt-public-key.gpg
$ su -c 'cp /safe/place/crypt-public-key.gpg /etc/dracut.conf.d/crypt-public-key.gpg'

# Rebuild your initramfs as usual. Keep the backup keyfile until you have
# confirmed a successful boot with the new one.
# When booting with any of the requirements not met, crypt-gpg will fall back to password-based
# keyfile unlocking (this is why the new keyfile keeps its password path).
# If all requirements are met and smartcard support is not disabled by setting the kernel option "rd.luks.smartcard=0",
# crypt-gpg will try to find and use a connected OpenPGP smartcard by prompting you for the PIN and then
# unlocking the gpg keyfile with the smartcard.