Date: Wed, 17 May 2017 12:38:22 +0200 From: Matthias Apitz <guru@unixarea.de> To: freebsd-questions@freebsd.org Subject: GnuPG smart card && geli Message-ID: <20170517103822.GB16462@c720-r314251>
next in thread | raw e-mail | index | archive | help
--RASg3xLB4tUQ4RcS
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hello,
I'm using gpg2 (from the ports) which supports a so called GnuPG smart
card, i.e. the private key is stored in some CCID SIM (the card, which
sits in a small USB stick) and access to the private gpg key is secured
by a PIN entry, not a passphrase. This works fine and is very secure for
using gpg on many hosts because you do not have to pollute all these
hosts with your secret key material which could be copied (i.e. stolen)
by anyone, for example even IP personal, having priv access to your
workspace(s)).
gpg2 brings a gpg-agent, to which gpg2 commands communicate, for example
'gpg2 --card-status' and which in turn connects to the daemon
/usr/local/sbin/pcscd (as well in ports) which has the communication to
special GnuPG-card. All you need is the PIN defined for the card.
I use the HID Global OMNIKEY 6121 Smart Card Reader and the GnuPG-card
produced here in Germany.
On the other hand, the gpg-agent can also substitute the ssh-agent as a dro=
pin.
One exports the ssh public key for the remote ~/.ssh/authorized_keys
with:
$ gpg2 --export-ssh-key ID > ssh.pub
kills the (old) 'ssh-agent' and starts a 'gpg-agent':
$ ssh-agent -k
$ gpg2 --card-status
(the latter launches as well the gpg-agent)
$ unset SSH_AGENT_PID
$ unset SSH_AUTH_SOCK
$ if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then export SSH_=
AUTH_SOCK=3D"$(gpgconf --list-dirs agent-ssh-socket)"; fi
$ env | grep SSH
SSH_AUTH_SOCK=3D/home/guru/.gnupg-ccid/S.gpg-agent.ssh
Now 'ssh-add -l' will contact not the 'ssh-agent', but the 'gpg-agent':
$ ssh-add -l
4096 SHA256:lo2xgyFAnSXz6HNMELNZogJEfyj7XEKZiHIHg+e1DFw cardno:00050000532B=
(RSA)
and on first access to the key with
$ ssh id@remote-server
the secret key is needed and 'gpg-agent' uses /usr/local/bin/pinentry or
/usr/local/bin/pinentry-qt5 to request the PIN. Further ssh commands
find the card already unlocked (until disconnect of the USB stick) and
no PIN is needed anymore.
So far so good and the same works this way for signing e-mails, etc.
What I now want to get is using this too while booting the system which
has the root and user partition geli(8) crypted. I.e. boot a mini system
=66rom some un-encrypted USB stick which has only /boot, /etc/fstab and
enough files to make gpg2, gpg-agent and /usr/local/sbin/pcscd working,
including shared libs needed by these. On a very early stage the gpg2
decrypts the keyfile for geli(8) which was encrypted by gpg2 using the
public key of the card. Than the rest of the partitions are attached
with 'geli attach' using on STDIN the keyfile decrypted on the flight
with gpg2. So the unencrypted keyfile is never stored onto the USB boot
key.
This would lead to a system (netbook) which never can be booted or
otherwise data read from and you can only boot it with the USB boot key,
the USB GnuPG-card and the PIN (normally 6 digits).
Any comments on this?
matthias
--=20
Matthias Apitz, =E2=9C=89 guru@unixarea.de, =E2=8C=82 http://www.unixarea.d=
e/ =E2=98=8E +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdi=C3=B3 la Guerra.
May 8, 1945: Who does not celebrate lost the War.
--RASg3xLB4tUQ4RcS
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEXmn7rBYYViyzy/vBR8z35Hb+nREFAlkcKBYACgkQR8z35Hb+
nRHN1BAAjlH0/cYH1XtY1mfKHgmyKiJTqi9+Sl4eh1Gee6hD965jnnL77wDPzxFz
7aYHsRrsqM5c5zH8ZU5SosjhOuZzzOWEBImRjXEfvkbhuC0cGS5h9TvUSWNK70rQ
A5UOHX1ullyKc1UAHPub+IUNJ07STB2nM4XDrVxTUqeeKaiwFbTqUnu3W4CoT6OL
p2H17bhx9iLWivOiyv3DNnQmCi8vYt0uDcG8fuUyEtbkUwbpPCjBk0UU8eHRBEIc
PBDHNC8us1c/uOMpmChdw68lWuE3istW6SOUUy4axO2x1skrFSq3CfACU/DQLoY+
S6EubCJSxDXl4kb/OjD34PKpH/ZEk6yuyg4kvqSA+EoFN79YM4DVUfPKi+u4ICX5
6WGl1DtQzkKxyxNDNMC3OA1v1U9q50/SACqxuXQjiE8psicCGfYwz+fjcibIW1bQ
LGPWjcKAcTSM3bOeBom7FIYBzFVCd3KpNVyaEMZIbRWJNAr2kDPgiWrxLNJeRCxO
r19hiLIQzfeUaSeWzD9xFtE5uYcmcOoe9WrJo+Z+s37UBtTrQfZocjwli0n8WeR7
E3H6LMjhLpfiBA7X68VCK7XlvFF8a/0h96EL5FhP01glpZHB92/iv2IBgGyi+HMN
ks49jUHdwVIC2sm6TD/9tXRR6BmQNbywmA48HXGVNGUqfspkGdI=
=Vkvt
-----END PGP SIGNATURE-----
--RASg3xLB4tUQ4RcS--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170517103822.GB16462>