From 82ff52e0800702dee9402f8efe13dbc02e5883d2 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 6 May 2024 02:31:20 +0200 Subject: Adding debian version 2:2.1.0-5+deb10u2. Signed-off-by: Daniel Baumann --- debian/README.gnupg | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 debian/README.gnupg (limited to 'debian/README.gnupg') diff --git a/debian/README.gnupg b/debian/README.gnupg new file mode 100644 index 0000000..837d151 --- /dev/null +++ b/debian/README.gnupg 
@@ -0,0 +1,42 @@ +Using GnuPG keys for LUKS dm-crypt devices in Debian +==================================================== + +The Debian cryptsetup package provides the keyscript `decrypt_gnupg` for +setups with a GnuPG encrypted LUKS keyfile. + +The following example assumes that you store the encrypted keyfile in +`/etc/keys/cryptkey.gpg`. LUKS device is `/dev/`. + +First, you'll have to create the encrypted keyfile: + + dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \ + --no-default-keyring --keyring /dev/null --secret-keyring /dev/null \ + --trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg + +Next the LUKS device needs to be formated with the key. For that, the +`decrypt_gnupg` keyscript can be used: + + /lib/cryptsetup/scripts/decrypt_gnupg /etc/keys/cryptkey.gpg | \ + cryptsetup --key-file=- luksFormat /dev/ + +In order to unlock the encrypted LUKS device automatically during boot process, +add the following to `/etc/crypttab`: + + cdev1 /dev/ /etc/keys/cryptkey.gpg luks,discard,keyscript=decrypt_gnupg + + +Decrypting the keyfile at initramfs stage +----------------------------------------- + +If the device is to be unlocked at initramfs stage (such as for the root FS or +the resume device), the provided initramfs hooks should do all additionally +required work for you when the initramfs is created or updated. + +Be warned though, that for such devices the GnuPG encrypted key is copied to +the initramfs by the initramfs cryptgnupg hook. If you don't want this, you +should take a look at the initramfs cryptgnupg hook, which is located at +`/usr/share/initramfs-tools/hooks/cryptgnupg`. + + -- Jonas Meurer Thu, 04 Mar 2010 17:31:40 +0100 + + -- Guilhem Moulin Sat, 17 Sep 2016 16:14:41 +0200 -- cgit v1.2.3
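Review bot: the closing warning in this hunk ("the GnuPG encrypted key is copied to the initramfs by the initramfs cryptgnupg hook") stops one sentence short of stating the consequence. The keyfile is created with `--symmetric`, so a copy of it in an initramfs that lives on an unencrypted /boot is protected by the passphrase alone; the README should say plainly that the passphrase chosen in the `dd ... | gpg ... --symmetric` step is then the only thing standing between someone holding the disk and the LUKS master key, and that this is why the hook at `/usr/share/initramfs-tools/hooks/cryptgnupg` is pointed out for adjustment. Two smaller points in the same hunk: the device placeholder appears as a bare `/dev/` three times ("LUKS device is `/dev/`", the `cryptsetup --key-file=- luksFormat /dev/` line and the `cdev1 /dev/ ...` crypttab line), which a reader may copy literally; spell it out as an explicit placeholder such as `/dev/<device>`. The crypttab example also carries `discard` without comment; that option has nothing to do with the keyscript and carries a confidentiality trade-off (TRIM exposes which blocks hold data), so either drop it from the example or mark it optional. Typos: "formated" should be "formatted", and "during boot process" should be "during the boot process".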