author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-17 08:06:26 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-17 08:06:26 +0000
commit: fd888e850cf413955483bfb993aeeea5ea611289 (patch)
tree: 6148fed3d1f30272c48403f4cdefa59c2b7e1513 /debian/README.gnupg
parent: Adding upstream version 2:2.6.1. (diff)
Adding debian version 2:2.6.1-4~deb12u2. (tag: debian/2%2.6.1-4_deb12u2, branch: debian)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/README.gnupg')
-rw-r--r--  debian/README.gnupg  42
1 files changed, 42 insertions, 0 deletions
diff --git a/debian/README.gnupg b/debian/README.gnupg
new file mode 100644
index 0000000..837d151
--- /dev/null
+++ b/debian/README.gnupg
@@ -0,0 +1,42 @@
+Using GnuPG keys for LUKS dm-crypt devices in Debian
+====================================================
+
+The Debian cryptsetup package provides the keyscript `decrypt_gnupg` for
+setups with a GnuPG encrypted LUKS keyfile.
+
+The following example assumes that you store the encrypted keyfile in
+`/etc/keys/cryptkey.gpg`. LUKS device is `/dev/<luks_device>`.
+
+First, you'll have to create the encrypted keyfile:
+
+ dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \
+ --no-default-keyring --keyring /dev/null --secret-keyring /dev/null \
+ --trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg
+
+Next the LUKS device needs to be formated with the key. For that, the
+`decrypt_gnupg` keyscript can be used:
+
+ /lib/cryptsetup/scripts/decrypt_gnupg /etc/keys/cryptkey.gpg | \
+ cryptsetup --key-file=- luksFormat /dev/<luks_device>
+
+In order to unlock the encrypted LUKS device automatically during boot process,
+add the following to `/etc/crypttab`:
+
+ cdev1 /dev/<luks_device> /etc/keys/cryptkey.gpg luks,discard,keyscript=decrypt_gnupg
+
+
+Decrypting the keyfile at initramfs stage
+-----------------------------------------
+
+If the device is to be unlocked at initramfs stage (such as for the root FS or
+the resume device), the provided initramfs hooks should do all additionally
+required work for you when the initramfs is created or updated.
+
+Be warned though, that for such devices the GnuPG encrypted key is copied to
+the initramfs by the initramfs cryptgnupg hook. If you don't want this, you
+should take a look at the initramfs cryptgnupg hook, which is located at
+`/usr/share/initramfs-tools/hooks/cryptgnupg`.
+
+ -- Jonas Meurer <jonas@freesources.org> Thu, 04 Mar 2010 17:31:40 +0100
+
+ -- Guilhem Moulin <guilhem@guilhem.org> Sat, 17 Sep 2016 16:14:41 +0200
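Review bot: the crypttab example on the `cdev1` line enables `discard` without saying what it does; TRIM passthrough lets the underlying device see which blocks of the encrypted volume are unused, so the README should either explain that trade-off or show the option as optional (e.g. `luks,keyscript=decrypt_gnupg` with `discard` mentioned separately). Two smaller points: "formated" in "Next the LUKS device needs to be formated" should read "formatted", and `--secret-keyring /dev/null` in the `gpg --symmetric` invocation is an obsolete option that GnuPG 2.1 and later ignores (secret keys are held by gpg-agent), so it could be dropped or marked as legacy; `--no-default-keyring --keyring /dev/null` already keeps the public keyring out of the picture. The "If you don't want this" paragraph about the cryptgnupg hook copying the encrypted key into the initramfs points readers at the hook source but does not say what to change; one sentence on how to opt out would make it actionable.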