#!/bin/sh
# Pull in the shared crypt helpers (ask_for_password, getargbool, ...) unless
# the caller has already sourced them.
if ! command -v ask_for_password > /dev/null; then
  . /lib/dracut-crypt-lib.sh
fi
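# gpg_decrypt mnt_point keypath keydev device
#
# Decrypts a symmetrically encrypted (password or OpenPGP smartcard) key file
# to standard output.
#
# mnt_point - mount point where <keydev> is already mounted
# keypath - GPG encrypted key path relative to <mnt_point>
# keydev - device on which key resides; only to display in prompt
# device - device to be opened by cryptsetup; only to display in prompt
#
# Globals: creates and removes /tmp/gnupg; imports /root/crypt-public-key*.gpg
#          when present; consults "getargbool 1 rd.luks.smartcard".
# Outputs: whatever the gpg --decrypt run by ask_for_password writes to stdout.
# Returns: the exit status of ask_for_password (cleanup always runs first).
gpg_decrypt() {
  local mntp="$1"
  local keypath="$2"
  local keydev="$3"
  local device="$4"
  # Fixed, private (0700) directory; the initramfs is single-user and the
  # directory is removed again before this function returns.
  local gpghome=/tmp/gnupg
  # --passphrase-fd 0: the passphrase/PIN is read from stdin of the --cmd that
  # ask_for_password runs.  --logger-file /dev/null discards gpg's log output.
  # NOTE(review): --no-mdc-warning only silences a warning; recent GnuPG
  # releases reject data without an MDC regardless of it.
  local opts="--homedir $gpghome --no-mdc-warning --skip-verify --quiet"
  opts="$opts --logger-file /dev/null --batch --no-tty --passphrase-fd 0"
  local useSmartcard="0"
  local gpgVersionLine
  local gpgMajorVersion
  local gpgMinorVersion
  local smartcardSerialNumber
  local keyfile="$mntp/$keypath"
  local cmd
  local file
  local rv
  # Explicitly reset: in dash a bare "local" inherits the outer value, and the
  # prompt must not carry over from a previous (smartcard) call.
  local inputPrompt
  inputPrompt=""
  mkdir -m 0700 -p "$gpghome"
  # Setup GnuPG home and gpg-agent for usage of OpenPGP smartcard.
  # This requires GnuPG >= 2.1, as it uses the new ,,pinentry-mode''
  # feature, which - when set to ,,loopback'' - allows us to pipe
  # the smartcard's pin to GnuPG (instead of using a normal pinentry
  # program needed with GnuPG < 2.1), making for uncomplicated
  # integration with the existing codebase.
  #
  # Parse "gpg (GnuPG) X.Y.Z" once; missing components default to 0 so the
  # numeric tests below never see an empty string.
  gpgVersionLine="$(gpg --version | sed -n 1p)"
  gpgMajorVersion="$(printf '%s\n' "$gpgVersionLine" | sed -n -r -e 's|.* ([0-9]*).*|\1|p')"
  gpgMinorVersion="$(printf '%s\n' "$gpgVersionLine" | sed -n -r -e 's|.* [0-9]*\.([0-9]*).*|\1|p')"
  gpgMajorVersion="${gpgMajorVersion:-0}"
  gpgMinorVersion="${gpgMinorVersion:-0}"
  # "major > 2, or major == 2 and minor >= 1": the former "major >= 2 && minor
  # >= 1" test would have rejected a hypothetical 3.0.
  if { [ "$gpgMajorVersion" -gt 2 ] \
      || { [ "$gpgMajorVersion" -eq 2 ] && [ "$gpgMinorVersion" -ge 1 ]; }; } \
    && ls /root/crypt-public-key*.gpg > /dev/null 2>&1 \
    && getargbool 1 rd.luks.smartcard; then
    useSmartcard="1"
    printf '%s\n' "allow-loopback-pinentry" >> "$gpghome/gpg-agent.conf"
    GNUPGHOME="$gpghome" gpg-agent --quiet --daemon
    for file in /root/crypt-public-key*.gpg; do
      GNUPGHOME="$gpghome" gpg --quiet --no-tty --import < "$file"
    done
    # Let the agent learn the card before reading its serial number.
    GNUPGHOME="$gpghome" gpg-connect-agent 1> /dev/null learn /bye
    smartcardSerialNumber="$(GNUPGHOME="$gpghome" gpg --no-tty --card-status \
      | sed -n -r -e 's|Serial number.*: ([0-9]*)|\1|p' | tr -d '\n')"
    if [ -n "$smartcardSerialNumber" ]; then
      inputPrompt="PIN (OpenPGP card $smartcardSerialNumber)"
    fi
    opts="$opts --pinentry-mode=loopback"
    # The --cmd string is evaluated by a shell (this variant relies on ';' and
    # redirections), so the key path is double-quoted inside it to survive
    # spaces; paths containing '"' or '$' are still not supported.
    cmd="GNUPGHOME=$gpghome gpg --card-status --no-tty > /dev/null 2>&1; gpg $opts --decrypt \"$keyfile\""
  else
    cmd="gpg $opts --decrypt \"$keyfile\""
  fi
  ask_for_password \
    --cmd "$cmd" \
    --prompt "${inputPrompt:-Password ($keypath on $keydev for $device)}" \
    --tries 3 --tty-echo-off
  rv=$?
  # Clean up the smartcard gpg-agent
  if [ "$useSmartcard" = "1" ]; then
    GNUPGHOME="$gpghome" gpg-connect-agent 1> /dev/null killagent /bye
  fi
  rm -rf -- "$gpghome"
  return "$rv"
}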