From owner-freebsd-questions@freebsd.org Wed May 17 10:38:35 2017 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 806ECD6FD88 for ; Wed, 17 May 2017 10:38:35 +0000 (UTC) (envelope-from guru@unixarea.de) Received: from ms-10.1blu.de (ms-10.1blu.de [178.254.4.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 47017187 for ; Wed, 17 May 2017 10:38:34 +0000 (UTC) (envelope-from guru@unixarea.de) Received: from [89.204.130.180] (helo=localhost.unixarea.de) by ms-10.1blu.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.86_2) (envelope-from ) id 1dAwLe-0002kK-P9 for freebsd-questions@freebsd.org; Wed, 17 May 2017 12:38:31 +0200 Received: from localhost.my.domain (localhost [127.0.0.1]) by localhost.unixarea.de (8.15.2/8.14.9) with ESMTPS id v4HAcSAe024596 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Wed, 17 May 2017 12:38:28 +0200 (CEST) (envelope-from guru@unixarea.de) Received: (from guru@localhost) by localhost.my.domain (8.15.2/8.14.9/Submit) id v4HAcMDZ024562 for freebsd-questions@freebsd.org; Wed, 17 May 2017 12:38:22 +0200 (CEST) (envelope-from guru@unixarea.de) X-Authentication-Warning: localhost.my.domain: guru set sender to guru@unixarea.de using -f Date: Wed, 17 May 2017 12:38:22 +0200 From: Matthias Apitz To: freebsd-questions@freebsd.org Subject: GnuPG smart card && geli Message-ID: <20170517103822.GB16462@c720-r314251> Reply-To: Matthias Apitz Mail-Followup-To: Matthias Apitz , freebsd-questions@freebsd.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="RASg3xLB4tUQ4RcS" Content-Disposition: inline X-Operating-System: FreeBSD 12.0-CURRENT r314251 (amd64) User-Agent: Mutt/1.8.0 (2017-02-23) X-Con-Id: 51246 X-Con-U: 0-guru X-Originating-IP: 89.204.130.180 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 May 2017 10:38:35 -0000 --RASg3xLB4tUQ4RcS Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hello, I'm using gpg2 (from the ports) which supports a so called GnuPG smart card, i.e. the private key is stored in some CCID SIM (the card, which sits in a small USB stick) and access to the private gpg key is secured by a PIN entry, not a passphrase. This works fine and is very secure for using gpg on many hosts because you do not have to pollute all these hosts with your secret key material which could be copied (i.e. stolen) by anyone, for example even IP personal, having priv access to your workspace(s)). gpg2 brings a gpg-agent, to which gpg2 commands communicate, for example 'gpg2 --card-status' and which in turn connects to the daemon /usr/local/sbin/pcscd (as well in ports) which has the communication to special GnuPG-card. All you need is the PIN defined for the card. I use the HID Global OMNIKEY 6121 Smart Card Reader and the GnuPG-card produced here in Germany. On the other hand, the gpg-agent can also substitute the ssh-agent as a dro= pin. One exports the ssh public key for the remote ~/.ssh/authorized_keys with: $ gpg2 --export-ssh-key ID > ssh.pub kills the (old) 'ssh-agent' and starts a 'gpg-agent': $ ssh-agent -k $ gpg2 --card-status (the latter launches as well the gpg-agent) $ unset SSH_AGENT_PID $ unset SSH_AUTH_SOCK $ if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then export SSH_= AUTH_SOCK=3D"$(gpgconf --list-dirs agent-ssh-socket)"; fi $ env | grep SSH SSH_AUTH_SOCK=3D/home/guru/.gnupg-ccid/S.gpg-agent.ssh Now 'ssh-add -l' will contact not the 'ssh-agent', but the 'gpg-agent': $ ssh-add -l 4096 SHA256:lo2xgyFAnSXz6HNMELNZogJEfyj7XEKZiHIHg+e1DFw cardno:00050000532B= (RSA) and on first access to the key with $ ssh id@remote-server the secret key is needed and 'gpg-agent' uses /usr/local/bin/pinentry or /usr/local/bin/pinentry-qt5 to request the PIN. Further ssh commands find the card already unlocked (until disconnect of the USB stick) and no PIN is needed anymore. So far so good and the same works this way for signing e-mails, etc. What I now want to get is using this too while booting the system which has the root and user partition geli(8) crypted. I.e. boot a mini system =66rom some un-encrypted USB stick which has only /boot, /etc/fstab and enough files to make gpg2, gpg-agent and /usr/local/sbin/pcscd working, including shared libs needed by these. On a very early stage the gpg2 decrypts the keyfile for geli(8) which was encrypted by gpg2 using the public key of the card. Than the rest of the partitions are attached with 'geli attach' using on STDIN the keyfile decrypted on the flight with gpg2. So the unencrypted keyfile is never stored onto the USB boot key. This would lead to a system (netbook) which never can be booted or otherwise data read from and you can only boot it with the USB boot key, the USB GnuPG-card and the PIN (normally 6 digits). Any comments on this? matthias --=20 Matthias Apitz, =E2=9C=89 guru@unixarea.de, =E2=8C=82 http://www.unixarea.d= e/ =E2=98=8E +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub 8. Mai 1945: Wer nicht feiert hat den Krieg verloren. 8 de mayo de 1945: Quien no festeja perdi=C3=B3 la Guerra. May 8, 1945: Who does not celebrate lost the War. --RASg3xLB4tUQ4RcS Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEXmn7rBYYViyzy/vBR8z35Hb+nREFAlkcKBYACgkQR8z35Hb+ nRHN1BAAjlH0/cYH1XtY1mfKHgmyKiJTqi9+Sl4eh1Gee6hD965jnnL77wDPzxFz 7aYHsRrsqM5c5zH8ZU5SosjhOuZzzOWEBImRjXEfvkbhuC0cGS5h9TvUSWNK70rQ A5UOHX1ullyKc1UAHPub+IUNJ07STB2nM4XDrVxTUqeeKaiwFbTqUnu3W4CoT6OL p2H17bhx9iLWivOiyv3DNnQmCi8vYt0uDcG8fuUyEtbkUwbpPCjBk0UU8eHRBEIc PBDHNC8us1c/uOMpmChdw68lWuE3istW6SOUUy4axO2x1skrFSq3CfACU/DQLoY+ S6EubCJSxDXl4kb/OjD34PKpH/ZEk6yuyg4kvqSA+EoFN79YM4DVUfPKi+u4ICX5 6WGl1DtQzkKxyxNDNMC3OA1v1U9q50/SACqxuXQjiE8psicCGfYwz+fjcibIW1bQ LGPWjcKAcTSM3bOeBom7FIYBzFVCd3KpNVyaEMZIbRWJNAr2kDPgiWrxLNJeRCxO r19hiLIQzfeUaSeWzD9xFtE5uYcmcOoe9WrJo+Z+s37UBtTrQfZocjwli0n8WeR7 E3H6LMjhLpfiBA7X68VCK7XlvFF8a/0h96EL5FhP01glpZHB92/iv2IBgGyi+HMN ks49jUHdwVIC2sm6TD/9tXRR6BmQNbywmA48HXGVNGUqfspkGdI= =Vkvt -----END PGP SIGNATURE----- --RASg3xLB4tUQ4RcS--