On 23/09/2018 13:32, Peter Lebbing wrote:
> How about copying the whole homedir without random_seed, but first
> checking to make sure there are only smartcard keys as private keys?
Oh dear, this might not be enough. The agent can also hold non-OpenPGP keys. SSH keys are an example of what I'm actually using myself.

This might need some more thought... I'm not really happy with the "wait for a random smartcard to be available and import that as stubs" solution, but copying the whole homedir might need some more tuning as well... Or we just accept that people who put data in a directory named cryptsetup-initramfs should expect that this data ends up in their initramfs, and limit our safety checks. We can still document it, obviously, with a clearly phrased warning that although the key itself is encrypted, nothing else is.

Anyway, Guilhem, thanks for working on this!

Cheers,
Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
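The two concerns raised in this thread (private key material that is not a smartcard stub, and non-OpenPGP keys such as SSH keys that gpg-agent holds in the same homedir) can both be checked mechanically before anything is copied. The script below is an added example written for this post; it is not code from the thread or from cryptsetup-initramfs. It relies on the documented `gpg --with-colons` record layout (field 15 of `sec`/`ssb` records carries the token serial number for a card stub, `#` for a missing-key stub, and is empty when the secret key itself is on disk; `grp` records, field 10, give the keygrip when `--with-keygrip` is passed) and on gpg-agent's `private-keys-v1.d/<keygrip>.key` storage. The homedir path and all key IDs, serial numbers and keygrips used for testing are constructed placeholders.

```shell
#!/bin/sh
# Added example; not code from the thread or from cryptsetup-initramfs.
# Audits a GnuPG homedir before it is copied into an initramfs.
# HOMEDIR is a placeholder path; listings used for testing are constructed.

# Check 1: every OpenPGP secret (sub)key must be a smartcard stub.
# Input on stdin is the output of `gpg --with-colons -K`. In sec/ssb
# records field 15 holds the token serial number for a card stub and "#"
# for a missing-key stub; it is empty when the secret key material itself
# is stored in the homedir, which is what must not reach the initramfs.
# Prints the key ID of every such on-disk key; exit status 1 if any exist.
only_card_stubs() {
  awk -F: '
    ($1 == "sec" || $1 == "ssb") && $15 == "" { print $5; bad = 1 }
    END { exit bad + 0 }'
}

# Check 2: keys that gpg-agent holds but gpg does not list.
# gpg-agent stores every private key, OpenPGP or not, as
# private-keys-v1.d/<keygrip>.key; SSH keys registered with ssh-add end up
# there too. The first argument is a file holding the output of
# `gpg --with-colons --with-keygrip -K`; its grp records (field 10) name
# the OpenPGP keygrips. Every key file whose grip is not matched is printed.
unlisted_private_keys() {
  listing=$1
  homedir=$2
  for f in "$homedir"/private-keys-v1.d/*.key; do
    [ -e "$f" ] || continue
    grip=$(basename "$f" .key)
    if ! awk -F: -v g="$grip" \
         '$1 == "grp" && $10 == g { found = 1 } END { exit !found }' \
         "$listing"; then
      echo "$grip"
    fi
  done
}

# Driver for a real homedir (needs gpg installed; not exercised offline).
# Returns 0 only when both checks pass, so a build step can abort on failure.
audit_homedir() {
  homedir=$1
  listing=$(mktemp)
  gpg --homedir "$homedir" --with-colons --with-keygrip -K > "$listing" 2>/dev/null
  status=0
  if ! ondisk=$(only_card_stubs < "$listing"); then
    echo "secret key material on disk for: $ondisk" >&2
    status=1
  fi
  extra=$(unlisted_private_keys "$listing" "$homedir")
  if [ -n "$extra" ]; then
    echo "non-OpenPGP private keys in private-keys-v1.d: $extra" >&2
    status=1
  fi
  rm -f "$listing"
  return $status
}
```

Usage would be `audit_homedir /path/to/homedir || exit 1` in the hook that assembles the initramfs. The keygrip comparison is what catches the SSH-key case from the thread: those keys never appear in `gpg -K`, so a check based on the OpenPGP listing alone would pass while the key file is still copied.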