Package: cryptsetup
Version: 2:2.6.1-5
New feature description

"/usr/lib/cryptsetup/scripts/decrypt_gnupg-sc" currently only supports one OpenPGP Key. Please add an option to support multiple OpenPGP Keys.

Further description

To enable this, an option would be to replace the current call of "decrypt_gpg" like in this patch:

--- /usr/lib/cryptsetup/scripts/decrypt_gnupg-sc 2023-04-21 00:54:29.000000000 +0200 +++ decrypt_gnupg-sc 2023-10-13 22:24:16.044055384 +0200 @@ -40,5 +40,10 @@ exit 1 fi -decrypt_gpg "$1" +key_email=$(run_gpg --batch --quiet --no-tty --card-status | sed -nE "s/.*<(.*)>.*/\1/p") +if [ -f "$1-${key_email}" ]; then + decrypt_gpg "$1-${key_email}" +else + decrypt_gpg "$1" +fi exit $?

Additionally, "/usr/share/initramfs-tools/hooks/cryptgnupg-sc" needs to be adapted to also include the available files for the individual OpenPGP Keys.

Based on the above code, an individual CRYPTTAB_KEY would have as suffix "-${key_email}". If the CRYPTTAB_KEY is "cryptkey.gpg", an individual one for firstname.lastn...@debian.org would be like "cryptkey.gpg-firstname.lastn...@debian.org".

With this adaptation, "decrypt_gnupg-sc" would try to use the individual CRYPTTAB_KEY first but fall back to the generic CRYPTTAB_KEY if it can't be found. If multiple individual CRYPTTAB_KEY are provided, it would pick the right one based on the e-mail address of the key.

Thx & Kind regards,
Christoph
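
Review bot: on the added `key_email=` line, the value is whatever the sed expression extracts from the `--card-status` output, and it is used unchecked in `"$1-${key_email}"`. The `-n ... p` form emits one result for every status line that contains a `<...>` pair, so the variable can be empty (the test then looks at `$1-`) or span several lines, and a value containing `/` would point the lookup at a different directory. I would check that `key_email` is non-empty, is a single line and contains no `/` before the `-f` test, and otherwise go straight to `decrypt_gpg "$1"`. Since the address is free-form text taken from the user ID, a fixed-format identifier of the key would make a more robust suffix.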