1 #!/bin/sh
# Pull in the shared crypt helpers only when ask_for_password is not
# already available in the current shell (i.e. the library has not been
# sourced yet).
if ! command -v ask_for_password >/dev/null; then
    . /lib/dracut-crypt-lib.sh
fi
5 # gpg_decrypt mnt_point keypath keydev device
7 # Decrypts a symmetrically encrypted key to standard output.
9 # mnt_point - mount point where <keydev> is already mounted
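10 # keypath - path of the GPG-encrypted key, relative to <mnt_point>; <mnt_point>/<keypath> is placed unquoted into the gpg command string, so a path containing whitespace will not reach gpg intact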
11 # keydev - device on which key resides; only to display in prompt
12 # device - device to be opened by cryptsetup; only to display in prompt
13 gpg_decrypt() {
14 local mntp="$1"
15 local keypath="$2"
16 local keydev="$3"
17 local device="$4"
19 local gpghome=/tmp/gnupg
20 local opts="--homedir $gpghome --no-mdc-warning --skip-verify --quiet"
21 opts="$opts --logger-file /dev/null --batch --no-tty --passphrase-fd 0"
23 mkdir -m 0700 -p "$gpghome"
25 ask_for_password \
26 --cmd "gpg $opts --decrypt $mntp/$keypath" \
27 --prompt "Password ($keypath on $keydev for $device)" \
28 --tries 3 --tty-echo-off
30 rm -rf -- "$gpghome"