initramfs - gpg decryption failed invalid IPC response

D

Hi there,


I've been using an OpenPGP smartcard to decrypt a keyfile to my drive partition with gpg.

This worked until it broke after a system upgrade some time around November 2017 (I do not have the pacman pkg cache from that time).


> uname -a

    Linux username 4.14.15-1-ARCH #1 SMP PREEMPT Tue Jan 23 21:49:25 UTC 2018 x86_64 GNU/Linux


> gpg --version

    gpg (GnuPG) 2.2.4
    libgcrypt 1.8.2


THE PROBLEM:

> gpg --homedir "/etc/initcpio/gpg" -o "/keyfile.bin" --decrypt "${key_file}"


The command above, which is run inside a custom initcpio hook, fails with status code 2

and prints:

    gpg: encrypted with <bit-length> RSA key, ID <key id>. created <date> <owner name + email>
    gpg: public key decryption failed: Invalid IPC response
    gpg: decryption failed: No secret key


Interestingly enough, when I break into a shell with the `break=premount` kernel parameter and attempt to decrypt the keyfile by manually invoking the same set of commands, everything works. However, `break=premount` gets triggered after the hook is run, which might be why it works by that point.

The custom initcpio hook is available here:
https://github.com/fogine/initramfs-scencrypt

Particularly this line:

https://github.com/fogine/initramfs-scencrypt/blob/master/scencrypt-hook#L49


Note that before the decryption command, I run `gpg --card-status` which successfully detects the smartcard and populates subkey secret stub.


These are hooks run at boot time (/etc/mkinitcpio.conf):

HOOKS="base udev autodetect modconf block filesystems keyboard fsck scencrypt"

"scencrypt" being my custom hook.

I do not load any MODULES="" (in /etc/mkinitcpio.conf) before the hooks are run.


I struggle with debugging this issue; does anybody have an idea how I could proceed further?

Thank you.



_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: initramfs - gpg decryption failed invalid IPC response

Werner Koch
On Wed, 31 Jan 2018 22:25, [hidden email] said:

>     gpg (GnuPG) 2.2.4
>     libgcrypt 1.8.2
> And prints:
>
>    gpg: encrypted with <bit-length> RSA key, ID <key id>. created
>    <date> <owner name + email>
>
>    gpg: public key decryption failed: Invalid IPC response
>
>    gpg: decryption failed: No secret key
Can you please add

  --verbose --debug=ipc

to the gpg invocation?  This will show the IPC and thus the invalid IPC
response.


Salam-Shalom,

   Werner

--
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

Re: initramfs - gpg decryption failed invalid IPC response

D

Thank you for getting back to me. I have added the options to the decryption command.

It reports that it fails on invoking `pinentry` utility.

I attached an image with the full log if interested.


The pinentry-tty binary and gpg-agent.conf files are added to the initramfs image here:

https://github.com/fogine/initramfs-scencrypt/blob/master/scencrypt-install#L22-L28


Has anything changed so that I'd need to set GPG_TTY to a specific value?

Currently I do not set the variable as I don't think I have access to the tty at that point.

I also tried to run `pinentry-tty -d` in the hook immediately before the gpg decryption command is executed: pinentry successfully started listening on STDIN, and I could use the `GETPIN` command, which would ask for a PIN and dump it out. No error or debug messages were printed.

Any ideas?


On 02/28/2018 03:06 PM, Werner Koch wrote:
> Can you please add
>
>   --verbose --debug=ipc
>
> to the gpg invocation?  This will show the IPC and thus the invalid IPC
> response.



Attachment: bootlog_gpg.jpg (492K)
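An added example, not code from the scencrypt hook or from anyone in this thread: a decrypt step for an initcpio-style hook that exports a usable GPG_TTY, bakes in the `--verbose --debug=ipc` pair suggested above, keeps the IPC log for inspection after boot, and maps the two stderr lines quoted in the first post to a next step. The paths /etc/initcpio/gpg, /keyfile.bin and /run/gpg-ipc.log, and the use of gpg-connect-agent's `updatestartuptty` to hand the agent a tty, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the scencrypt hook's own code. Assumed: GPG home /etc/initcpio/gpg,
# plaintext written to /keyfile.bin, diagnostics kept in /run/gpg-ipc.log, and
# gpg-agent's UPDATESTARTUPTTY command (via gpg-connect-agent) used to pass it a tty.

# Pick a tty for pinentry. Inside the initramfs `tty` normally fails ("not a tty"),
# so fall back to the console device rather than leaving GPG_TTY unset.
resolve_gpg_tty() {
    t=$(tty 2>/dev/null) || t=""
    if [ -n "$t" ] && [ -c "$t" ]; then
        printf '%s\n' "$t"
    else
        printf '%s\n' /dev/console
    fi
}

# Turn gpg's stderr into a next step. The patterns are the two lines quoted in the
# thread; the IPC line is checked first because "No secret key" is only its consequence.
classify_gpg_failure() {
    case "$1" in
        *"Invalid IPC response"*)
            echo "agent-ipc: gpg could not talk to gpg-agent/pinentry; check pinentry-program in gpg-agent.conf and GPG_TTY" ;;
        *"No secret key"*)
            echo "no-stub: no secret-key stub for the card; run 'gpg --card-status' first" ;;
        *)
            echo "unknown" ;;
    esac
}

# The hook's decrypt step: export GPG_TTY, tell the agent about it, refresh the card
# stub, then decrypt with IPC debugging captured so the log survives into the booted system.
run_hook_decrypt() {
    key_file=$1
    GPG_TTY=$(resolve_gpg_tty); export GPG_TTY
    gpg --homedir /etc/initcpio/gpg --card-status >/dev/null 2>&1 || return 2
    gpg-connect-agent --homedir /etc/initcpio/gpg updatestartuptty /bye >/dev/null 2>&1 || true
    if err=$(gpg --homedir /etc/initcpio/gpg --verbose --debug=ipc \
                 -o /keyfile.bin --decrypt "$key_file" 2>&1 >/dev/null); then
        return 0
    fi
    printf '%s\n' "$err" > /run/gpg-ipc.log
    classify_gpg_failure "$err" >&2
    return 2
}

# Only run the decrypt step when invoked as `hook.sh --run <keyfile>`.
if [ "${1:-}" = "--run" ]; then
    run_hook_decrypt "$2"
fi
```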