Closed mjpier closed 8 months ago
Good afternoon. I installed gentoo with FDE using Yubikey GPG, and generated the initramfs without problems, but at system startup time, it gives me a message that says:
gpg: error running /usr/libexec/keyboxd: probably not installed
Also when inspecting the generated initramfs I realized that the crypt_key.gpg file has not been added even though I have added it as a dependency in the config.toml:
key_file = "/boot/crypt_key.luks.gpg"
Well in the end I was able to correct it by manually adding the keyboxd in usr/libexec/ and the crypt_key.luks.gpg in boot/
Would there be a way for these files to be added when generating the initramfs?
This should be automatically added when using `ugrd.crypto.smartcard` and `sc_public_key`.
I think the issue may be that you're copying it to the boot folder. If you mount something over this folder, the key will be under that mount.
I keep my public key in /etc/ugrd/ and it creates that dir within the initramfs so I don't need to keep the public key on another device.
If you run ugrd with `--build-logging` you should see something like:
INFO | Copying '/etc/ugrd/pubkey.gpg' to '/tmp/initramfs/etc/ugrd/pubkey.gpg'
The public key is copied, what is not copied is the key_file. I have it configured like this:
key_file = "/boot/crypt_key.luks.gpg"
but it is not added to the initramfs.
My bad, I misunderstood your question. The key file is intentionally not copied into the initramfs, to encourage you to keep the key file outside of the initramfs.
You can add the key file as a "dependency" definition and that should force it to copy into the initramfs.
I may make a "copy_key" option or something under cryptsetup definitions, but it can be done manually setting a dependency.
If you have the key file on `/boot` which is a mountpoint, it may make more sense to define this as a mountpoint in your config, so it's just read when it boots. That's what I do.
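The two approaches from this reply side by side in one config.toml, as an added example that is not from the ugrd project or from anyone in this thread; `sc_public_key` and `key_file` are the keys named above, while `modules`, `cryptsetup`, `key_type`, `mounts` and `dependencies` are assumed from ugrd's documented config layout and the UUIDs are placeholders.

```toml
# Added example, not ugrd's own config. Keys other than sc_public_key and
# key_file are assumed from ugrd's documentation; check them against your version.
modules = [ "ugrd.crypto.smartcard" ]   # pulls gpg and scdaemon into the image

# The public key sits in /etc/ugrd, a directory ugrd copies into the initramfs,
# so it does not have to live on /boot or another device.
sc_public_key = "/etc/ugrd/pubkey.gpg"

# Option B: force the (GPG-encrypted) key file into the initramfs image.
# ugrd skips key_file on purpose, so it must be listed as a plain dependency.
# Top-level key: keep it above the tables below. Uncomment to use instead of
# the [mounts.boot] table.
# dependencies = [ "/boot/crypt_key.luks.gpg" ]

[cryptsetup.root]
uuid = "LUKS-UUID-PLACEHOLDER"          # placeholder, use your LUKS volume UUID
key_type = "gpg"                        # assumed: key file is decrypted via gpg/Yubikey
key_file = "/boot/crypt_key.luks.gpg"   # read at boot, not copied at build time

# Option A (the maintainer's setup): mount /boot inside the initramfs and read
# the key file from the real filesystem, so it stays outside the image.
[mounts.boot]
type = "vfat"                           # assumed: filesystem type of your /boot
destination = "/boot"
uuid = "BOOT-FS-UUID-PLACEHOLDER"       # placeholder, use your /boot filesystem UUID
```

With Option A, a `--build-logging` run will still show no copy line for the key file; that is expected, since it is mounted rather than embedded.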
I understand. I followed the gentoo full disk encryption guide. It must be that I didn't understand it well. I'm going to re-read the documentation. And regarding the keyboxd error, could you add it as default in ugrd just like scdaemon?
And sorry for the inconvenience, if you use Yubikey GPG, is there a way you could share your config.toml with me?
I'm not sure what to do about that keyboxd error, because I cannot replicate it. I don't even have /usr/libexec/keyboxd with gpg (GnuPG) 2.2.41 USE="bzip2 nls readline smartcard ssl usb -doc -ldap (-selinux) -test -tofu -tools -user-socket -verify-sig -wks-server"
https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch#Key_File_Creation
The key file would be created around here, /media/sda2 may be your /boot and if you have it on that volume, and have the boot mount defined, it should read it at runtime.
This config shows a mount being made for /boot:
https://github.com/desultory/ugrd/blob/main/examples/yubikey.toml
It must be due to the gnupg version. I have gnupg version 2.4.3, and it happens that it is now asking for keyboxd by default.
Here is the information about it: https://github.com/gpg/gnupg/blob/master/README
Thanks for the help.
Could you test using the stable gpg version in the gentoo repos?
I may be able to test against the testing version later, but I believe this should work with the stable version since it does not use that component.
If you want to use that new version, you can try editing the gpg module or smartcard module, whichever requires that component, and you can add that binary path. I believe there is a similar entry for scdaemon.
I will try both options. Thanks again for the help.
You're welcome, feel free to let me know if you have any other issues or if this is resolved.
Fixed.
Excellent. Thank you very much for your work.