1 files changed, 8 insertions, 2 deletions

diff --git a/src/initrd/btrfs-create.sh b/src/initrd/btrfs-create.sh
index 3066331..c076b9e 100644
--- a/src/initrd/btrfs-create.sh
+++ b/src/initrd/btrfs-create.sh
@@ -224,12 +224,18 @@ open_samizdat_blockdev_from_loop()
 open_samizdat_blockdev()
 {
   local dev="$1" keyfile="$2"
+  local cryptname=samizdatcrypt decrypted_keyfile=/luks.secret
 
-  local cryptname=samizdatcrypt
   gpg2 --verify "$keyfile" || return
+
+  # TODO: we should be ensuring we can decrypt this secret key before even
+  # offering the option to boot the encrypted filesystem
+
   # The first --decrypt merely strips the signature.  The option is
   # poorly named for that case.
-  gpg2 --decrypt "$keyfile" | gpg2 --decrypt | cryptsetup --key-file - luksOpen "$dev" "$cryptname" || return
+  gpg2 --decrypt "$keyfile" | gpg2 --decrypt > "$decrypted_keyfile" || return
+
+  cryptsetup --key-file "$decrypted_keyfile" luksOpen "$dev" "$cryptname" || return
 
   [ -b /dev/mapper/"$cryptname" ] || return