new module - 91crypt-gpg

It's an extension to 90crypt module.  Adds support for GPG-encrypted
keys (symmetrically, of course).  Module is optional.

modules.d/91crypt-gpg/crypt-gpg-lib.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=4 sw=4 sts=0 et filetype=sh
+
+command -v ask_for_password >/dev/null || . /lib/dracut-crypt-lib.sh
+
+# gpg_decrypt mnt_point keypath keydev device
+#
+# Decrypts encrypted symmetrically key to standard output.
+#
+# mnt_point - mount point where <keydev> is already mounted
+# keypath - GPG encrypted key path relative to <mnt_point>
+# keydev - device on which key resides; only to display in prompt
+# device - device to be opened by cryptsetup; only to display in prompt
+gpg_decrypt() {
+    local mntp="$1"
+    local keypath="$2"
+    local keydev="$3"
+    local device="$4"
+
+    local gpghome=/tmp/gnupg
+    local opts="--homedir $gpghome --no-mdc-warning --skip-verify --quiet"
+    opts="$opts --logger-file /dev/null --batch --no-tty --passphrase-fd 0"
+
+    mkdir -m 0700 -p "$gpghome"
+
+    ask_for_password \
+        --cmd "gpg $opts --decrypt $mntp/$keypath" \
+        --prompt "Password ($keypath on $keydev for $device)" \
+        --tries 3 --tty-echo-off
+
+    rm -rf -- "$gpghome"
+}

modules.d/91crypt-gpg/module-setup.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# GPG support is optional
+check() {
+    type -P gpg >/dev/null || return 1
+
+    return 255
+}
+
+depends() {
+    echo crypt
+}
+
+install() {
+    dracut_install gpg
+    inst "$moddir/crypt-gpg-lib.sh" "/lib/dracut-crypt-gpg-lib.sh"
+}