Can AddKey not use stdin for the new key?

[Chris X Edwards <chris@xed.ch>]

Hi,

I'm looking for some clarification into why what I'm attempting does
not work.

What I'd like to do is have a large number of (e.g. regular backup)
drives all encrypted with the same key; I don't want to type a
password every time I connect one so it would be great if I could have
some kind of SSH-like agent. I believe GPG has such a thing. So...

I create an encrypted secret that I only have to unlock once:

    dd if=/dev/urandom bs=512 count=1 | gpg --symmetric --output drivekey.gpg

Now I'd like to add that to a LUKS keyslot so that the following
works.

    gpg --decrypt drivekey.gpg | cryptsetup luksOpen --key-file=- /dev/sdb backup

When I add the key like this, it (this luksAddKey command and the
previous luksOpen) does all work.

    gpg --decrypt drivekey.gpg > INSECUREdrivekey
    cryptsetup luksAddKey /dev/sdb  --new-keyfile INSECUREdrivekey --new-key-slot 1
    rm INSECUREdrivekey

This asks for a passphrase for one of the existing slots as I'd
expect. However, I'd like to avoid that insecure part with something
like this.

    gpg --decrypt drivekey.gpg | cryptsetup luksAddKey /dev/sdb --new-keyfile - --new-key-slot 1

This does not work. I was hoping it would still ask for a passphrase
of an existing slot. But it just complains of "No key available with
this passphrase."

What's also interesting is that _removing_ the key works exactly how I
think it should.

    gpg --decrypt drivekey.gpg | cryptsetup luksRemoveKey /dev/sdb -

Am I misunderstanding the syntax? Is there a way to have the
`luksAddKey` command accept the new key on stdin while verifying that
it can be added by typing a passphrase? Maybe manual passphrase and
stdin mixing is too confusing. Obviously I can work around it but I'm
now curious.

Thanks!

-- 
++++++++++[>++++++++++++<-]>-...<++++++[>>+++++++<<-]>>++++.<+.<++++[>
Chris X Edwards-----<-]>+.- Have a nice day. >.<-.+++++><chris@xed.ch>