On 04/03/15 06:33 PM, Robert Nichols wrote:
On 03/04/2015 03:16 PM, Digimer wrote:
Hi all,
I created a LUKS encrypted partition via a udev-triggered script on 6.6 using --key-file /tmp/foo. This worked fine, and I can decrypt the LUKS partition via script and manually using --key-file with luksOpen.
The odd problem is that I can't decrypt the partition using the prompt. If I manually create a file with the passphrase in it and then point to it with --key-file, it decrypts fine. I used 'cat -A /tmp/foo' to verify that there was no '\n' at the end of the phrase.
Is this expected behaviour? That is, if you create an encrypted partition using --key-file, you always decrypt with the same? If so, I can't understand the logic... If not, then I am not sure what I am doing wrong.
Try again including "--hash plain" on the command line. When the key is read from a keyfile, no hash is used and the key is simply truncated to the correct length (too short is an error). A key read from the terminal or from stdin is hashed, then truncated or padded to the proper length.
See "NOTES ON PASSWORD PROCESSING" in the cryptsetup manpage. Presumably, if you stored the hashed key phrase in the keyfile (DAMHTDT) it would work from the terminal without "--hash -plain".
Reviving a very old thread...
I tried this (cryptsetup --hash plain luksOpen /dev/sdb1 sdb1) but it fails to recognize the passphrase at the command line still. When I tried to use '--hash plain' on luksFormat, I get:
[root@dashboard1 ~]# echo YES | cryptsetup --hash plain luksFormat /dev/sdb1 /tmp/password
Requested LUKS hash plain is not supported.
I suspect I'm misunderstanding something. I've read "NOTES ON PASSWORD PROCESSING" and as best I can figure, the root of the problem is the padding. I'm not so strong on security, so when I look at /proc/crypto, I get lost.
Is there a "for dummies" document that I could look at to do what it is I am trying to do? That is, create the encrypted device from a script (which is why I am using --key-file) and then decrypt it later with normal STDIN via cryptsetup luksOpen?
Thanks!
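Added example, not part of the thread: a pre-flight check a provisioning script could run on a key file before passing it to luksFormat --key-file, when the same secret must later be typed at the luksOpen prompt. It assumes the behaviour described in the cryptsetup man page's notes on passphrase processing for LUKS (a key file is read in full, newline included, while terminal input stops at the first newline, which is dropped); keyfile_verdict is a hypothetical helper name and the sample passphrase is constructed.

```shell
#!/bin/sh
# Classify a cryptsetup key file by whether its exact bytes can be
# reproduced at the interactive passphrase prompt.
# keyfile_verdict is a hypothetical helper, not a cryptsetup command.

keyfile_verdict() {
    f=$1
    [ -s "$f" ] || { echo "empty"; return 1; }
    # Number of newline bytes anywhere in the file.
    newlines=$(LC_ALL=C tr -cd '\n' < "$f" | wc -c | tr -d ' ')
    # Bytes that are neither printable ASCII nor newline (CR, NUL, tab, 8-bit).
    other=$(LC_ALL=C tr -d '[:print:]\n' < "$f" | wc -c | tr -d ' ')
    # Hex value of the final byte.
    last=$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')

    if [ "$newlines" -eq 1 ] && [ "$last" = "0a" ]; then
        # The key file includes the newline; a typed passphrase would not.
        echo "trailing-newline"; return 1
    elif [ "$newlines" -gt 0 ]; then
        # The prompt stops reading at the first newline.
        echo "embedded-newline"; return 1
    elif [ "$other" -gt 0 ]; then
        # Hard to reproduce reliably from a keyboard.
        echo "non-printable"; return 1
    fi
    echo "typeable"
}

# Constructed sample: the same passphrase written two ways.
d=$(mktemp -d)
printf '%s' 'correct horse' > "$d/printf.key"   # no newline written
echo 'correct horse' > "$d/echo.key"            # echo appends a newline
for k in "$d"/*.key; do
    printf '%s: %s\n' "${k##*/}" "$(keyfile_verdict "$k")"
done
rm -rf "$d"
```

The function returns non-zero for anything other than "typeable", so a script can refuse to format the device with a key file that cannot be entered by hand.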