Hi all,
I created a LUKS encrypted partition via a udev-triggered script on 6.6 using --key-file /tmp/foo. This worked fine, and I can decrypt the LUKS partition via script and manually using --key-file with luksOpen.
The odd problem is that I can't decrypt the partition using the prompt. If I manually create a file with the passphrase in it and then point to it with --key-file, it decrypts fine. I used 'cat -A /tmp/foo' to verify that there was no '\n' at the end of the phrase.
Is this expected behaviour? That is, if you create an encrypted partition using --key-file, must you always decrypt with the same? If so, I can't understand the logic... If not, then I am not sure what I am doing wrong.
Thanks for any insight!
digimer
-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without access to education?
On 03/04/2015 03:16 PM, Digimer wrote:
> Hi all,
> I created a LUKS encrypted partition via a udev-triggered script on 6.6 using --key-file /tmp/foo. This worked fine, and I can decrypt the LUKS partition via script and manually using --key-file with luksOpen.
> The odd problem is that I can't decrypt the partition using the prompt. If I manually create a file with the passphrase in it and then point to it with --key-file, it decrypts fine. I used 'cat -A /tmp/foo' to verify that there was no '\n' at the end of the phrase.
> Is this expected behaviour? That is, if you create an encrypted partition using --key-file, must you always decrypt with the same? If so, I can't understand the logic... If not, then I am not sure what I am doing wrong.
Try again including "--hash plain" on the command line. When the key is read from a keyfile, no hash is used and the key is simply truncated to the correct length (too short is an error). A key read from the terminal or from stdin is hashed, then truncated or padded to the proper length.
See "NOTES ON PASSWORD PROCESSING" in the cryptsetup manpage. Presumably, if you stored the hashed key phrase in the keyfile (DAMHTDT) it would work from the terminal without "--hash plain".
On 04/03/15 06:33 PM, Robert Nichols wrote:
> On 03/04/2015 03:16 PM, Digimer wrote:
>> Hi all,
>> I created a LUKS encrypted partition via a udev-triggered script on 6.6 using --key-file /tmp/foo. This worked fine, and I can decrypt the LUKS partition via script and manually using --key-file with luksOpen.
>> The odd problem is that I can't decrypt the partition using the prompt. If I manually create a file with the passphrase in it and then point to it with --key-file, it decrypts fine. I used 'cat -A /tmp/foo' to verify that there was no '\n' at the end of the phrase.
>> Is this expected behaviour? That is, if you create an encrypted partition using --key-file, must you always decrypt with the same? If so, I can't understand the logic... If not, then I am not sure what I am doing wrong.
> Try again including "--hash plain" on the command line. When the key is read from a keyfile, no hash is used and the key is simply truncated to the correct length (too short is an error). A key read from the terminal or from stdin is hashed, then truncated or padded to the proper length.
> See "NOTES ON PASSWORD PROCESSING" in the cryptsetup manpage. Presumably, if you stored the hashed key phrase in the keyfile (DAMHTDT) it would work from the terminal without "--hash plain".
Reviving a very old thread...
I tried this (cryptsetup --hash plain luksOpen /dev/sdb1 sdb1) but it fails to recognize the passphrase at the command line still. When I tried to use '--hash plain' on luksFormat, I get:
    [root@dashboard1 ~]# echo YES | cryptsetup --hash plain luksFormat /dev/sdb1 /tmp/password
    Requested LUKS hash plain is not supported.
I suspect I'm misunderstanding something. I've read "NOTES ON PASSWORD PROCESSING" and as best I can figure, the root of the problem is the padding. I'm not so strong on security, so when I look at /proc/crypto, I get lost.
Is there a "for dummies" document that I could look at to do what it is I am trying to do? That is, create the encrypted device from a script (which is why I am using --key-file) and then decrypt it later with normal STDIN via cryptsetup luksOpen?
Thanks!
On 09/14/2015 02:45 PM, Digimer wrote:
> I tried this (cryptsetup --hash plain luksOpen /dev/sdb1 sdb1) but it fails to recognize the passphrase at the command line still. When I tried to use '--hash plain' on luksFormat, I get:
I don't know why Robert suggested that you try that. It's wrong. You would only use that to provide a binary key to cryptsetup, not a passphrase as you're trying to do.
I can't replicate your problem. Using --key-file works correctly for me. You said that you used "cat -A" to verify that there's no newline in the key file. I'd suggest that "od -c" is a better test. cat doesn't even really need the -A to check for a newline; after printing a file to the terminal with cat, your prompt will appear on the same line as the file's content if the file has no newline (for most prompt definitions).
Anyway, below is the terminal output of a session where I create a LUKS device using --key-file and then open it by manually typing the passphrase.
    # dd if=/dev/zero of=crypttest bs=1M count=100
    100+0 records in
    100+0 records out
    104857600 bytes (105 MB) copied, 0.0810213 s, 1.3 GB/s
    # losetup -f crypttest
    # echo -n thisismypassphrase > cryptfoo
    # od -c cryptfoo
    0000000   t   h   i   s   i   s   m   y   p   a   s   s   p   h   r   a
    0000020   s   e
    0000022
    # cryptsetup luksFormat --key-file cryptfoo /dev/loop0

    WARNING!
    ========
    This will overwrite data on /dev/loop0 irrevocably.

    Are you sure? (Type uppercase yes): YES
    # cryptsetup luksOpen /dev/loop0 cdev
    Enter passphrase for /root/crypttest:
    # ls -l /dev/mapper/cdev
    lrwxrwxrwx. 1 root root 7 Sep 15 09:31 /dev/mapper/cdev -> ../dm-4
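The keyfile check Gordon describes above, written out as a small shell script. This is an added example, not code posted in the thread: it shows the difference between a keyfile written with `echo` (which appends a newline that cryptsetup then treats as part of the key when read via --key-file) and one written with `printf '%s'` (exactly the bytes typed at the prompt), using `od -c` on the last byte rather than `cat -A`. The file names and the sample passphrase are constructed for the demo; it does not touch cryptsetup or any block device.

```shell
#!/bin/sh
# Added example (not from the thread): detect a trailing newline in a
# cryptsetup keyfile. With --key-file, cryptsetup uses every byte of the
# file, so a '\n' appended by `echo` becomes part of the key. The newline
# you type at the interactive prompt is stripped, so the two never match.
# Paths and the passphrase below are constructed for this demo.

# Print the last byte of a file the way `od -c` shows it ("\n" for a
# newline, the character itself otherwise). Unambiguous and scriptable,
# unlike eyeballing `cat -A` output.
last_byte() {
    tail -c 1 "$1" | od -An -c | tr -d ' '
}

# Exit 0 if the keyfile ends in a newline (the usual mistake), 1 otherwise.
has_trailing_newline() {
    [ "$(last_byte "$1")" = '\n' ]
}

# Write a keyfile holding exactly the passphrase as typed at the prompt.
# printf '%s' adds no terminator; the subshell keeps umask 077 local.
write_keyfile() {
    # $1 = path, $2 = passphrase
    ( umask 077; printf '%s' "$2" > "$1" )
}

# Report on a keyfile in one line; used by demo below.
describe_keyfile() {
    if has_trailing_newline "$1"; then
        printf '%s: ends in \\n; prompt entry of the same text will NOT match\n' "$1"
    else
        printf '%s: last byte %s, no newline; matches what you type at the prompt\n' \
            "$1" "$(last_byte "$1")"
    fi
}

demo() {
    dir=$(mktemp -d)
    # The trap: a plain echo appends '\n' to the passphrase.
    echo thisismypassphrase > "$dir/keyfile.bad"
    # The fix: write exactly the bytes the user will type later.
    write_keyfile "$dir/keyfile.good" thisismypassphrase

    describe_keyfile "$dir/keyfile.bad"
    describe_keyfile "$dir/keyfile.good"

    # With a keyfile like keyfile.good, the sequence Gordon shows above
    # (cryptsetup luksFormat --key-file KEYFILE DEVICE, then an interactive
    # cryptsetup luksOpen DEVICE NAME typing the same passphrase) is the
    # expected workflow; it is not run here.
    rm -rf "$dir"
}

demo
```

Run it as root or not; it only writes under a temporary directory. Before formatting a real device from a script, run `has_trailing_newline` (or simply `od -c`) on the keyfile and refuse to proceed if it reports a newline, unless the plan is to always unlock with that same file.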