[CentOS] LUKS encrypted partition using --key-file can only be decrypted with --key-file

Robert Nichols rnicholsNOSPAM at comcast.net
Wed Mar 4 23:33:17 UTC 2015


On 03/04/2015 03:16 PM, Digimer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all,
>
>    I created a LUKS encrypted partition via a udev-triggered script on
> 6.6 using --key-file /tmp/foo. This worked fine, and I can decrypt the
> LUKS partition via script and manually using --key-file with luksOpen.
>
>    The odd problem is that I can't decrypt the partition using the
> prompt. If I manually create a file with the passphrase in it and then
> point to it with --key-file, it decrypts fine. I used 'cat -A
> /tmp/foo' to verify that there was no '\n' at the end of the phrase.
>
>    Is this expected behaviour? That is; If you create an encrypted
> partition using --key-file, you always decrypt with the same? If so, I
> can't understand the logic... If not, then I am not sure what I am
> doing wrong.

Try again including "--hash plain" on the command line.  When the
key is read from a keyfile, no hash is used and the key is simply
truncated to the correct length (too short is an error). A key read
from the terminal or from stdin is hashed, then truncated or padded
to the proper length.

See "NOTES ON PASSWORD PROCESSING" in the cryptsetup manpage.
Presumably, if you stored the hashed key phrase in the keyfile
(DAMHTDT) it would work from the terminal without "--hash plain".

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
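Added example, not part of this thread and not cryptsetup's own code: a small Python model of the two passphrase-processing rules Bob quotes from the man page's plain-mode notes (keyfile bytes used verbatim and truncated, terminal input hashed then truncated or padded), showing why the same text yields different keys from --key-file and from the prompt, and why "--hash plain" makes them agree. KEYFILE_CONTENT, KEY_SIZE and the function names are constructed for the illustration; sha256 as the default hash, zero-byte padding, and a key no longer than one digest are assumptions marked in the code. Caveat for anyone reading this later: these are the rules for plain (non-LUKS) mode. In LUKS mode both a keyfile and a typed passphrase go through PBKDF2, and the documented difference is that the keyfile's bytes are taken verbatim, trailing newline included, while the prompt strips the newline, so the "cat -A" check in the original post is the relevant test there.

```python
import hashlib

# Constructed sample: the text a udev script might have written to /tmp/foo.
# Deliberately longer than a 256-bit key so the keyfile rule does not reject it.
KEYFILE_CONTENT = b"correct horse battery staple, written by udev script"
KEY_SIZE = 32  # bytes, e.g. aes-cbc-essiv:sha256 opened with -s 256


def key_from_keyfile(data: bytes, key_size: int) -> bytes:
    """Plain-mode keyfile rule: the bytes are the key. No hashing, truncated
    to key_size, and a file shorter than the key is an error."""
    if len(data) < key_size:
        raise ValueError(f"keyfile has {len(data)} bytes, key needs {key_size}")
    return data[:key_size]


def key_from_passphrase(typed: bytes, key_size: int,
                        hash_name: str = "sha256") -> bytes:
    """Plain-mode terminal/stdin rule: the trailing newline from the Enter
    key is dropped, then the passphrase is hashed with --hash and the digest
    truncated to key_size. With --hash plain the bytes are used as they are.

    Assumptions in this model (not taken from the thread): sha256 as the
    default --hash (CentOS 6 era cryptsetup defaulted to ripemd160, which
    some OpenSSL builds no longer offer), zero-byte padding when the input
    is shorter than the key, and key sizes of at most one digest; the
    multi-block extension for longer keys is not modelled.
    """
    if typed.endswith(b"\n"):
        typed = typed[:-1]
    if hash_name == "plain":
        # --hash plain: passphrase bytes copied verbatim, truncated or padded
        return typed[:key_size].ljust(key_size, b"\x00")
    digest = hashlib.new(hash_name, typed).digest()
    if key_size > len(digest):
        raise ValueError(f"{hash_name} yields {len(digest)} bytes; "
                         f"a {key_size}-byte key is not modelled here")
    return digest[:key_size]


def explain(keyfile: bytes, typed: bytes, key_size: int) -> dict:
    """Compare the key derived from --key-file with the key derived from
    the same text typed at the prompt, with the default hash and with
    --hash plain. Returns which combinations produce the same key."""
    from_file = key_from_keyfile(keyfile, key_size)
    hashed = key_from_passphrase(typed, key_size)             # default --hash
    unhashed = key_from_passphrase(typed, key_size, "plain")  # --hash plain
    return {
        "keyfile_key": from_file.hex(),
        "prompt_default_hash_matches": hashed == from_file,
        "prompt_hash_plain_matches": unhashed == from_file,
    }


if __name__ == "__main__":
    # The user types exactly the keyfile text and presses Enter.
    result = explain(KEYFILE_CONTENT, KEYFILE_CONTENT + b"\n", KEY_SIZE)
    for name, value in result.items():
        print(f"{name}: {value}")
```

Running the block prints that the default-hash prompt key differs from the keyfile key while the --hash plain prompt key matches it; a keyfile shorter than KEY_SIZE raises ValueError, mirroring the "too short is an error" rule.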