[CentOS] LUKS encrypted partition using --key-file can only be decrypted with --key-file

Digimer

lists at alteeve.ca
Mon Sep 14 21:45:10 UTC 2015


On 04/03/15 06:33 PM, Robert Nichols wrote:
> On 03/04/2015 03:16 PM, Digimer wrote:
>> Hi all,
>>
>>    I created a LUKS encrypted partition via a udev-triggered script on
>> 6.6 using --key-file /tmp/foo. This worked fine, and I can decrypt the
>> LUKS partition via script and manually using --key-file with luksOpen.
>>
>>    The odd problem is that I can't decrypt the partition using the
>> prompt. If I manually create a file with the passphrase in it and then
>> point to it with --key-file, it decrypts fine. I used 'cat -A
>> /tmp/foo' to verify that there was no '\n' at the end of the phrase.
>>
>>    Is this expected behaviour? That is; If you create an encrypted
>> partition using --key-file, you always decrypt with the same? If so, I
>> can't understand the logic... If not, then I am not sure what I am
>> doing wrong.
> 
> Try again including "--hash plain" on the command line.  When the
> key is read from a keyfile, no hash is used and the key is simply
> truncated to the correct length (too short is an error). A key read
> from the terminal or from stdin is hashed, then truncated or padded
> to the proper length.
> 
> See "NOTES ON PASSWORD PROCESSING" in the cryptsetup manpage.
> Presumably, if you stored the hashed key phrase in the keyfile
> (DAMHTDT) it would work from the terminal without "--hash -plain".

Reviving a very old thread...

I tried this (cryptsetup --hash plain luksOpen /dev/sdb1 sdb1) but it
fails to recognize the passphrase at the command line still. When I
tried to use '--hash plain' on luksFormat, I get:

[root@dashboard1 ~]# echo YES | cryptsetup --hash plain luksFormat /dev/sdb1 /tmp/password
Requested LUKS hash plain is not supported.

I suspect I'm misunderstanding something. I've read "NOTES ON PASSWORD
PROCESSING" and as best I can figure, the root of the problem is the
padding. I'm not so strong on security, so when I look at /proc/crypto,
I get lost.

Is there a "for dummies" document that I could look at to do what it is
I am trying to do? That is; create the encrypted device from a script
(which is why I am using --key-file) and then decrypt it later with
normal STDIN via cryptsetup luksOpen?

Thanks!

-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without
access to education?
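
Added example (not part of the original message and not cryptsetup's own code): a simplified Python model of the rules in the cryptsetup man page's notes on passphrase processing, showing how the bytes read from a key file and from a typed passphrase become a key in plain dm-crypt mode and in LUKS mode. The function names, the 32-byte key size, sha256/sha1, the salt and the iteration count are assumptions for illustration; real LUKS uses the PBKDF2 output to unlock the master key rather than comparing derived keys directly.

```python
import hashlib

KEY_SIZE = 32  # bytes; assumed 256-bit key for this model


def read_interactive(typed: bytes) -> bytes:
    """Terminal or piped stdin: input ends at the first newline, which is dropped."""
    return typed.split(b"\n", 1)[0]


def read_keyfile(content: bytes) -> bytes:
    """--key-file: every byte of the file is used, a trailing newline included."""
    return content


def plain_key(secret: bytes, from_keyfile: bool, hash_name: str = "sha256") -> bytes:
    """Plain dm-crypt: a key file is truncated unhashed; typed input is hashed first."""
    if from_keyfile:
        if len(secret) < KEY_SIZE:
            raise ValueError("key file shorter than key size")
        return secret[:KEY_SIZE]
    if hash_name == "plain":  # '--hash plain': no hash, zero-pad or truncate
        return secret[:KEY_SIZE].ljust(KEY_SIZE, b"\0")
    return hashlib.new(hash_name, secret).digest()[:KEY_SIZE]


def luks_slot_key(secret: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """LUKS: the bytes read, from either source, go through PBKDF2 with the slot salt."""
    return hashlib.pbkdf2_hmac("sha1", secret, salt, iterations, KEY_SIZE)


def luks_unlocks(enrolled: bytes, attempt: bytes, salt: bytes = b"constructed-salt") -> bool:
    """Simplified check: the slot opens only if both secrets derive the same key."""
    return luks_slot_key(enrolled, salt) == luks_slot_key(attempt, salt)


if __name__ == "__main__":
    phrase = b"constructed-sample-passphrase-0123456789"  # constructed sample value
    typed = read_interactive(phrase + b"\n")               # user types it and hits Enter
    print("LUKS, key file without newline:", luks_unlocks(read_keyfile(phrase), typed))
    print("LUKS, key file with newline:   ", luks_unlocks(read_keyfile(phrase + b"\n"), typed))
    print("plain, default hash matches:   ", plain_key(phrase, True) == plain_key(typed, False))
    print("plain, --hash plain matches:   ", plain_key(phrase, True) == plain_key(typed, False, "plain"))
```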