Digimer
2015-Mar-04 21:16 UTC
[CentOS] LUKS encrypted partition using --key-file can only be decrypted with --key-file
Hi all,

I created a LUKS encrypted partition via a udev-triggered script on 6.6 using --key-file /tmp/foo. This worked fine, and I can decrypt the LUKS partition via script and manually using --key-file with luksOpen.

The odd problem is that I can't decrypt the partition using the prompt. If I manually create a file with the passphrase in it and then point to it with --key-file, it decrypts fine. I used 'cat -A /tmp/foo' to verify that there was no '\n' at the end of the phrase.

Is this expected behaviour? That is, if you create an encrypted partition using --key-file, must you always decrypt with the same? If so, I can't understand the logic... If not, then I am not sure what I am doing wrong.

Thanks for any insight!

digimer

--
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without access to education?
Robert Nichols
2015-Mar-04 23:33 UTC
[CentOS] LUKS encrypted partition using --key-file can only be decrypted with --key-file
On 03/04/2015 03:16 PM, Digimer wrote:
> Hi all,
>
> I created a LUKS encrypted partition via a udev-triggered script on
> 6.6 using --key-file /tmp/foo. This worked fine, and I can decrypt the
> LUKS partition via script and manually using --key-file with luksOpen.
>
> The odd problem is that I can't decrypt the partition using the
> prompt. If I manually create a file with the passphrase in it and then
> point to it with --key-file, it decrypts fine. I used 'cat -A
> /tmp/foo' to verify that there was no '\n' at the end of the phrase.
>
> Is this expected behaviour? That is; If you create an encrypted
> partition using --key-file, you always decrypt with the same? If so, I
> can't understand the logic... If not, then I am not sure what I am
> doing wrong.

Try again including "--hash plain" on the command line. When the key is read from a keyfile, no hash is used and the key is simply truncated to the correct length (too short is an error). A key read from the terminal or from stdin is hashed, then truncated or padded to the proper length.

See "NOTES ON PASSWORD PROCESSING" in the cryptsetup manpage. Presumably, if you stored the hashed key phrase in the keyfile (DAMHTDT) it would work from the terminal without "--hash plain".

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
Digimer
2015-Sep-14 21:45 UTC
[CentOS] LUKS encrypted partition using --key-file can only be decrypted with --key-file
On 04/03/15 06:33 PM, Robert Nichols wrote:
> On 03/04/2015 03:16 PM, Digimer wrote:
>> Hi all,
>>
>> I created a LUKS encrypted partition via a udev-triggered script on
>> 6.6 using --key-file /tmp/foo. This worked fine, and I can decrypt the
>> LUKS partition via script and manually using --key-file with luksOpen.
>>
>> The odd problem is that I can't decrypt the partition using the
>> prompt. If I manually create a file with the passphrase in it and then
>> point to it with --key-file, it decrypts fine. I used 'cat -A
>> /tmp/foo' to verify that there was no '\n' at the end of the phrase.
>>
>> Is this expected behaviour? That is; If you create an encrypted
>> partition using --key-file, you always decrypt with the same? If so, I
>> can't understand the logic... If not, then I am not sure what I am
>> doing wrong.
>
> Try again including "--hash plain" on the command line. When the
> key is read from a keyfile, no hash is used and the key is simply
> truncated to the correct length (too short is an error). A key read
> from the terminal or from stdin is hashed, then truncated or padded
> to the proper length.
>
> See "NOTES ON PASSWORD PROCESSING" in the cryptsetup manpage.
> Presumably, if you stored the hashed key phrase in the keyfile
> (DAMHTDT) it would work from the terminal without "--hash plain".

Reviving a very old thread...

I tried this (cryptsetup --hash plain luksOpen /dev/sdb1 sdb1) but it fails to recognize the passphrase at the command line still. When I tried to use '--hash plain' on luksFormat, I get:

[root@dashboard1 ~]# echo YES | cryptsetup --hash plain luksFormat /dev/sdb1 /tmp/password
Requested LUKS hash plain is not supported.

I suspect I'm misunderstanding something. I've read "NOTES ON PASSWORD PROCESSING" and as best I can figure, the root of the problem is the padding. I'm not so strong on security, so when I look at /proc/crypto, I get lost.

Is there a "for dummies" document that I could look at to do what it is I am trying to do? That is; create the encrypted device from a script (which is why I am using --key-file) and then decrypt it later with normal STDIN via cryptsetup luksOpen?

Thanks!

--
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without access to education?
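An added example, not code from the thread or from either poster: a shell script for the setup Digimer describes (create the LUKS volume from a script with a keyfile, later open the same volume by typing a passphrase). It rests on two facts from the cryptsetup manual rather than on the "--hash plain" suggestion: for LUKS the passphrase is simply the bytes cryptsetup receives, with a keyfile read byte-for-byte (a trailing newline included) and terminal input stripped of its newline before PBKDF2, and for LUKS "--hash" selects the PBKDF2 hash and cannot be "plain", which is what the error above reports; and a LUKS header holds several key slots, so luksAddKey can add a typed passphrase next to the keyfile instead of replacing it. The device /dev/sdb1, the keyfile path under /etc/luks, the mapper name sdb1 and the sample passphrase are hypothetical. The cryptsetup calls need root and a real block device; the keyfile helpers run anywhere and catch the newline mismatch that "cat -A" was used for in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Device path, keyfile path, mapper name
# and passphrase are hypothetical placeholders.
set -eu

# Write the passphrase to a keyfile with NO trailing newline. `echo` would
# append '\n'; cryptsetup reads a keyfile byte-for-byte, so that newline
# would become part of the passphrase, whereas the terminal reader strips
# the newline you type. The two passphrases would then never match.
write_keyfile() {
    keyfile=$1
    passphrase=$2
    (umask 077 && printf '%s' "$passphrase" > "$keyfile")
}

# Exit status 0 if the keyfile's last byte is '\n' (the classic mismatch),
# 1 otherwise. Same check as `cat -A`, but usable from a script.
keyfile_has_trailing_newline() {
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Byte count of the keyfile; cryptsetup uses every byte unless
# --keyfile-size caps it.
keyfile_size() {
    wc -c < "$1" | tr -d ' '
}

# Scripted creation: the keyfile's bytes become the passphrase in key slot 0.
# -q suppresses the "YES" confirmation the thread piped in with echo.
# Needs root.
format_with_keyfile() {
    dev=$1
    keyfile=$2
    cryptsetup -q luksFormat "$dev" "$keyfile"
}

# Add a second key slot holding a typed passphrase. --key-file supplies the
# existing slot-0 passphrase to authorise the change; cryptsetup then prompts
# for the new passphrase. Afterwards the script keeps using --key-file and a
# human can open the same device at the prompt. Needs root.
add_typed_passphrase() {
    dev=$1
    keyfile=$2
    cryptsetup --key-file "$keyfile" luksAddKey "$dev"
}

# The two open paths, for verification. Needs root.
open_with_keyfile() {
    cryptsetup --key-file "$2" luksOpen "$1" "$3"
}
open_with_prompt() {
    cryptsetup luksOpen "$1" "$2"
}

# Example run, commented out because it needs root and a real device:
#   write_keyfile /etc/luks/sdb1.key 'correct horse'
#   keyfile_has_trailing_newline /etc/luks/sdb1.key && echo 'keyfile ends in newline' >&2
#   format_with_keyfile /dev/sdb1 /etc/luks/sdb1.key
#   add_typed_passphrase /dev/sdb1 /etc/luks/sdb1.key   # type the human passphrase when asked
#   cryptsetup luksDump /dev/sdb1                        # LUKS1: Key Slot 0 and 1 now ENABLED
#   open_with_prompt /dev/sdb1 sdb1                      # type the human passphrase
#   open_with_keyfile /dev/sdb1 /etc/luks/sdb1.key sdb1  # what the udev script keeps doing
```

If the keyfile must itself be typeable (one slot, no luksAddKey), write it with printf as above, keep it to printable ASCII, and check it with keyfile_has_trailing_newline before luksFormat; any byte that cannot be entered at a prompt, a newline first among them, makes the volume keyfile-only.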