LUKS Encrypted Partition Using --key-file Can Only Be Decrypted With --key-file


Hi all,

I created a LUKS encrypted partition via a udev-triggered script on 6.6 using --key-file /tmp/foo. This worked fine, and I can decrypt the LUKS partition via script and manually using --key-file with luksOpen.

The odd problem is that I can’t decrypt the partition using the prompt. If I manually create a file with the passphrase in it and then point to it with --key-file, it decrypts fine. I used ‘cat -A /tmp/foo’ to verify that there was no ‘\n’ at the end of the phrase.

Is this expected behaviour? That is, if you create an encrypted partition using --key-file, do you always have to decrypt with the same? If so, I can’t understand the logic… If not, then I am not sure what I am doing wrong.

Thanks for any insight!

digimer

3 thoughts on - LUKS Encrypted Partition Using --key-file Can Only Be Decrypted With --key-file

  • Try again including “--hash plain” on the command line. When the key is read from a keyfile, no hash is used and the key is simply truncated to the correct length (too short is an error). A key read from the terminal or from stdin is hashed, then truncated or padded to the proper length.

    See “NOTES ON PASSWORD PROCESSING” in the cryptsetup manpage. Presumably, if you stored the hashed key phrase in the keyfile (DAMHTDT) it would work from the terminal without “--hash plain”.

  • Reviving a very old thread…

    I tried this (cryptsetup --hash plain luksOpen /dev/sdb1 sdb1) but it fails to recognize the passphrase at the command line still. When I tried to use ‘--hash plain’ on luksFormat, I get:

    [root@dashboard1 ~]# echo YES | cryptsetup --hash plain luksFormat /dev/sdb1 /tmp/password
    Requested LUKS hash plain is not supported.

    I suspect I’m misunderstanding something. I’ve read “NOTES ON PASSWORD PROCESSING” and as best I can figure, the root of the problem is the padding. I’m not so strong on security, so when I look at /proc/crypto, I get lost.

    Is there a “for dummies” document that I could look at to do what it is I am trying to do? That is, create the encrypted device from a script (which is why I am using --key-file) and then decrypt it later with normal STDIN via cryptsetup luksOpen?

    Thanks!

  • I don’t know why Robert suggested that you try that. It’s wrong. You would only use that to provide a binary key to cryptsetup, not a passphrase as you’re trying to do.

    I can’t replicate your problem. Using --key-file works correctly for me. You said that you used “cat -A” to verify that there’s no newline in the key file. I’d suggest that “od -c” is a better test. cat doesn’t even really need the -A to check for a newline; after printing a file to the terminal with cat, your prompt will appear on the same line as the file’s content if the file has no newline (for most prompt definitions).

    Anyway, below is the terminal output of a session where I create a LUKS device using --key-file and then open it by manually typing the passphrase.

    # dd if=/dev/zero of=crypttest bs=1M count=100
    100+0 records in
    100+0 records out
    104857600 bytes (105 MB) copied, 0.0810213 s, 1.3 GB/s
    # losetup -f crypttest
    # echo -n thisismypassphrase > cryptfoo
    # od -c cryptfoo
    0000000 t h i s i s m y p a s s p h r a
    0000020 s e
    0000022
    # cryptsetup luksFormat --key-file cryptfoo /dev/loop0

    WARNING!
    ========
    This will overwrite data on /dev/loop0 irrevocably.

    Are you sure? (Type uppercase yes): YES
    # cryptsetup luksOpen /dev/loop0 cdev
    Enter passphrase for /root/crypttest:
    # ls -l /dev/mapper/cdev
    lrwxrwxrwx. 1 root root 7 Sep 15 09:31 /dev/mapper/cdev -> ../dm-4
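The usual cause of the mismatch described in this thread is a key file that was written with plain `echo`, which appends a newline: cryptsetup uses the key file's bytes verbatim, while the newline that ends an interactive entry is removed, so the typed passphrase never equals the file's content. The following script is an added example, not code from the thread or from the cryptsetup project; it assumes only a POSIX shell with `od`, `tail`, `wc` and `printf`, and it runs without root or a loop device. The function names (`keyfile_newline_status`, `typable_passphrase`, `write_keyfile`) are hypothetical, and the sample key files in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether a LUKS key file
# would match the same passphrase typed at the luksOpen prompt. The check
# mirrors the "od -c" test suggested above but automates the last-byte test.

# Prints "empty" for a zero-length file, "trailing-newline" when the last
# byte is 0x0a (typical of a file written with `echo`), otherwise "clean".
keyfile_newline_status() {
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -eq 0 ]; then
        echo empty
        return 0
    fi
    # Hex of the final byte, with od's whitespace stripped.
    last=$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$last" = "0a" ]; then
        echo trailing-newline
    else
        echo clean
    fi
}

# Prints the key file's content as the passphrase a user would have to type
# interactively; fails (status 1) when the file ends with a newline, because
# that newline is part of the stored passphrase and cannot be typed at a prompt.
typable_passphrase() {
    f=$1
    if [ "$(keyfile_newline_status "$f")" != clean ]; then
        return 1
    fi
    cat "$f"
}

# Writes a passphrase to a key file with no trailing newline (printf '%s',
# not echo) and owner-only permissions (umask 077 applied in a subshell so
# the caller's umask is untouched).
write_keyfile() {
    phrase=$1
    f=$2
    ( umask 077; printf '%s' "$phrase" > "$f" )
}

# Constructed demonstration: two key files with the same visible text.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'thisismypassphrase\n' > "$d/echo-style"   # what `echo` produces
    write_keyfile thisismypassphrase "$d/clean"        # what luksOpen expects
    for k in echo-style clean; do
        printf '%s: %s\n' "$k" "$(keyfile_newline_status "$d/$k")"
    done
    rm -rf "$d"
fi
```

Run the status check on the key file before `luksFormat`; a result of `trailing-newline` means the passphrase later typed at the `luksOpen` prompt will not match, and the file should be rewritten with `printf '%s'` or `echo -n` as in the session above.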