* [dm-crypt] Newbie question --key-file
From: Li, David @ 2012-10-26  2:06 UTC
  To: dm-crypt

Hi,

I am testing with a loop device /dev/loop0.  I want to use a 256-bit key file.

First I did:

-bash-4.1# cryptsetup --key-file keyfile-1 luksFormat /dev/loop0

WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.

Are you sure? (Type uppercase yes): YES
device-mapper: reload ioctl failed: Invalid argument
Failed to setup dm-crypt key mapping for device /dev/loop0.
Check that kernel supports aes-cbc-essiv:sha256 cipher (check syslog for more info).

Question #1. Is the LUKS set up properly or not given the error? I checked my /proc/crypto and it doesn't seem to have the crypto aes-cbc-essiv nor does it have sha256.

-bash-4.1# cat /proc/crypto
name         : stdrng
driver       : krng
module       : kernel
priority     : 200
refcnt       : 1
selftest     : passed
type         : rng
seedsize     : 0

name         : crc32c
driver       : crc32c-generic
module       : kernel
priority     : 100
refcnt       : 2
selftest     : passed
type         : shash
blocksize    : 1
digestsize   : 4

name         : sha1
driver       : sha1-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 20

name         : md5
driver       : md5-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 16

But when I did the check, it seems LUKS has been set up with cbc-essiv:sha256.

-bash-4.1# -bash-4.1# cryptsetup -v isLuks /dev/loop0
Command successful.
-bash-4.1# blkid -p /dev/loop0
/dev/loop0: UUID="6732be3f-d385-4471-8c55-b0e2b43adf53" VERSION="256" TYPE="crypto_LUKS" USAGE="crypto"
-bash-4.1#
-bash-4.1# cryptsetup luksDump /dev/loop0
LUKS header information for /dev/loop0

Version:               1
Cipher name:     aes
Cipher mode:     cbc-essiv:sha256
Hash spec:          sha1
Payload offset: 4096
MK bits:               256
MK digest:          b3 f8 1d 09 f8 50 65 29 50 21 ea cd 0b 4a 9d 6a 2a 70 04 84
MK salt:               f6 f8 2e 1e 5e 71 05 40 3e bc a4 a5 c1 ed 60 6e
                a5 f8 2d 63 e1 f5 42 2a 4f 4a ff 78 a4 e9 70 1e
MK iterations:   40875
UUID:                    6732be3f-d385-4471-8c55-b0e2b43adf53

Key Slot 0: DISABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
-bash-4.1#

So this is confusing to me.

Question #2. I went thru FAQ and didn't quite find an example using key-file to set up LUKS.  But I found this line:

cryptsetup luksOpen --key-file keyfile /dev/loop0 e1

what is e1 here? Can someone give an example using key-file to set up a LUKS partition.

Thanks.




* Re: [dm-crypt] Newbie question --key-file
From: Dennis Birkholz @ 2012-10-26  8:26 UTC
  To: Li, David; +Cc: dm-crypt

Hello David,

On 26.10.2012 04:06, Li, David wrote:
> 
> I am testing with a loop device /dev/loop0.  I want to use a 256-bit key
> file.
> 
> First I did:
> -bash-4.1# cryptsetup --key-file keyfile-1 luksFormat /dev/loop0
...

for me your example works but I have sha256, aes and cbc loaded (which
is required as you use aes as crypto-mode, sha256 as hash and cbc as
block-mode or whatever it is called). The setup is not proper as you
see there is no key slot used.

> Question #2. I went thru FAQ and didn’t quite find an example using
> key-file to set up LUKS.  But I found this line:
> 
> cryptsetup luksOpen --key-file keyfile /dev/loop0 e1
> 
> what is e1 here? Can someone give an example using key-file to set up a
> LUKS partition.

e1 is the name of the crypt mapping. After opening the mapping you can
access it under /dev/mapper/e1 (e.g. to create a file system).

Greets,
Dennis


* Re: [dm-crypt] Newbie question --key-file
From: Li, David @ 2012-10-26 16:27 UTC
  To: Dennis Birkholz; +Cc: dm-crypt

Hi Dennis,
Please see below.

>> First I did:
>> -bash-4.1# cryptsetup --key-file keyfile-1 luksFormat /dev/loop0
>...
>
>for me your example works but I have sha256, aes and cbc loaded (which is
>required as you use aes as crypto-mode, sha256 as hash and cbc as block-mode
>or whatever it is called). The setup is not proper as you see there is no key slot
>used.


[Li, David] Can you explain a little here why key slot wasn't used? Why did the luksDump or the blkid result seem to be normal? 

>
>> Question #2. I went thru FAQ and didn't quite find an example using
>> key-file to set up LUKS.  But I found this line:
>>
>> cryptsetup luksOpen --key-file keyfile /dev/loop0 e1
>>
>> what is e1 here? Can someone give an example using key-file to set up
>> a LUKS partition.
>
>e1 is the name of the crypt mapping. After opening the mapping you can
>access it under /dev/mapper/e1 (e.g. to create a file system).
>
>Greets,
>Dennis


* Re: [dm-crypt] Newbie question --key-file
From: Milan Broz @ 2012-10-26 16:37 UTC
  To: dm-crypt

On 10/26/2012 06:27 PM, Li, David wrote:
> Hi Dennis,
> Please see below.
> 
>>> First I did:
>>> -bash-4.1# cryptsetup --key-file keyfile-1 luksFormat /dev/loop0
>> ...
>>
>> for me your example works but I have sha256, aes and cbc loaded (which is
>> required as you use aes as crypto-mode, sha256 as hash and cbc as block-mode
>> or whatever it is called). The setup is not proper as you see there is no key slot
>> used.
> 
> 
> [Li, David] Can you explain a little here why key slot wasn't used?
> Why did the luksDump or the blkid result seem to be normal? 

I think there are just missing internal kernel modules.

Cryptsetup internally first generates master key, then writes visible header and then
enables keyslot - and for keyslot write it requires kernel crypto modules.
If last step fails, you end up with LUKS header without any slot enabled.

(The error reporting here is not optimal, still thinking how to get
exact information from kernel.
Anyway there is:
"Check that kernel supports aes-cbc-essiv:sha256 cipher (check syslog for more info)."

Did you check syslog?

According to /proc/crypto, you have no aes module, no cbc, no sha256...

Milan


* Re: [dm-crypt] Newbie question --key-file
From: Arno Wagner @ 2012-10-26 17:53 UTC
  To: dm-crypt

On Fri, Oct 26, 2012 at 06:37:10PM +0200, Milan Broz wrote:
> > [Li, David] Can you explain a little here why key slot wasn't used?
> > Why did the luksDump or the blkid result seem to be normal? 
> 
> I think there are just missing internal kernel modules.
> 
> Cryptsetup internally first generates master key, then writes visible header and then
> enables keyslot - and for keyslot write it requires kernel crypto modules.
> If last step fails, you end up with LUKS header without any slot enabled.

Maybe use the kernel crypto modules needed later in some
dummy operation early on?

That way you could terminate with error before the header gets
written.

Arno


 
> (The error reporting here is not optimal, still thinking how to get
> exact information from kernel.
> Anyway there is:
> "Check that kernel supports aes-cbc-essiv:sha256 cipher (check syslog for more info)."
> 
> Did you check syslog?
> 
> According to /proc/crypto, you have no aes module, no cbc, no sha256...
> 
> Milan

-- 
Arno Wagner,    Dr. sc. techn., Dipl. Inform.,   Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 
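
The failure discussed in this thread (a LUKS header written with every key slot disabled) and the idea of checking for the needed kernel crypto before formatting can also be handled from a wrapper script. This is an added example, not code from cryptsetup or from any poster; the function names are hypothetical, and it assumes the LUKS1 `luksDump` layout shown in the first message.

```shell
#!/usr/bin/env bash
# Added example, not from the thread; function names are hypothetical.

# Print the requested algorithm names that have no entry in /proc/crypto-style
# text on stdin. "cbc(aes)" counts for both cbc and aes. Algorithms are listed
# only once registered, so a module that is not loaded yet is reported too.
missing_algs() {
  awk -v want="$*" '
    $1 == "name" { n = $3; gsub(/[(),]/, " ", n)
                   k = split(n, p, " ")
                   for (i = 1; i <= k; i++) seen[p[i]] = 1 }
    END { k = split(want, w, " ")
          for (i = 1; i <= k; i++)
            if (!(w[i] in seen)) { out = out sep w[i]; sep = " " }
          print out }'
}

# Count enabled keyslots in LUKS1 `cryptsetup luksDump` output on stdin.
enabled_keyslots() {
  grep -c '^Key Slot [0-7]: ENABLED' || true
}

# Format $1 with key file $2 and open it as /dev/mapper/$3, but only if the
# format really left a usable keyslot (isLuks and blkid succeed even without).
luks_format_checked() {
  local dev=$1 keyfile=$2 name=$3 miss
  miss=$(missing_algs aes cbc sha256 < /proc/crypto)
  [ -z "$miss" ] || echo "warning: not in /proc/crypto: $miss" >&2
  cryptsetup --batch-mode --key-file "$keyfile" luksFormat "$dev" ||
    echo "warning: luksFormat reported an error" >&2
  if [ "$(cryptsetup luksDump "$dev" | enabled_keyslots)" -eq 0 ]; then
    echo "error: $dev has a LUKS header but no enabled keyslot" >&2
    return 1
  fi
  cryptsetup luksOpen --key-file "$keyfile" "$dev" "$name"
}

# Constructed samples, abbreviated from the output quoted in the thread.
SAMPLE_PROC_CRYPTO='name         : sha1
driver       : sha1-generic
name         : md5
driver       : md5-generic'
SAMPLE_DUMP='Key Slot 0: DISABLED
Key Slot 1: DISABLED'
```

Run as root, `luks_format_checked /dev/loop0 keyfile-1 e1` leaves the opened mapping at /dev/mapper/e1, or returns non-zero when the header has no enabled slot.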
