[dm-crypt] Can I test for LUKS passphrase strength without formatting a device?

[dm-crypt] Can I test for LUKS passphrase strength without formatting a device?

[Jan Tulak]

Hi

Is it possible to test whether a passphrase is strong enough (and
luksFormat will accept it), without the need to really create a device
with this passphrase? I ask because I want to test the password before
I run a sequence of commands and I don't want them to fail in the
middle just because of a weak passphrase.

I checked for the --test-passphrase, but that verifies if the
passphrase would decrypt an existing device, which is not what I want.

Thanks,
Jan

Re: [dm-crypt] Can I test for LUKS passphrase strength without formatting a device?

[Milan Broz]

On 11/07/2017 05:51 PM, Jan Tulak wrote:
> Is it possible to test whether a passphrase is strong enough (and
> luksFormat will accept it), without the need to really create a device
> with this passphrase? I ask because I want to test the password before
> I run a sequence of commands and I don't want them to fail in the
> middle just because of a weak passphrase.

Cryptsetup/LUKS does not itself enforce any passphrase quality, it is libpwquality
that libcryptsetup can be linked to (optionally, we use it in all Red Hat distros).

See man for pwquality library (the idea is to enforce password policy for the whole
distro, so it uses configuration pwquality file).

> I checked for the --test-passphrase, but that verifies if the
> passphrase would decrypt an existing device, which is not what I want.

This tests only LUKS, pwquality is called only in Format.

m.

Re: [dm-crypt] Can I test for LUKS passphrase strength without formatting a device?

[Michael Kjörling]

On 7 Nov 2017 17:51 +0100, from jtulak@redhat.com (Jan Tulak):
> Is it possible to test whether a passphrase is strong enough (and
> luksFormat will accept it), without the need to really create a device
> with this passphrase? I ask because I want to test the password before
> I run a sequence of commands and I don't want them to fail in the
> middle just because of a weak passphrase.

Adding to Milan Broz's answer, you can always use a simple file (or a
sparse file) as a backing device for a LUKS container. Doing so will
also tell you that the utilities can understand all other options
you're feeding them, which may be a consideration if you are providing
custom settings (for example, hash algorithm, encryption algorithm,
etc.). Just remember to close the container before you delete the
file.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)

Re: [dm-crypt] Can I test for LUKS passphrase strength without formatting a device?

[Jan Tulak]

On Tue, Nov 7, 2017 at 7:45 PM, Milan Broz <gmazyland@gmail.com> wrote:
> On 11/07/2017 05:51 PM, Jan Tulak wrote:
>> Is it possible to test whether a passphrase is strong enough (and
>> luksFormat will accept it), without the need to really create a device
>> with this passphrase? I ask because I want to test the password before
>> I run a sequence of commands and I don't want them to fail in the
>> middle just because of a weak passphrase.
>
> Cryptsetup/LUKS does not itself enforce any passphrase quality, it is libpwquality
> that libcryptsetup can be linked to (optionally, we use it in all Red Hat distros).
>
> See man for pwquality library (the idea is to enforce password policy for the whole
> distro, so it uses configuration pwquality file).
>
>> I checked for the --test-passphrase, but that verifies if the
>> passphrase would decrypt an existing device, which is not what I want.
>
> This tests only LUKS, pwquality is called only in Format.
>
> m.

Ah, thanks for directing me the right way. :-)

Cheers,
Jan