* [dm-crypt] key-size argument not working with luksAddKey
@ 2010-09-13 22:07 Josh Litherland
  2010-09-13 22:22 ` Josh Litherland
  2010-09-14 14:41 ` Roscoe
  0 siblings, 2 replies; 9+ messages in thread
From: Josh Litherland @ 2010-09-13 22:07 UTC (permalink / raw)
  To: dm-crypt


Using cryptsetup 1.1.0~rc2 from Ubuntu Lucid apt package.  As an experiment,
I have a 1000 byte key that I have in a file 1000key.  I have another file
2000key which is the key followed by 1000 pad bytes.  This works:

# cryptsetup --key-file 1000key luksOpen /dev/loop0 cryptofs

This also works:

# cryptsetup --key-file 2000key --key-size 8000 luksOpen /dev/loop0 cryptofs

This works too:

# cryptsetup --key-file 1000key luksAddKey /dev/loop0

But this bit doesn't work:

# cryptsetup --key-file 2000key --key-size 8000 luksAddKey /dev/loop0
No key available with this passphrase.
#

That is to say, the --key-size argument doesn't seem to be working with
luksAddKey.

Any suggestions ?

-- 
Josh Litherland (josh@temp123.org)


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [dm-crypt] key-size argument not working with luksAddKey
  2010-09-13 22:07 [dm-crypt] key-size argument not working with luksAddKey Josh Litherland
@ 2010-09-13 22:22 ` Josh Litherland
  2010-09-14 14:41 ` Roscoe
  1 sibling, 0 replies; 9+ messages in thread
From: Josh Litherland @ 2010-09-13 22:22 UTC (permalink / raw)
  To: dm-crypt



Attached patch seems to fix it for me.


[-- Attachment #2: addkey_keysize.patch.gz --]
[-- Type: application/x-gzip, Size: 506 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [dm-crypt] key-size argument not working with luksAddKey
  2010-09-13 22:07 [dm-crypt] key-size argument not working with luksAddKey Josh Litherland
  2010-09-13 22:22 ` Josh Litherland
@ 2010-09-14 14:41 ` Roscoe
  2010-09-14 15:17   ` Josh Litherland
  1 sibling, 1 reply; 9+ messages in thread
From: Roscoe @ 2010-09-14 14:41 UTC (permalink / raw)
  To: Josh Litherland; +Cc: dm-crypt

On Tue, Sep 14, 2010 at 8:07 AM, Josh Litherland <josh@temp123.org> wrote:
> Using cryptsetup 1.1.0~rc2 from Ubuntu Lucid apt package.  As an experiment,
> I have a 1000 byte key that I have in a file 1000key.  I have another file
> 2000key which is the key followed by 1000 pad bytes.  This works:
>
> # cryptsetup --key-file 1000key luksOpen /dev/loop0 cryptofs
>
> This also works:
>
> # cryptsetup --key-file 2000key --key-size 8000 luksOpen /dev/loop0 cryptofs
>
> This works too:
>
> # cryptsetup --key-file 1000key luksAddKey /dev/loop0
>
> But this bit doesn't work:
>
> # cryptsetup --key-file 2000key --key-size 8000 luksAddKey /dev/loop0
> No key available with this passphrase.
> #
>
> That is to say, the --key-size argument doesn't seem to be working with
> luksAddKey.
>
> Any suggestions ?

--key-size should specify the size of the key used for
encryption/decryption, which is going to almost always be 112-512
bits.

As this key is stored in the key slots and has a length described in
the header it doesn't make any sense to pass it to cryptsetup for any
of the luks commands other than luksFormat.

Doesn't help your problem at all, though. It seems like you want it to
mean the amount of input to the PBKDF2 function.

-- Roscoe

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [dm-crypt] key-size argument not working with luksAddKey
  2010-09-14 14:41 ` Roscoe
@ 2010-09-14 15:17   ` Josh Litherland
  2010-09-14 15:22     ` Josh Litherland
  2010-09-14 15:26     ` Arno Wagner
  0 siblings, 2 replies; 9+ messages in thread
From: Josh Litherland @ 2010-09-14 15:17 UTC (permalink / raw)
  To: Roscoe; +Cc: dm-crypt


Hrm.  That's not what I thought key-size was doing at all.  I was imagining
that it controlled how much of a key-file was read in and used for any
operations that needed a passphrase.  It certainly behaves in the way I
expected when used with luksOpen... if I try to open with 2000key and no
key-size param, it doesn't work.

The patch I sent makes luksAddKey work as I thought it was meant to, but
it's entirely possible I broke some other aspect of it that I'm not using at
the moment.

Thank you for responding.  =)


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [dm-crypt] key-size argument not working with luksAddKey
  2010-09-14 15:17   ` Josh Litherland
@ 2010-09-14 15:22     ` Josh Litherland
  2010-09-14 15:36       ` Arno Wagner
  2010-09-14 15:26     ` Arno Wagner
  1 sibling, 1 reply; 9+ messages in thread
From: Josh Litherland @ 2010-09-14 15:22 UTC (permalink / raw)
  To: Roscoe; +Cc: dm-crypt


If anyone's interested, the point of all this is that I ultimately want to
use a USB thumb drive as my key-file; not from a file, but raw from the
device itself.  I obviously can't constrain the size of the device, so I
need to be able to only read the known length of the passphrase off it.
Strictly speaking this is only required for luksOpen (which is working as
desired without my patch), but I discovered the surprising (to me) behavior
of luksAddKey whilst setting it up.


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [dm-crypt] key-size argument not working with luksAddKey
  2010-09-14 15:17   ` Josh Litherland
  2010-09-14 15:22     ` Josh Litherland
@ 2010-09-14 15:26     ` Arno Wagner
  2010-09-14 16:59       ` Josh Litherland
  1 sibling, 1 reply; 9+ messages in thread
From: Arno Wagner @ 2010-09-14 15:26 UTC (permalink / raw)
  To: dm-crypt

On Tue, Sep 14, 2010 at 11:17:27AM -0400, Josh Litherland wrote:
> Hrm.  That's not what I thought key-size was doing at all.  I was imagining
> that it controlled how much of a key-file was read in and used for any
> operations that needed a passphrase.  It certainly behaves in the way I
> expected when used with luksOpen... if I try to open with 2000key and no
> key-size param, it doesn't work.

That is done differently. May I direct your attention to the 
item "How do I read a LUKS slot key from file?" in the FAQ?
(Found e.g. here: 
http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions)

Arno


-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [dm-crypt] key-size argument not working with luksAddKey
  2010-09-14 15:22     ` Josh Litherland
@ 2010-09-14 15:36       ` Arno Wagner
  0 siblings, 0 replies; 9+ messages in thread
From: Arno Wagner @ 2010-09-14 15:36 UTC (permalink / raw)
  To: dm-crypt

On Tue, Sep 14, 2010 at 11:22:07AM -0400, Josh Litherland wrote:
> If anyone's interested, the point of all this is that I ultimately want to
> use a USB thumb drive as my key-file; not from a file, but raw from the
> device itself.  I obviously can't constrain the size of the device, so I
> need to be able to only read the known length of the passphrase off it.
> Strictly speaking this is only required for luksOpen (which is working as
> desired without my patch), but I discovered the surprising (to me) behavior
> of luksAddKey whilst setting it up.

You can do the following:

head -c <keylength> <usbdev> | cryptsetup <lukscommand> --key-file - ...

Note that luksAddKey has a different syntax for using a 
passphrase from file, see the FAQ.

Arno



 

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [dm-crypt] key-size argument not working with luksAddKey
  2010-09-14 15:26     ` Arno Wagner
@ 2010-09-14 16:59       ` Josh Litherland
  2010-09-14 17:20         ` Arno Wagner
  0 siblings, 1 reply; 9+ messages in thread
From: Josh Litherland @ 2010-09-14 16:59 UTC (permalink / raw)
  To: dm-crypt


> That is done differently. May I direct your attention to the
> item "How do I read a LUKS slot key from file?" in the FAQ?

Understood.  The point of my original query is that the procedure outlined
in that FAQ _will not work_ if the key-file you provide has trailing bytes
after the actual key part, as it does in my 2000key test file and as it will
_always_ do if you're using a raw block device as your key file.

A workaround that works is to dd off the key into a separate file and use
that new file as the argument for luksAddKey (and then be careful to shred
-u the file afterward!).  My patch adds the ability to handle this task
internally within cryptsetup, without having to duplicate and subsequently
destroy the extra copy of the key, and in a way that is consistent with the
user interface of other luks operations.


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [dm-crypt] key-size argument not working with luksAddKey
  2010-09-14 16:59       ` Josh Litherland
@ 2010-09-14 17:20         ` Arno Wagner
  0 siblings, 0 replies; 9+ messages in thread
From: Arno Wagner @ 2010-09-14 17:20 UTC (permalink / raw)
  To: dm-crypt

On Tue, Sep 14, 2010 at 12:59:57PM -0400, Josh Litherland wrote:
> > That is done differently. May I direct your attention to the
> > item "How do I read a LUKS slot key from file?" in the FAQ?
> 
> Understood.  The point of my original query is that the procedure outlined
> in that FAQ _will not work_ if the key-file you provide has trailing bytes
> after the actual key part, as it does in my 2000key test file and as it will
> _always_ do if you're using a raw block device as your key file.

Oh, it works. It just does not take partial files as input,
only full ones. This is not surprising as cutting out part
of a file is a task for a different tool by the UNIX
philosophy, see my second answer about reading the passphrase
from STDIN and cutting with 'head'.

> A workaround that works is to dd off the key into a separate file and use
> that new file as the argument for luksAddKey (and then be careful to shred
> -u the file afterward!).  My patch adds the ability to handle this task
> internally within cryptsetup, without having to duplicate and subsequently
> destroy the extra copy of the key, and in a way that is consistent with the
> user interface of other luks operations.

Copying the file is a bad idea for security reasons. As cryptsetup
accepts '-' as filename (except on adding or changing a passphrase),
it is not needed. Also note that in more complex set-ups you
might be able to transfer the cutout of the passphrase bit-sequence
by a named pipe.

I can see what you are trying to do, but I think your patch
falls into the Microsoft pitfall of having complex tools
that do a lot of tasks but none particularly well ;-)

I recommend having a look through the Gnu Textutils. They
are 8-bit clean (work on binary data) and there is amazing
stuff in there. Another pitfall for us few that can actually
code is to write things that already exist and work well.
Believe me, I do understand the urge.

Arno


^ permalink raw reply	[flat|nested] 9+ messages in thread
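
The `head -c` pipeline and the 1000key/2000key experiment discussed in this thread, as an added shell example that is not part of any message or of cryptsetup. `key_prefix` and `same_prefix` are hypothetical helper names, the key files are constructed sample data, and `/dev/sdX` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. key_prefix and same_prefix are
# hypothetical helper names.

# key_prefix SRC LEN
# Write exactly the first LEN bytes of SRC (file or block device) to stdout.
# Fails without output if SRC holds fewer than LEN bytes, so a wrong or
# truncated source never yields a silently shortened passphrase.
key_prefix() {
    kp_src=$1
    kp_len=$2
    case $kp_len in
        ''|0*|*[!0-9]*) echo "key_prefix: LEN must be a positive byte count" >&2; return 2 ;;
    esac
    # First pass only counts bytes; no key material is stored in a variable
    # or on disk. $(( )) normalises wc implementations that pad with spaces.
    kp_got=$(( $(head -c "$kp_len" "$kp_src" 2>/dev/null | wc -c) ))
    if [ "$kp_got" -ne "$kp_len" ]; then
        echo "key_prefix: short read ($kp_got of $kp_len bytes)" >&2
        return 1
    fi
    head -c "$kp_len" "$kp_src"
}

# same_prefix SRC LEN REF: succeed when the first LEN bytes of SRC equal REF.
same_prefix() {
    key_prefix "$1" "$2" | cmp -s - "$3"
}

# Constructed sample data mirroring the thread: a 1000-byte key, and the same
# key followed by 1000 pad bytes.
work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT
head -c 1000 /dev/urandom > "$work/1000key"
{ cat "$work/1000key"; head -c 1000 /dev/zero; } > "$work/2000key"

# Whole padded file: a different byte stream, hence a different passphrase.
if cmp -s "$work/2000key" "$work/1000key"; then
    echo "whole 2000key: same as 1000key"
else
    echo "whole 2000key: differs from 1000key"
fi

# Truncated stream: byte-identical to the original key, random binary included.
if same_prefix "$work/2000key" 1000 "$work/1000key"; then
    echo "first 1000 bytes of 2000key: same as 1000key"
else
    echo "first 1000 bytes of 2000key: differs from 1000key"
fi

# With a real device (placeholder /dev/sdX), the pipeline from the thread becomes:
#   key_prefix /dev/sdX 1000 | cryptsetup --key-file - luksOpen /dev/loop0 cryptofs
```
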
