* [dm-crypt] what happens when cryptsetup is given an incorrect passphrase?
From: Robert Lummis @ 2010-07-02 15:25 UTC (permalink / raw)
  To: dm-crypt

I'm writing some Python and bash scripts that do cryptsetup luksOpen
and luksClose on a /dev/loop-mounted file. The user enters the
passphrase at the keyboard and the script passes it to cryptsetup.

When the user enters the wrong passphrase the file gets into a state
that I can't get out of except by rebooting. losetup thinks the device
is attached (losetup -f returns /dev/loop1) but I can't detach it
(losetup -d /dev/loop1 says 'the device is busy' or something like
that). /dev/mapper contains no names and "cryptsetup luksClose <name>"
says 'no such name' or something like that (<name> is the name on the
failed luksOpen).

Question 1) What is going on here and how can I avoid it or get out of
it? Rebooting is not a good answer. When the user gives the correct
passphrase everything works as expected.

Question 2) A related question: is there a way to verify the
passphrase without actually opening (or failing to open) the
partition? I would like to collect the passphrase from the user at the
beginning of the script but not use it until later, and be sure it
will work at that time.

Question 3) Are the exit codes from cryptsetup documented somewhere?
I've seen 0 and 255. Are there others?

I am currently using Ubuntu 10.04 with the pre-installed cryptsetup
and losetup. cryptsetup is 1.1.0-rc2. losetup doesn't give its
version number.

-- 
Robert Lummis


* Re: [dm-crypt] what happens when cryptsetup is given an incorrect passphrase?
From: Robert Lummis @ 2010-07-02 18:31 UTC (permalink / raw)
  To: dm-crypt

Update: I've been experimenting with losetup and cryptsetup luks...
commands interactively (not scripted) and they all seem to work or
else fail in an understandable way. So I must have left out something
essential in my original posting (quoted below). I'm sorry about that.

I'll post again when I can pin down what sequence of commands leads to
the confusing state. I did again see the state where "luksClose
secret" says "Device secret is not active" but "losetup -d /dev/loop0"
says the device is busy.  Unfortunately on that occasion I couldn't
trace back to the commands that had preceded it. Also, at that time I
didn't think to do "luksDump /dev/loop0".  Probably more later.

On Fri, Jul 2, 2010 at 11:25 AM, Robert Lummis <robert.lummis@gmail.com> wrote:
> I'm writing some Python and bash scripts that do cryptsetup luksOpen
> and luksClose on a /dev/loop-mounted file. The user enters the
> passphrase at the keyboard and the script passes it to cryptsetup.
>
> When the user enters the wrong passphrase the file gets into a state
> that I can't get out of except by rebooting. losetup thinks the device
> is attached (losetup -f returns /dev/loop1) but I can't detach it
> (losetup -d /dev/loop1 says 'the device is busy' or something like
> that). /dev/mapper contains no names and "cryptsetup luksClose <name>"
> says 'no such name' or something like that (<name> is the name on the
> failed luksOpen).
>
> Question 1) What is going on here and how can I avoid it or get out of
> it? Rebooting is not a good answer. When the user gives the correct
> passphrase everything works as expected.
>
> Question 2) A related question: is there a way to verify the
> passphrase without actually opening (or failing to open) the
> partition? I would like to collect the passphrase from the user at the
> beginning of the script but not use it until later, and be sure it
> will work at that time.
>
> Question 3) Are the exit codes from cryptsetup documented somewhere?
> I've seen 0 and 255. Are there others?
>
> I am currently using Ubuntu 10.04 with the pre-installed cryptsetup
> and losetup. cryptsetup is 1.1.0-rc2. losetup doesn't give its
> version number.
>
> --
> Robert Lummis
>



-- 
Robert Lummis
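
One way to structure the scripted luksOpen/luksClose workflow described in this thread so that a failed open never leaves the loop device attached. This is an added example, not part of the original posts; the function names are hypothetical, and passing the passphrase on stdin via `--key-file -` is an assumption about how the script feeds cryptsetup.

```bash
#!/usr/bin/env bash
# Added example; helper names are hypothetical, not from the thread.

# Attach FILE to the first free loop device and print the device path.
attach_loop() {
    losetup -f --show "$1"
}

# Open the LUKS container stored in FILE as /dev/mapper/NAME.
# If cryptsetup fails for any reason (wrong passphrase included), the
# loop device attached for this attempt is detached again before returning.
# Prints the loop device on success; returns cryptsetup's own exit status
# on failure so the caller can log or branch on it.
open_luks_file() {
    local file=$1 name=$2 pass=$3 loopdev rc=0
    loopdev=$(attach_loop "$file") || return 1

    # printf is a shell builtin, so the passphrase never appears in the
    # argument list of a separate process. '%s' adds no trailing newline,
    # which matters because key material read via --key-file is used as-is.
    printf '%s' "$pass" |
        cryptsetup luksOpen --key-file - "$loopdev" "$name" || rc=$?

    if [ "$rc" -ne 0 ]; then
        losetup -d "$loopdev"      # undo the attach from this attempt
        return "$rc"
    fi
    printf '%s\n' "$loopdev"
}

# Tear down in the reverse order of setup: mapping first, then loop device.
# The detach is attempted even if luksClose fails; the last failure is returned.
close_luks_file() {
    local name=$1 loopdev=$2 rc=0
    cryptsetup luksClose "$name" || rc=$?
    losetup -d "$loopdev" || rc=$?
    return "$rc"
}
```

The caller keeps the loop device path printed by `open_luks_file` and hands it back to `close_luks_file`, so the script never has to guess which `/dev/loopN` belongs to the container.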
