From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wm0-f47.google.com (mail-wm0-f47.google.com [74.125.82.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.server123.net (Postfix) with ESMTPS for ; Tue, 7 Nov 2017 22:34:45 +0100 (CET) Received: by mail-wm0-f47.google.com with SMTP id b9so6890326wmh.0 for ; Tue, 07 Nov 2017 13:34:45 -0800 (PST) MIME-Version: 1.0 In-Reply-To: <663a9d3d-28d2-a913-8bb3-7d949464b9b0@gmail.com> References: <663a9d3d-28d2-a913-8bb3-7d949464b9b0@gmail.com> From: Jan Tulak Date: Tue, 7 Nov 2017 22:34:23 +0100 Message-ID: Content-Type: text/plain; charset="UTF-8" Subject: Re: [dm-crypt] Can I test for LUKS passphrase strength without formatting a device? List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Milan Broz Cc: dm-crypt@saout.de On Tue, Nov 7, 2017 at 7:45 PM, Milan Broz wrote: > On 11/07/2017 05:51 PM, Jan Tulak wrote: >> Is it possible to test whether a passphrase is strong enough (and >> luksFormat will accept it), without the need to really create a device >> with this passphrase? I ask because I want to test the password before >> I run a sequence of commands and I don't want them to fail in the >> middle just because of a weak passphrase. > > Cryptsetup/LUKS does not itself enforce any passphrase quality, it is libpwquality > that libcryptsetup can be linked to (optionally, we use it in all Red Hat distros). > > See man for pwquality library (the idea is to enforce password policy for the whole > distro, so it uses configuration pwquality file). > >> I checked for the --test-passphrase, but that verifies if the >> passphrase would decrypt an existing device, which is not what I want. > > This tests only LUKS, pwquality is called only in Format. > > m. Ah, thanks for directing me the right way. :-) Cheers, Jan