From: Hualing Yu <hualing.yu@jci.com>
To: Ondrej Kozina <okozina@redhat.com>,
	"dm-crypt@saout.de" <dm-crypt@saout.de>
Subject: Re: [dm-crypt] 10 M Luks2 header size?
Date: Mon, 4 Nov 2019 14:59:18 +0000	[thread overview]
Message-ID: <CH2P132MB0187684C805E914A8A4F67F1877F0@CH2P132MB0187.NAMP132.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <cc9faed6-b9bd-2f59-9797-67340fe7db72@redhat.com>

Hi Ondrej,

Yes, I can read the key content, though it seems not to be automatically used to activate (open) the LUKS partition it is assigned to.

However, after I did 'keyctl link @us @s',

then 'cryptsetup luksOpen' didn't prompt for a passphrase but directly activated the partition (it shows up under /dev/mapper/).

It seems the auto-activation needs to have the key in the session keyring, not just the user-session keyring, whereas the man page says it only needs to be in either @u or @us.

I can add this keyring link command every time I try to open LUKS, but I want to know whether we are supposed to do so or whether this indicates something is wrong.

Thanks,

Hualing

-----Original Message-----
From: Ondrej Kozina [mailto:okozina@redhat.com]
Sent: Monday, November 04, 2019 5:34 AM
To: dm-crypt@saout.de
Cc: Hualing Yu <hualing.yu@jci.com>
Subject: Re: [dm-crypt] 10 M Luks2 header size?

On 11/3/19 4:33 AM, Hualing Yu wrote:
> Hi Milan
>
> We have a problem now 8-)
>
> I did 'cryptsetup format' at initramfs, where I also 'add token' to
> luks passphrase slot 0.
>
> It seems to work as expected in later luksOpen (without asking me for a
> passphrase) when still in initramfs, even on the next run after a power cycle
> reboot. However, after it runs to normal rootfs, when I try to do
> luksOpen still as root user, it asks for a passphrase.
>
> I can see my passphrases are in both the @u and @us keyrings, both at
> initramfs time and when running as root in normal Linux. However, in
> initramfs, my passphrases are also in @s, which is probably why at
> initramfs time I can auto-activate (open) my LUKS partitions.
>
> Cryptsetup man page says:
>
> token <add|remove> <device>
>
>     Adds a new keyring token to enable auto-activation of the device. For the
>     auto-activation, the passphrase must be stored in keyring with the specified
>     description. Usually, the passphrase should be stored in user or user-session
>     keyring. The token command is supported only for LUKS2.
>
> My passphrases are in both user and user-session keyrings; maybe I
> just ran into some unusual case where passphrases also need to be in the
> session keyring. Do you know what the reason is?

Maybe the key is unreachable from your current session after switching out from initramfs. Can you read the key payload with the "keyctl read <your_key>" command?

Regards O.
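
A shell check for the keyring visibility problem discussed in this thread, added here as an example; it is not code from the thread's participants or from cryptsetup. It assumes keyutils' keyctl is installed, that the token key is a "user" type key, and that the key description passed in is a placeholder for the one given to 'cryptsetup token add'.

```shell
#!/bin/sh
# Added example, not code from the thread or from cryptsetup.
# Assumes keyutils' keyctl is available and that the token's key is a
# "user" type key; the description passed in is a placeholder.
KEYCTL=${KEYCTL:-keyctl}

# key_reachable RING DESC: succeed if a "user" key named DESC can be
# found by a (recursive) search starting from RING (@u, @us, @s, ...).
key_reachable() {
    "$KEYCTL" search "$1" user "$2" >/dev/null 2>&1
}

# diagnose DESC: print "ok" when the key is reachable from the session
# keyring (the case in which luksOpen did not prompt in the thread),
# "link-needed" when it is only in @u/@us (the case that prompted), or
# "missing" when it is in neither.
diagnose() {
    if key_reachable @s "$1"; then
        echo ok
    elif key_reachable @u "$1" || key_reachable @us "$1"; then
        echo link-needed
    else
        echo missing
    fi
}

# remediate DESC: apply the thread's workaround ('keyctl link @us @s')
# only when the key exists but is not reachable from @s.
remediate() {
    case $(diagnose "$1") in
        ok) ;;
        link-needed) "$KEYCTL" link @us @s ;;
        *) return 1 ;;
    esac
}

# Usage: ./keyring-check.sh <token-key-description>
if [ -n "${1:-}" ]; then
    remediate "$1" && diagnose "$1"
fi
```

Run it before luksOpen to see whether the token key is visible from the session keyring; it only links @us into @s when the key is present but unreachable from @s.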
