dm-crypt.saout.de archive mirror
* [dm-crypt] Unattended generation/opening.
@ 2020-08-09  2:05 Diagon
  2020-08-09  7:46 ` Michael Kjörling
  2020-08-09  7:51 ` Milan Broz
  0 siblings, 2 replies; 3+ messages in thread
From: Diagon @ 2020-08-09  2:05 UTC (permalink / raw)
  To: dm-crypt

Could someone let me know what I'm doing wrong here?  I'm trying to do this in a script, but it doesn't work on the command line, either:

$ echo "lukssecpwd" | sudo cryptsetup -c twofish-xts-plain64 -s 512 luksFormat /dev/loop5 -
$ echo "lukssecpwd" | sudo cryptsetup open /dev/loop5 crypt.secret
No key available with this passphrase.

$ sudo cryptsetup luksDump /dev/loop5
LUKS header information for /dev/loop5

Version:       	1
Cipher name:   	twofish
Cipher mode:   	xts-plain64
Hash spec:     	sha256
Payload offset:	4096
MK bits:       	512
MK digest:     	ed e5 83 79 0a ba 5f 85 96 4b 37 c9 50 d6 4b 52 0a ad c3 ca 
MK salt:       	b7 53 d7 74 e8 26 e0 0c 94 39 62 8d 52 cd f1 0f 
               	e5 6b ae 04 e0 5a 3c 92 c7 1e fe c6 69 d5 3c 78 
MK iterations: 	60569
UUID:          	95b47c48-9b76-4403-b5c8-6c54298cb0c5

Key Slot 0: ENABLED
	Iterations:         	969108
	Salt:               	fb 4a a5 43 b3 e0 a8 5d 86 e9 c5 50 c0 42 7a b0 
	                      	3a 56 31 ac 1b 98 46 cb 93 2f 9f 3c 68 e8 3a 32 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED


Ubuntu 18.04
cryptsetup 2.0.2

/D


* Re: [dm-crypt] Unattended generation/opening.
  2020-08-09  2:05 [dm-crypt] Unattended generation/opening Diagon
@ 2020-08-09  7:46 ` Michael Kjörling
  2020-08-09  7:51 ` Milan Broz
  1 sibling, 0 replies; 3+ messages in thread
From: Michael Kjörling @ 2020-08-09  7:46 UTC (permalink / raw)
  To: dm-crypt

On 8 Aug 2020 19:05 -0700, from saout.boxy@xoxy.net (Diagon):
> Could someone let me know what I'm doing wrong here?  I'm trying to do this in a script, but it doesn't work on the command line, either:
> 
> $ echo "lukssecpwd" | sudo cryptsetup -c twofish-xts-plain64 -s 512 luksFormat /dev/loop5 -
> $ echo "lukssecpwd" | sudo cryptsetup open /dev/loop5 crypt.secret
> No key available with this passphrase.

Norepro on up-to-date Debian Buster with cryptsetup 2.1.0 (package
version 2:2.1.0-5+deb10u2) with kernel 4.19.0-10-amd64 (package
version 4.19.132-1) reporting build date 2020-07-24.

# truncate -s 100M /root/lukstest
# losetup -f /root/lukstest
# losetup -l
NAME       SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE      DIO LOG-SEC
/dev/loop0         0      0         0  0 /root/lukstest   0     512
# echo "lukssecpwd" | cryptsetup luksFormat /dev/loop0
# echo "lukssecpwd" | cryptsetup open /dev/loop0 lukstest.loop0
# ls -l /dev/mapper/lukstest.loop0
lrwxrwxrwx 1 root root 7 Aug  9 09:37 /dev/mapper/lukstest.loop0 -> ../dm-9
# cryptsetup close lukstest.loop0
# ls -l /dev/mapper/lukstest.loop0
ls: cannot access '/dev/mapper/lukstest.loop0': No such file or directory
#

Seems to work just fine all the way through.

Using echo to pipe the passphrase into luksFormat and then entering it
manually into the later cryptsetup open invocation also works fine for
me.

That said, maybe adding "--key-file -" and dropping the "-" from the
luksFormat command might help? If not, please try it again with
--debug and show us the output of that.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
 “Remember when, on the Internet, nobody cared that you were a dog?”


* Re: [dm-crypt] Unattended generation/opening.
  2020-08-09  2:05 [dm-crypt] Unattended generation/opening Diagon
  2020-08-09  7:46 ` Michael Kjörling
@ 2020-08-09  7:51 ` Milan Broz
  1 sibling, 0 replies; 3+ messages in thread
From: Milan Broz @ 2020-08-09  7:51 UTC (permalink / raw)
  To: Diagon, dm-crypt


On 09/08/2020 04:05, Diagon wrote:
> Could someone let me know what I'm doing wrong here?  I'm trying to do this in a script, but it doesn't work on the command line, either:
> 
> $ echo "lukssecpwd" | sudo cryptsetup -c twofish-xts-plain64 -s 512 luksFormat /dev/loop5 -

Remove that dash at the end of the line. It will switch to keyfile mode and the EOL character (\r) becomes part of the unlocking passphrase.

Alternatively you can do in format: echo -n "lukssecpwd"  ..

> $ echo "lukssecpwd" | sudo cryptsetup open /dev/loop5 crypt.secret

You will have to use "--key-file -" to do the same trick.

Read the man page section NOTES ON PASSPHRASE PROCESSING FOR LUKS.

Milan
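
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not cryptsetup code: it models the two stdin reading modes (passphrase mode strips the trailing newline, key-file mode keeps every byte) and compares the resulting key bytes for the original command pair and the three suggested fixes. The function names as_passphrase, as_keyfile and same_key are hypothetical, and no cryptsetup call is made.

```shell
#!/bin/sh
# Added example: models how the passphrase bytes differ between the two
# stdin modes. Function names are hypothetical; cryptsetup is not invoked.

# Passphrase mode (no key file given): input is read up to the first
# newline and that newline is stripped.
as_passphrase() { head -n 1 | tr -d '\n' | od -v -An -tx1 | tr -d ' \n'; }

# Key-file mode ("--key-file -", or the trailing "-" of luksFormat):
# every byte on stdin is key material, the trailing newline included.
as_keyfile() { od -v -An -tx1 | tr -d ' \n'; }

# Would a key set by one invocation unlock with the other?
same_key() { [ "$1" = "$2" ] && echo match || echo mismatch; }

# The thread's pair: luksFormat in key-file mode, open in passphrase mode.
format_key=$(echo "lukssecpwd" | as_keyfile)
open_key=$(echo "lukssecpwd" | as_passphrase)
original=$(same_key "$format_key" "$open_key")

# Fix 1: drop the trailing "-" so both commands use passphrase mode.
fix1=$(same_key "$(echo "lukssecpwd" | as_passphrase)" "$open_key")

# Fix 2: keep key-file mode on both sides ("--key-file -" on open).
fix2=$(same_key "$format_key" "$(echo "lukssecpwd" | as_keyfile)")

# Fix 3: send no newline in key-file mode (printf is the portable echo -n).
fix3=$(same_key "$(printf '%s' "lukssecpwd" | as_keyfile)" "$open_key")

printf 'format key bytes: %s\n' "$format_key"
printf 'open key bytes:   %s\n' "$open_key"
printf 'original: %s  fix1: %s  fix2: %s  fix3: %s\n' \
    "$original" "$fix1" "$fix2" "$fix3"
```

The trailing 0a in the format key bytes is the newline that echo appends; in an unattended script, whichever mode is chosen has to be the same for luksFormat and open.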

