| 1 |
[Replying to |
| 2 |
http://thread.gmane.org/gmane.linux.gentoo.user/229533/focus=229542 ] |
| 3 |
|
| 4 |
On 2010-05-05 08:00:43 GMT, Daniel Troeder wrote: |
| 5 |
>On 05/05/2010 06:42 AM, Stefan G. Weichinger wrote: |
| 6 |
>> Am 04.05.2010 23:24, schrieb Daniel Troeder: |
| 7 |
>> |
| 8 |
>>> I'm using sys-fs/cryptsetup-1.1.1_rc1 since 02.05.2010 and didn't have |
| 9 |
>>> any issues. |
| 10 |
>>> Please decrypt your partition from the command line, so we can see if it |
| 11 |
>>> is a cryptsetup/luks/kernel problem or a pam_mount problem. |
| 12 |
>>> |
| 13 |
>>> Cmdline should something like: |
| 14 |
>>> $ sudo cryptsetup -d /etc/security/verysekrit.key luksOpen |
| 15 |
>>> /dev/mapper/VG01-crypthome myhome |
| 16 |
>>> Which should create /dev/mapper/myhome. |
| 17 |
>> |
| 18 |
>> My user sgw is currently not allowed to sudo this (should it be? it |
| 19 |
>> never was). |
| 20 |
>> |
| 21 |
>> And for root it says "Kein Schlüssel mit diesem Passsatz verfügbar." |
| 22 |
>> (german) which should be "No key available with this passphrase." in |
| 23 |
>> english. |
| 24 |
>That is a message from cryptsetup. As you are using openssl to get the |
| 25 |
>key, I think the problem might be there. |
| 26 |
> |
| 27 |
>I followed the guide you linked here (website is down, but google-cache |
| 28 |
>works: |
| 29 |
>http://webcache.googleusercontent.com/search?q=cache:7eaSac72CoIJ:home.coming.dk/index.php/2009/05/20/encrypted_home_partition_using_luks_pam_+encrypted_home_partition_using_luks_pam&cd=2&hl=de&ct=clnk&gl=de&client=firefox-a) |
| 30 |
>and it works for me (kernel is 2.6.33-zen2): |
| 31 |
> |
| 32 |
>lvcreate -n crypttest -L 100M vg0 |
| 33 |
>KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79` |
| 34 |
>echo $KEY | openssl aes-256-ecb > verysekrit.key |
| 35 |
>openssl aes-256-ecb -d -in verysekrit.key |
| 36 |
|
| 37 |
In my personal opinion, both the quality of shell commands and key |
| 38 |
generation is suboptimal. What makes it bad is that people follow it. |
| 39 |
|
| 40 |
First, it generates a key which does not exploit the entire space. |
| 41 |
People claim it's because they want an ASCII readout, but frankly, you |
| 42 |
get the same with `hexdump -C`. |
| 43 |
|
| 44 |
Second, it's using echo without the -n parameter, thus implicitly |
| 45 |
inserting a newline into the key -- which is the cause for yoru observed |
| 46 |
mounting problems. |
| 47 |
|
| 48 |
Third, because you are passing the key via stdin into cryptsetup, it |
| 49 |
only uses the first line of whatever you pipe into it; whereas pam_mount |
| 50 |
uses the entire keyfile as it is supposed to be. |
| 51 |
|
| 52 |
(Fourth, the howto suggests ECB, which, well, looks rather weak |
| 53 |
considering the ECB's Tux picture on Wikipedia.) |
| 54 |
|
| 55 |
All of that should be in doc/bugs.txt, and mount.crypt even warns about |
| 56 |
ECB. You really cannot ignore seeing that. |
| 57 |
|
| 58 |
Phew! |
Archives