[Replying to
http://thread.gmane.org/gmane.linux.gentoo.user/229533/focus=229542 ]

On 2010-05-05 08:00:43 GMT, Daniel Troeder wrote:
>On 05/05/2010 06:42 AM, Stefan G. Weichinger wrote:
>> On 04.05.2010 23:24, Daniel Troeder wrote:
>>
>>> I'm using sys-fs/cryptsetup-1.1.1_rc1 since 02.05.2010 and didn't have
>>> any issues.
>>> Please decrypt your partition from the command line, so we can see if it
>>> is a cryptsetup/luks/kernel problem or a pam_mount problem.
>>>
>>> Cmdline should be something like:
>>> $ sudo cryptsetup -d /etc/security/verysekrit.key luksOpen
>>> /dev/mapper/VG01-crypthome myhome
>>> Which should create /dev/mapper/myhome.
>>
>> My user sgw is currently not allowed to sudo this (should it be? it
>> never was).
>>
>> And for root it says "Kein Schlüssel mit diesem Passsatz verfügbar."
>> (German) which should be "No key available with this passphrase." in
>> English.
>That is a message from cryptsetup. As you are using openssl to get the
>key, I think the problem might be there.
>
>I followed the guide you linked here (website is down, but google-cache
>works:
>http://webcache.googleusercontent.com/search?q=cache:7eaSac72CoIJ:home.coming.dk/index.php/2009/05/20/encrypted_home_partition_using_luks_pam_+encrypted_home_partition_using_luks_pam&cd=2&hl=de&ct=clnk&gl=de&client=firefox-a)
>and it works for me (kernel is 2.6.33-zen2):
>
>lvcreate -n crypttest -L 100M vg0
>KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`
>echo $KEY | openssl aes-256-ecb > verysekrit.key
>openssl aes-256-ecb -d -in verysekrit.key

In my personal opinion, both the quality of shell commands and key
generation is suboptimal. What makes it bad is that people follow it.

First, it generates a key which does not exploit the entire space.
People claim it's because they want an ASCII readout, but frankly, you
get the same with `hexdump -C`.

Second, it's using echo without the -n parameter, thus implicitly
inserting a newline into the key -- which is the cause for your observed
mounting problems.

Third, because you are passing the key via stdin into cryptsetup, it
only uses the first line of whatever you pipe into it; whereas pam_mount
uses the entire keyfile as it is supposed to be.

(Fourth, the howto suggests ECB, which, well, looks rather weak
considering the ECB Tux picture on Wikipedia.)

All of that should be in doc/bugs.txt, and mount.crypt even warns about
ECB. You really cannot ignore seeing that.

Phew!
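The first three points of the reply (a key that does not use the whole byte space, `echo` smuggling a newline into the keyfile, and cryptsetup taking only the first line from stdin while pam_mount uses the whole file) can be reproduced without touching a LUKS volume. The script below is an added example written for this page, not code from the thread, from pam_mount or from cryptsetup. It uses only coreutils; `od -An -tx1` stands in for the `hexdump -C` readout mentioned in the reply because `od` is POSIX; the "first line" versus "whole file" behaviour is modelled with `head -n 1` and `cat` as the reply describes it, not by calling cryptsetup; the key string `constructed-demo-key` is a constructed value.

```shell
#!/bin/sh
# Added example, not code from the thread or from pam_mount/cryptsetup.
# Models the key-handling mistakes discussed above using coreutils only.
# /dev/urandom is the only randomness source and no LUKS device is touched.

# --- 1. Key generation --------------------------------------------------
# The guide's generator keeps only printable ASCII (94 symbols), so each
# byte carries log2(94) ~ 6.55 bits instead of 8. Note the quoted class:
# an unquoted [:graph:] is a shell glob.
make_key_graph() { tr -cd '[:graph:]' < /dev/urandom | head -c "$1"; }
# Full-byte alternative: raw bytes; read them as hex when you need to.
make_key_raw()   { head -c "$1" /dev/urandom; }
# Whole bits of entropy in an N-byte key from each generator.
key_bits() {  # $1 = graph|raw, $2 = byte count
    case "$1" in
        graph) awk -v n="$2" 'BEGIN { printf "%d\n", int(n * log(94) / log(2)) }' ;;
        raw)   echo $(( $2 * 8 )) ;;
    esac
}
# Hex readout of arbitrary bytes (what `hexdump -C` gives you as well).
hex_view() { od -An -tx1 -v | tr -d ' \n'; }

# --- 2. echo vs printf ---------------------------------------------------
# `echo "$KEY"` appends a newline, so the keyfile holds KEY followed by 0x0a.
write_keyfile() {  # $1 = echo|printf, $2 = key string, $3 = output path
    case "$1" in
        echo)   echo "$2" > "$3" ;;
        printf) printf '%s' "$2" > "$3" ;;
    esac
}
last_byte_hex() { tail -c 1 "$1" | od -An -tx1 | tr -d ' \n'; }

# --- 3. Who reads how much of the key -----------------------------------
# As the reply describes it: a passphrase piped into cryptsetup's stdin is
# taken up to the first newline, while pam_mount hands over the keyfile in
# full. Both readers are modelled here (assumption: head/cat stand in for
# the real tools). "same" means a volume formatted from the shell and one
# opened by pam_mount see the identical key; "differ" is the mismatch that
# ends in "No key available with this passphrase".
stdin_view()   { head -n 1 "$1" | tr -d '\n'; }
keyfile_view() { cat "$1"; }
keyfile_views_agree() {  # $1 = echo|printf
    tmp=$(mktemp)
    write_keyfile "$1" 'constructed-demo-key' "$tmp"   # constructed key
    if [ "$(stdin_view "$tmp" | hex_view)" = "$(keyfile_view "$tmp" | hex_view)" ]; then
        r=same
    else
        r=differ
    fi
    rm -f "$tmp"
    echo "$r"
}

# Stand-alone run: show the two outcomes and the entropy gap for 32 bytes.
printf 'keyfile written with echo:   %s\n' "$(keyfile_views_agree echo)"
printf 'keyfile written with printf: %s\n' "$(keyfile_views_agree printf)"
printf '32-byte key, graph generator: %s bits; raw bytes: %s bits\n' \
    "$(key_bits graph 32)" "$(key_bits raw 32)"
```

The `differ` result is exactly the situation in the thread: `cryptsetup luksFormat` run from the shell with the key on stdin never saw the trailing newline, pam_mount later decrypts the keyfile and presents the newline as part of the key, and LUKS rejects it. Writing the keyfile with `printf '%s'` (or raw bytes) makes both readers agree.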
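The fourth point, ECB, is the one the reply illustrates with the Wikipedia Tux picture: identical plaintext blocks encrypt to identical ciphertext blocks, so the structure of the input shows through. The script below is an added example written for this page, not code from the thread, the howto, or mount.crypt. It assumes the `openssl` command-line tool is installed; the key, the zero IV and the plaintext are constructed demo values. CBC is shown only as a contrast in which the same input produces no repeated blocks; the page makes no statement about which mode mount.crypt recommends.

```shell
#!/bin/sh
# Added example, not code from the thread: why ECB leaks structure.
# Requires the openssl CLI. Key, IV and plaintext are constructed demo
# values for this illustration only.
KEY_HEX=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
IV_HEX=00000000000000000000000000000000

# Four identical 16-byte blocks: the simplest possible "picture".
plaintext() {
    printf 'SAME-BLOCK-DATA!SAME-BLOCK-DATA!SAME-BLOCK-DATA!SAME-BLOCK-DATA!'
}

# Encrypt under the given mode and count the distinct 16-byte ciphertext
# blocks. -nopad keeps the output at exactly four blocks.
distinct_blocks() {  # $1 = ecb|cbc
    case "$1" in
        ecb) enc="openssl enc -aes-256-ecb -K $KEY_HEX -nopad" ;;
        cbc) enc="openssl enc -aes-256-cbc -K $KEY_HEX -iv $IV_HEX -nopad" ;;
        *)   echo "unknown mode: $1" >&2; return 1 ;;
    esac
    hex=$(plaintext | $enc | od -An -tx1 -v | tr -d ' \n')
    # One hex line per 16-byte block (32 hex digits), then count unique ones.
    printf '%s\n' "$hex" | fold -w 32 | sort -u | wc -l | tr -d ' '
}

# Stand-alone run (skipped silently when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    printf 'ECB: %s distinct block(s) out of 4\n' "$(distinct_blocks ecb)"
    printf 'CBC: %s distinct block(s) out of 4\n' "$(distinct_blocks cbc)"
fi
```

With ECB the four blocks collapse to a single distinct ciphertext block, which is the block-level version of the penguin outline surviving encryption; a keyfile encrypted this way reveals any repetition in the key material, which is one reason mount.crypt warns when it sees ECB.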