LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-21-2011, 11:48 AM   #1
sam42
LQ Newbie
 
Registered: Mar 2004
Posts: 20

Rep: Reputation: 3
cryptsetup luks key file


Hi,

I am testing out LUKS encryption of a partition.

cryptsetup luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 xyz

this works.

Also, with a key file instead of a manually entered passphrase:

cryptsetup luksFormat /dev/sdb1 /etc/mykeyfile
cryptsetup -d /etc/mykeyfile luksOpen /dev/sdb1 xyz

this works.

The confusion I have is that I can't mix and match passphrase and key file. As follows:

cryptsetup luksFormat /dev/sdb1 (using a manually entered passphrase)
cryptsetup -d /etc/mykeyfile luksOpen /dev/sdb1 xyz (using a key file, but fails)

this will fail with "No key available with this passphrase."

or

cryptsetup luksFormat /dev/sdb1 /etc/mykeyfile (using a key file)
cryptsetup luksOpen /dev/sdb1 xyz (using a manually entered passphrase)

fails.

So, what is contained inside a key file anyway? I have put the passphrase itself. I have tried both with and without newline characters.
Perhaps the contents of the key file should be something other than the passphrase? For example, an encrypted field?


CentOS Linux release 6.0 (Final)
Linux localhost.localdomain 2.6.32-71.29.1.el6.i686 #1 SMP Mon Jun 27 18:07:00 BST 2011 i686 i686 i386 GNU/Linux
 
Old 09-22-2011, 01:11 AM   #2
A.Thyssen
Member
 
Registered: May 2006
Location: Brisbane, Australia
Distribution: linux
Posts: 158

Rep: Reputation: 44
In cryptography there is a important difference in a binary cryptographic key and a user input passphrase (which is hashed to generate the key). The man page for cryptsetup is not however very clear on this difference and its relevance in the appropriate options. Probably best to use one method and not the other.

However as you are using LUKS form of encryption (the input passphrase or key, is only used to decode the actual cryptographic key stored in table) then it more likely that a keyfile and a passphrase are the same thing.

However it clear in the man page is that when a keyfile is used return characters will be treated as part of the input (or passphrase). On the other hand passphrase input will stop when a return character is given.

This in and of itself will be enough to make what you are doing fail, especially as most editors will ensure that the last line of any text file has a final newline!

Basically a 'keyfile' can contain a stronger passphase take a keyboard typeable key, but can take any binary sequence (including returns and nulls) as the input key. As such you may need to remove that fina newline from the keyfile.

One method to do that is...
tr -d '\012\015' < keyfile > keyfile_no_linefeeds



ASIDE: LUKS form of cryptography key indexing also will let you can change your phasephrase without needing to re-encrypt the whole disk. That is the passphrase can be changed without changing the actual cryptographic key used to encode the disks data. Similarly you can even have multiple (up to 8) different passphrases that can be used to mount the encrypted disk.

My notes on dmcrypt (yes my notes go that far back), cryptsetup, and LUKS cryptsetup...
http://www.ict.griffith.edu.au/antho..._dmcrypt.hints



PPS: I used to use cryptsetup a lot in storing encrypted data, though I have now moved to using "encfs", a directory level file encryption. I thoroughly recommend it over block level level, whole disk encryption, unless you plan to encrypt all the disks of your whole machine.

A directory-level encryption allows me to store my encrypted files 'in the cloud' (such as dropbox) or on USB drives, or on any other filesystem (NTFS, EXT4, VFAT, NFS, SSHFS, etc) I like. The encryption remains completely local to the system, and can be copied or transferred or synchronized to another storage device or system (cloud) without needing to actually decrypt the filesystem! With some effort you can even hide multiple encfs encryptions in the same data store to provide a level of plausible undeniably about exactly how much encrypted data there actually is (use of chaff and help prevent rubberhose attacks).

See my notes on using encfs
http://www.ict.griffith.edu.au/antho...to/encfs.hints

Last edited by A.Thyssen; 09-22-2011 at 01:13 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
cryptsetup - canīt open luks parittion - "no key available with this passphrase" ts0 Linux - Software 1 06-08-2013 11:46 AM
How to use key file instead of password for LUKS encrypted file systems? lucmove Linux - Security 2 06-30-2009 09:17 AM
luks cryptsetup and lvm question ruzzed Linux - Software 3 09-16-2007 07:21 PM
cryptsetup-luks question nomb Linux - Software 4 06-14-2007 10:22 AM
cryptsetup-luks error flying-tuxman Linux - Security 2 11-20-2006 11:08 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:58 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration