Peter_22@xxxxxx wrote:
> > Can you now decrypt the rootkey.gpg key file in both openSuSE text
> > console and in X windows? Or is it decryptable in knoppix and
> > encrypted-root-initrd only?
>
> Bad news! I checked it right now as you asked. The result is:
> rootkey was made in Knoppix 5.01 DVD
> default.kmap was taken from same Knoppix
> build-initrd.sh was run in SuSE 10.2 on AMD64 _without_ UTF8KEYBMODE=1
> losetup, loop.ko, gpg and such were taken from same SuSE
> encryption/decryption in Knoppix works fine
> booting from MicroSD works fine, too
> issuing losetup -e aes256 -K /<path>/rootkey /dev/loopX /dev/sdaX
> in SuSE 10.2 FAILS!!!

So Knoppix and SUSE use different default character encodings. Old version
of Knoppix CD that I have seems to default to ASCII mode. Maybe newer
Knoppix versions do the same. SUSE seems to default to UTF-8 mode.

You can set your text console keyboard to ASCII mode using "kbd_mode -a"
command and to UTF-8 mode using "kbd_mode -u" command. Issuing either of
those commands before you run gpg, losetup or something that requires a
passphrase, should fix it. For text console, that is. For X windows, those
commands may screw your keyboard setting really badly (haven't tested).

You don't need to run losetup to test if you can decrypt a key file. Just
run "gpg --decrypt <rootkey.gpg". If that works, then losetup works too.

> Yes, SuSE messed it up once again.

Different defaults, not necessarily messed up.

> Console (Alt+F1) says:
> The keyboard is in Unicode (UTF-8) mode

And in Knoppix it says "ASCII", which uses different encoding scheme for all
those öäåÖÄÅ or whatever characters.

> None decrypts the key! Might I load the default.kmap manually?

In text console, run "kbd_mode -a", and try again.

Remember this from earlier in this thread?

$ read x ; echo -n ${x} | od -Ax -tx1 -
123
000000 31 32 33
000003
$ read x ; echo -n ${x} | od -Ax -tx1 -
öäåÖÄÅµß
000000 f6 e4 e5 d6 c4 c5 b5 df
000008

Those hex numbers represent characters that you type. Whatever encoding is
used to represent characters, same encoding must be used when you encrypt
something using gpg, and when you attempt to decrypt an encrypted file.
Those hex bytes are used to derive symmetric encryption key, or in case of
public key crypto, they are used to derive a key to decrypt your private
keyring data. If hex representations of characters in your passphrase are
different, then it is guaranteed to fail.

That UTF8KEYBMODE=1 in build-initrd.sh config puts keyboard to UTF-8 mode
before passphrase is typed to losetup program. So, previously an initrd
created by build-initrd.sh only worked in ASCII keyboard mode, but now
build-initrd.sh lets you configure it either way.

UTF8KEYBMODE=0 means ASCII keyboard mode.
UTF8KEYBMODE=1 means UTF-8 keyboard mode.

--
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
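Added example, not part of the original message or of loop-AES: it reproduces the byte difference from the od session above for the same key presses in the two keyboard modes, and shows that a key derived from those bytes no longer matches. Assumptions: the 8-bit ("kbd_mode -a") bytes are ISO-8859-1, as the f6 e4 e5 ... dump indicates; PBKDF2 with a constructed salt stands in for the real key derivation (it is not gpg's S2K); all function names are hypothetical.

```python
import hashlib

# Constructed sample: the non-ASCII passphrase from the od session,
# written with escapes so the source file encoding cannot alter it.
SAMPLE = "\xf6\xe4\xe5\xd6\xc4\xc5\xb5\xdf"

def typed_bytes(passphrase: str, utf8_mode: bool) -> bytes:
    """Bytes a program reads for the same key presses in each keyboard mode.
    Assumption: the 8-bit (kbd_mode -a) keymap emits ISO-8859-1."""
    return passphrase.encode("utf-8" if utf8_mode else "latin-1")

def derive_key(raw: bytes) -> str:
    """Stand-in KDF (PBKDF2-SHA256, constructed salt); NOT gpg's S2K."""
    return hashlib.pbkdf2_hmac("sha256", raw, b"constructed-salt", 1000).hex()

def classify(raw: bytes) -> str:
    """Guess which keyboard mode produced captured passphrase bytes."""
    if all(b < 0x80 for b in raw):
        return "ascii-only"  # identical bytes in both modes, always safe
    try:
        raw.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "8-bit"

def other_mode_bytes(raw: bytes) -> bytes:
    """Bytes the other keyboard mode would have sent for the same keys.
    Raises UnicodeEncodeError if a character has no ISO-8859-1 form."""
    kind = classify(raw)
    if kind == "utf-8":
        return raw.decode("utf-8").encode("latin-1")
    if kind == "8-bit":
        return raw.decode("latin-1").encode("utf-8")
    return raw

if __name__ == "__main__":
    for text in ("123", SAMPLE):
        for utf8 in (False, True):
            raw = typed_bytes(text, utf8)
            print("kbd_mode", "-u" if utf8 else "-a", classify(raw),
                  raw.hex(" "), "key:", derive_key(raw)[:16])
```

A passphrase that classifies as "ascii-only" decrypts under either UTF8KEYBMODE setting; anything else is tied to the mode in which it was first typed.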