Hey,

On 28/12/2008 mum laris wrote:
> I've used till now dm-crypt with another partition typing the password
> at boot; it's perfectly! Now I'd like to encrypt another one and mount
> it only if the first crypto-device is mounted.
> So I've created it, and added the key.file in a directory of the first
> encrypted device, but... It doesn't work!
>
> I've checked:
> - hashalot with rmd160compat. ripemd160, rmd160 of my password with 32 bytes
> is the same output I get from:
>
> - dmsetup table --showkeys new_partition
>
> But if I put this output in the key.file (with a new line at the end
> of it), during the partition mapping something goes wrong, so I
> receive always a "wrong fs type" during mount operation of mapped
> device (but it works perfectly if I put the password by hand).

if you want to read the passphrase from a keyfile, then you need to read
the keyfile from stdin:

# cat key.file | cryptsetup create new_partition /dev/path/partition

if you remove the trailing newline from the keyfile, you can even do the
following:

# cat key.file | cryptsetup create new_partition /dev/path/partition --key-file=-

keyfile is not meant to keep the hashed version of your passphrase,
keyfile may be any file. the most secure way to use a keyfile is to fill
it up with random data, i.e. from /dev/random.

if you give the keyfile as argument with --key-file=key.file then it's
processed differently. would need to look at the code to tell you the
exact difference.

> Moreover:
>
> - cryptsetup status new_partition
>
> says it's normally active, also if it's not "mount ready"!

plain dm-crypt has no headers on the encrypted partition, and no check
for correct passphrase/keyfile implemented. thus the mapping is always
setup, regardless whether the correct passphrase/keyfile was provided.
only way to check for success is to check the result (i.e. whether the
expected filesystem is on the dm-crypt mapping).

greetings,
 jonas

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
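
The check described in the reply above, as an added example that is not part of the original mail: because plain dm-crypt always sets up the mapping, the script looks for the expected filesystem on it before mounting. It assumes the filesystem is ext2/3/4 (superblock magic 0xEF53 at byte offset 1080); the function names and exit codes are hypothetical.

```shell
#!/bin/sh
# Added example: verify a plain dm-crypt mapping before mounting it.
# Assumption: the encrypted filesystem is ext2/3/4.

# Return 0 if the file ends with a newline byte (0x0a). The reply's
# "--key-file=-" form expects the keyfile without that trailing newline.
keyfile_has_trailing_newline() {
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Return 0 if the device or image carries the ext2/3/4 superblock magic:
# 0xEF53 stored little-endian at offset 1080 (superblock at 1024, field at +56).
has_ext_magic() {
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null \
            | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# Map the partition with the passphrase read from stdin (first form in the
# reply), then mount only if the decrypted data looks like the expected fs.
# Exit codes (hypothetical): 1 = mapping failed, 2 = wrong key or wrong fs.
open_and_mount() {
    name=$1; dev=$2; keyfile=$3; mnt=$4

    if keyfile_has_trailing_newline "$keyfile"; then
        echo "note: $keyfile ends with a newline" >&2
    fi

    cat "$keyfile" | cryptsetup create "$name" "$dev" || return 1

    # "cryptsetup status" would report the mapping as active either way,
    # so inspect the decrypted contents instead.
    if ! has_ext_magic "/dev/mapper/$name"; then
        echo "error: no ext filesystem on /dev/mapper/$name," \
             "wrong passphrase/keyfile?" >&2
        cryptsetup remove "$name"
        return 2
    fi

    mount "/dev/mapper/$name" "$mnt"
}

# Usage (as root), with the names used in the thread:
#   open_and_mount new_partition /dev/path/partition key.file /mnt/point
```

For filesystems other than ext2/3/4, `blkid /dev/mapper/new_partition` can take the place of `has_ext_magic`.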