On Tue, Sep 14, 2010 at 11:22:07AM -0400, Josh Litherland wrote:
> If anyone's interested, the point of all this is that I ultimately want to
> use a USB thumb drive as my key-file; not from a file, but raw from the
> device itself. I obviously can't constrain the size of the device, so I
> need to be able to only read the known length of the passphrase off it.
> Strictly speaking this is only required for luksOpen (which is working as
> desired without my patch), but I discovered the surprising (to me) behavior
> of luksAddKey whilst setting it up.

You can do the following:

  head -c <keylength> <usbdev> | cryptsetup <lukscommand> --key-file - ...

Note that luksAddKey has a different syntax for using a
passphrase from file, see the FAQ.

Arno

> On Tue, Sep 14, 2010 at 11:17 AM, Josh Litherland <josh@xxxxxxxxxxx> wrote:
>
> > Hrm. That's not what I thought key-size was doing at all. I was imagining
> > that it controlled how much of a key-file was read in and used for any
> > operations that needed a passphrase. It certainly behaves in the way I
> > expected when used with luksOpen... if I try to open with 2000key and no
> > key-size param, it doesn't work.
> >
> > The patch I sent makes luksAddKey work as I thought it was meant to, but
> > it's entirely possible I broke some other aspect of it that I'm not using at
> > the moment.
> >
> > Thank you for responding. =)
> >
> >
> > On Tue, Sep 14, 2010 at 10:41 AM, Roscoe <eocsor@xxxxxxxxx> wrote:
> >
> >> On Tue, Sep 14, 2010 at 8:07 AM, Josh Litherland <josh@xxxxxxxxxxx> wrote:
> >> > Using cryptsetup 1.1.0~rc2 from Ubuntu Lucid apt package. As an experiment,
> >> > I have a 1000 byte key that I have in a file 1000key. I have another file
> >> > 2000key which is the key followed by 1000 pad bytes. This works:
> >> >
> >> > # cryptsetup --key-file 1000key luksOpen /dev/loop0 cryptofs
> >> >
> >> > This also works:
> >> >
> >> > # cryptsetup --key-file 2000key --key-size 8000 luksOpen /dev/loop0 cryptofs
> >> >
> >> > This works too:
> >> >
> >> > # cryptsetup --key-file 1000key luksAddKey /dev/loop0
> >> >
> >> > But this bit doesn't work:
> >> >
> >> > # cryptsetup --key-file 2000key --key-size 8000 luksAddKey /dev/loop0
> >> > No key available with this passphrase.
> >> > #
> >> >
> >> > That is to say, the --key-size argument doesn't seem to be working with
> >> > luksAddKey.
> >> >
> >> > Any suggestions ?
> >>
> >> --key-size should specify the size of the key used for
> >> encryption/decryption, which is going to almost always be 112-512
> >> bits.
> >>
> >> As this key is stored in the key slots and has a length described in
> >> the header it doesn't make any sense to pass it to cryptsetup for any
> >> of the luks commands other than luksFormat.
> >>
> >> Doesn't help your problem at all, though. It seems like you want it to
> >> mean the amount of input to the PBKDF2 function.
> >>
> >> -- Roscoe
> >>
> >
> >
> >
> > --
> > Josh Litherland (josh@xxxxxxxxxxx)
> >
>
>
> --
> Josh Litherland (josh@xxxxxxxxxxx)
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
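
Added example, not part of the original thread and not cryptsetup's own code: a wrapper around the head -c approach from the reply that refuses to emit a key when the source holds fewer bytes than the expected key length, checked against constructed files that mirror 1000key and 2000key. The helper names (key_prefix, make_samples, prefix_matches) and /dev/sdX are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. key_prefix, make_samples and
# prefix_matches are hypothetical helper names, not part of cryptsetup.

# Write exactly LEN bytes from the start of SRC (raw device or file) to
# stdout. Key bytes are only ever piped, never held in a shell variable,
# because variables cannot carry NUL bytes.
key_prefix() {
    src=$1; len=$2
    case $len in ''|*[!0-9]*) echo "length must be a number" >&2; return 2 ;; esac
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # Check the available length first so a short source (wrong or truncated
    # device) is rejected before any partial key is emitted.
    got=$(( $(head -c "$len" "$src" | wc -c) ))
    if [ "$got" -ne "$len" ]; then
        echo "short read: wanted $len bytes, got $got" >&2
        return 1
    fi
    head -c "$len" "$src"
}

# Constructed sample data mirroring the thread: 1000key is the key and
# 2000key is the same key followed by 1000 pad bytes.
make_samples() {
    head -c 1000 /dev/urandom > "$1/1000key"
    { cat "$1/1000key"; head -c 1000 /dev/urandom; } > "$1/2000key"
}

# Succeeds only if the first LEN bytes of SRC are identical to KEYFILE.
prefix_matches() {  # usage: prefix_matches SRC LEN KEYFILE
    key_prefix "$1" "$2" | cmp -s - "$3"
}

# With a real device (/dev/sdX is a placeholder) the helper replaces the
# bare head call in the pipeline from the reply:
#   key_prefix /dev/sdX 1000 | cryptsetup --key-file - luksOpen /dev/loop0 cryptofs
```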