> item "How do I read a LUKS slot key from file?" in the FAQ?
Understood. The point of my original query is that the procedure outlined in that FAQ _will not work_ if the key-file you provide has trailing bytes after the actual key part, as it does in my 2000key test file and as it will _always_ do if you're using a raw block device as your key file.
A workaround that works is to dd off the key into a separate file and use that new file as the argument for luksAddKey (and then be careful to shred -u the file afterward!). My patch adds the ability to handle this task internally within cryptsetup, without having to duplicate and subsequently destroy the extra copy of the key, and in a way that is consistent with the user interface of other luks operations.
On Tue, Sep 14, 2010 at 11:26 AM, Arno Wagner <arno@xxxxxxxxxxx> wrote:
On Tue, Sep 14, 2010 at 11:17:27AM -0400, Josh Litherland wrote:
> Hrm. That's not what I thought key-size was doing at all. I was imagining
> that it controlled how much of a key-file was read in and used for any
> operations that needed a passphrase. It certainly behaves in the way I
> expected when used with luksOpen... if I try to open with 2000key and no
> key-size param, it doesn't work.
That is done differently. May I direct your attention to the
item "How do I read a LUKS slot key from file?" in the FAQ?
(Found e.g. here:
http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions)
Arno
> The patch I sent makes luksAddKey work as I thought it was meant to, but
> it's entirely possible I broke some other aspect of it that I'm not using at
> the moment.
>
> Thank you for responding. =)
>
> On Tue, Sep 14, 2010 at 10:41 AM, Roscoe <eocsor@xxxxxxxxx> wrote:
>
> > On Tue, Sep 14, 2010 at 8:07 AM, Josh Litherland <josh@xxxxxxxxxxx> wrote:
> > > Using cryptsetup 1.1.0~rc2 from Ubuntu Lucid apt package. As an experiment,
> > > I have a 1000 byte key that I have in a file 1000key. I have another file
> > > 2000key which is the key followed by 1000 pad bytes. This works:
> > >
> > > # cryptsetup --key-file 1000key luksOpen /dev/loop0 cryptofs
> > >
> > > This also works:
> > >
> > > # cryptsetup --key-file 2000key --key-size 8000 luksOpen /dev/loop0 cryptofs
> > >
> > > This works too:
> > >
> > > # cryptsetup --key-file 1000key luksAddKey /dev/loop0
> > >
> > > But this bit doesn't work:
> > >
> > > # cryptsetup --key-file 2000key --key-size 8000 luksAddKey /dev/loop0
> > > No key available with this passphrase.
> > > #
> > >
> > > That is to say, the --key-size argument doesn't seem to be working with
> > > luksAddKey.
> > >
> > > Any suggestions ?
> >
> > --key-size should specify the size of the key used for
> > encryption/decryption, which is going to almost always be 112-512
> > bits.
> >
> > As this key is stored in the key slots and has a length described in
> > the header it doesn't make any sense to pass it to cryptsetup for any
> > of the luks commands other than luksFormat.
> >
> > Doesn't help your problem at all, though. It seems like you want it to
> > mean the amount of input to the PBKDF2 function.
> >
> > -- Roscoe
> >
>
>
>
> --
> Josh Litherland (josh@xxxxxxxxxxx)
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
--
Josh Litherland (josh@xxxxxxxxxxx)
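The dd-and-shred workaround described in the reply above, written out as an added example; it is not code from the thread, from the patch under discussion, or from the cryptsetup project. It copies exactly N bytes from a key source (a longer file such as 2000key, or a raw block device) into a mode-0600 temporary file, hands that file to luksAddKey, and shreds it whether or not cryptsetup succeeds. The CRYPTSETUP override, the function names and the 1000key/2000key sizes are assumptions made here so the logic can be exercised without root or a real LUKS device. For what it is worth, later cryptsetup releases added --keyfile-size and --new-keyfile-size for this exact purpose, so on a current system the temporary copy is unnecessary; the script is the workaround for the 1.1.x behaviour the thread is about.

```shell
#!/bin/sh
# Added example: feed luksAddKey an exact-length copy of a key that lives
# at the start of a larger file or a raw block device (cryptsetup 1.1.x
# ignores --key-size for luksAddKey, so the trailing bytes would become
# part of the passphrase otherwise).
set -eu

# extract_key SOURCE NBYTES DEST
# Copy the first NBYTES of SOURCE to DEST, refusing to continue on a short read.
extract_key() {
    src=$1; nbytes=$2; dest=$3
    # bs=1 keeps the count exact regardless of the source's block size;
    # the subshell confines the umask change so only DEST is affected.
    ( umask 077; dd if="$src" of="$dest" bs=1 count="$nbytes" 2>/dev/null )
    # A short source (fewer than NBYTES bytes) would silently yield a
    # different passphrase; treat that as an error.
    [ "$(wc -c < "$dest")" -eq "$nbytes" ]
}

# add_key_from_prefix DEVICE SOURCE NBYTES
# Add the first NBYTES of SOURCE as a new key slot on DEVICE via a temporary
# exact-length copy, then shred the copy. CRYPTSETUP may be overridden
# (assumption for this example; defaults to the real binary).
add_key_from_prefix() {
    dev=$1; src=$2; nbytes=$3
    tmp=$(mktemp "${TMPDIR:-/tmp}/luks-key.XXXXXX")   # created mode 0600
    status=0
    extract_key "$src" "$nbytes" "$tmp" || status=$?
    if [ "$status" -eq 0 ]; then
        "${CRYPTSETUP:-cryptsetup}" --key-file "$tmp" luksAddKey "$dev" || status=$?
    fi
    # Destroy the extra copy of the key even when cryptsetup failed;
    # fall back to rm where shred is unavailable.
    shred -u "$tmp" 2>/dev/null || rm -f "$tmp"
    return "$status"
}
```

Usage on a real system is `add_key_from_prefix /dev/loop0 /dev/sdb 1000` (as root, with /dev/sdb standing in for whatever raw device holds the key); the existing slot's passphrase is still requested interactively by luksAddKey as usual.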