On Thu, Dec 02, 2010 at 10:44:25PM +0100, Miklos Bagi wrote: > > Mh, I'm not really sure what you mean with "salt" here. > > > > To set up a dm-crypt mapping you need a (block)cipher, a key, and a > > (underlying) device. > > If you set up a CBC-ESSIV (Encrypted Salt-Sector IV) cipher, there is > > something like a salt (although this is more or less a misnomer) > > involved, but this is deduced from the key. > > So, you don't need an explicit salt to set up a dm-crypt mapping if you > > know the key (called master key in LUKS context). > Correct, this I can check when I luksDump my partition information: MK > bits, MK digest, MK salt. > The one I was talking about is in a key slot (same luksDump provides the > info), and comes with iterations, key material offset and AF stripes. > When I initialize my partition with cryptsetup --create, I see no way > determining whether these details are matching, so I might be "reading" > the whole partition wrong. ... > I sense there might be a diff in terminology here. By master key I mean > the one particular file provided to cryptsetup luksFormat <my_device> > <key_file>, and used primarily to provide better security and at the > same time avoid the requirement to enter passphrase. All right, then we indeed have a difference in terminology here. Since you explicitely claimed to "have the master key file available" I assumed you were aware of the terminology. What you have is not the master key but a key to unlock a LUKS keyslot, i.e. a key the master key is derived from. The information you claimed to have in your first mail (chipher, keysize, offset, and key file) are not sufficient in this case. To derive the master key (used to en/decrypt your data) from your key you mandatorily need the salt and iterations of the respective key slot. If you don't have that, you are definitely lost. However, when you can luksDump your partition information (as you state above) or when you have an older luksDump output available, you have all the information required to restore the LUKS header, including the mentioned salt and iterations. On Thu, Dec 02, 2010 at 10:53:24PM +0100, Miklos Bagi wrote: > I've been playing around with setting it up a couple of ways, no luck yet. > The one most looking like the most "valid" to me at this stage is: > #cryptsetup create crypt-test-sda1 /dev/sda1 -d <keyfile> -o 2056 > cipher, keysize, etc are detected properly - but xfs finds no supblock. `cryptsetup create' does not detect anything, it just uses default values for all the parameters you did not specify explicitely. And the mappings it creates do all look equally "valid" - i.e. the mapping it creates decrypts your partition to something... mostly more or less random looking data. PS: I re-added dm-crypt@ back to CC: regards Mario -- I've never been certain whether the moral of the Icarus story should only be, as is generally accepted, "Don't try to fly too high," or whether it might also be thought of as, "Forget the wax and feathers and do a better job on the wings." -- Stanley Kubrick
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
