On Tue, Aug 14, 2012 at 05:19:43PM -0500, Kent Yoder wrote: > Hi, > > I recently came across some code that did this: > > cat binary_secret | cryptsetup luksFormat /dev/loop0 > > This appears to work (no message printed, exit status 0). > > What might not be obvious is that if binary_secret contains a '\n' > character, input gets truncated at this point. This is documented in the man-page of the current release under "NOTES ON PASSPHRASE PROCESSING FOR LUKS". > This is different > than > > cat binary_secret | cryptsetup luksFormat --key-file=- /dev/loop0 > > which will read all of binary_secret, regardless of whether there's > a \n in it or not. Indeed. Documented under the entry for "--key-file" in the current release man-page. > This difference seems subtle and could lead to truncation of the > secret. I agree. I tried to make very sure it is clear what is done on my man-page revision. > This should probably be clearer in the man page at a > minimum (see patch), but I think a warning is appropriate too. > Secret processing that stops at \n isn't appropriate for binary > data. And that is the thing here. A passphrase is _not_ binary data! Doing "cat binary_secret | cryptsetup luksFormat /dev/loop0" is inherently wrong. What you need to do is "cat file_with_passphrase_that_could_also_be_entered_interactively | cryptsetup luksFormat /dev/loop0" As to your patch, I am unable to match your patch to the current version of the man-page. Did you do a "git pull" before? May also be a problem on my side, please verify: > md5sum cryptsetup.8 4fd70bbd1018f95818902144499c2234 cryptsetup.8 Arno > Thanks, > Kent > > -- > IBM LTC Security > > > diff --git a/man/cryptsetup.8 b/man/cryptsetup.8 > index b9298a5..f8d7abb 100644 > --- a/man/cryptsetup.8 > +++ b/man/cryptsetup.8 > @@ -476,7 +476,8 @@ will quit with an error. > > If \-\-key-file=- is used for reading the key from stdin, no > trailing newline is stripped from the input. Without that option, > -cryptsetup strips trailing newlines from stdin input. > +cryptsetup stops reading from stdin when it encounters a newline, > +even if found in your binary key data! > .SH NOTES ON PASSWORD PROCESSING FOR LUKS > LUKS uses PBKDF2 to protect against dictionary attacks (see RFC 2898). > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > http://www.saout.de/mailman/listinfo/dm-crypt > -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision. -- Bertrand Russell _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
