Ondrej Kozina:
> On 09/14/2018 02:21 AM, procmem wrote:
>>
>>
>> Guilhem Moulin:
>>> On Thu, 13 Sep 2018 at 14:22:00 +0000, procmem wrote:
>>>> Ondrej Kozina:
>>>>> Well, this sounds like a bug. Could you please provide us with debug
>>>>> output for failing command trying to luksConvertKey that particular
>>>>> keyslot?
>>>>
>>>> Sure thing but I don't know how to access initramfs command history.
>>>> Unlike a booted-up environment there is no opportunity to scroll and
>>>> select entire output for saving.
>>>
>>> You can redirect the output to a file under /run/initramfs. /run is
>>> moved to the rootfs at init-bottom stage, shortly before the execution
>>> is turned over to the `init` binary, so content added at early boot
>>> stage will also be available later during the boot process.
>>>
>>> (Again, assuming your initramfs comes from initramfs-tools, which is
>>> the default in Debian — and I guess its derivatives.)
>>>
>>
>> OK here are the contents of the redirected output:
>>
>
> Are you sure your keyslot 1 is active? The only way I can reproduce the
> same cryptic failure is with my keyslot passed in params being inactive.
> It's a bug because cryptsetup cli should emit a proper error message about
> it.
>
> New issue: https://gitlab.com/cryptsetup/cryptsetup/issues/416
>
> O.

Indeed that was it. My bad. I was blindly typing in the same command that
designated the non-existent keyslot 1 while the key was in 0. Nonetheless a
clearer error message should help.

This command did work from initramfs:

cryptsetup luksConvertKey --key-slot 0 --pbkdf argon2id --pbkdf-force-iterations 50 --pbkdf-memory 1048576 --pbkdf-parallel 4 <device>

Verified that the header data was changed as intended after boot. Also noticed
a nice delay after entering passphrases now. That should throw a big fat wrench
in brute-forcing efforts ;)

sudo cryptsetup luksDump --debug /dev/vda5
# cryptsetup 2.0.4 processing "cryptsetup luksDump --debug /dev/vda5"
# Running command luksDump.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/vda5.
# Trying to open and read device /dev/vda5 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/vda5.
# Crypto backend (gcrypt 1.8.3) initialized in cryptsetup library version 2.0.4.
# Detected kernel Linux 4.17.0-3-amd64 x86_64.
# Loading LUKS2 header (repair disabled).
# Opening lock resource file /run/cryptsetup/L_254:5
# Acquiring read lock for device /dev/vda5.
# Verifying read lock handle for device /dev/vda5.
# Device /dev/vda5 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/vda5
# Veryfing locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:267f3c4bc0b36cb98e99bc1f32066d9e8843c2977a65df04c43c2f474aca3efc (on-disk)
# Checksum:267f3c4bc0b36cb98e99bc1f32066d9e8843c2977a65df04c43c2f474aca3efc (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Opening locked device /dev/vda5
# Veryfing locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:70714e66fa9d9913bb85191a96cb5f4348d349a716b9c4a8dd297fe02431fc56 (on-disk)
# Checksum:70714e66fa9d9913bb85191a96cb5f4348d349a716b9c4a8dd297fe02431fc56 (in-memory)
# Device size 53429141504, header size 2097152.
# Device /dev/vda5 READ lock released.
# Only 2 active CPUs detected, PBKDF threads decreased from 4 to 2.
# Not enough physical memory detected, PBKDF max memory decreased from 1048576kB to 506360kB.
# PBKDF argon2i, hash sha256, time_ms 2000 (iterations 0), max_memory_kb 506360, parallel_threads 2.
# {
  "keyslots":{
    "0":{
      "type":"luks2",
      "key_size":64,
      "kdf":{
        "type":"argon2id",
        "time":50,
        "memory":506360,
        "cpus":2,
        "salt":"3K2QS1LyYWoQiVXz2sVfqYoRFgLNj8YOQUnj7PJacgg="
      },
      "af":{
        "type":"luks1",
        "hash":"sha256",
        "stripes":4000
      },
      "area":{
        "type":"raw",
        "encryption":"aes-xts-plain64",
        "key_size":64,
        "offset":"32768",
        "size":"258048"
      }
    }
  },
  "tokens":{
  },
  "segments":{
    "0":{
      "type":"crypt",
      "offset":"2097152",
      "iv_tweak":"0",
      "size":"dynamic",
      "encryption":"aes-xts-plain64",
      "sector_size":512
    }
  },
  "digests":{
    "0":{
      "type":"pbkdf2",
      "keyslots":[
        "0"
      ],
      "segments":[
        "0"
      ],
      "hash":"sha256",
      "salt":"fXVLOCzOBLq+mYHHGE7Z6gTDcBZue\/N0ksKl2siGj1c=",
      "digest":"kogLEtiHWaQBJQipVN9wMawxi28=",
      "iterations":64503
    }
  },
  "config":{
    "json_size":"12288",
    "keyslots_size":"2064384"
  }
}
LUKS header information
Version:        2
Epoch:          3
Metadata area:  12288 bytes
UUID:           fd28a001-e2a1-46dc-8e6c-99f0a55b1851
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 2097152 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  50
        Memory:     506360
        Threads:    2
        Salt:       dc ad 90 4b 52 f2 61 6a 10 89 55 f3 da c5 5f a9
                    8a 11 16 02 cd 8f c6 0e 41 49 e3 ec f2 5a 72 08
        AF stripes: 4000
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 64503
        Salt:       7d 75 4b 38 2c ce 04 ba be 99 81 c7 18 4e d9 ea
                    04 c3 70 16 6e 7b f3 74 92 c2 a5 da c8 86 8f 57
        Digest:     92 88 0b 12 d8 87 59 a4 01 25 08 a9 54 df 70 31
                    ac 31 8b 6f
# Releasing crypt device /dev/vda5 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command successful.
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
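The two things this thread turns on, an inactive keyslot number silently producing a cryptic luksConvertKey failure and the host clamping the requested argon2id parameters (threads 4 to 2, memory 1048576kB to 506360kB in the debug output above), can both be caught before the conversion is run. The following pre-flight script is an added example, not code from cryptsetup or from anyone in the thread. It parses the LUKS2 JSON metadata as printed by `luksDump --debug` (the header from this page is embedded as a constructed sample), refuses to build a luksConvertKey command line for a slot the header does not contain, and predicts the clamped parameters. The thread-clamp to online CPUs is read straight from the debug line; the memory clamp to half of physical RAM is an assumption inferred from the 506360 of 1048576 kB granted, and the function names and the `phys_mem_kb`/`online_cpus` parameters are this example's own.

```python
"""Pre-flight check for `cryptsetup luksConvertKey` on a LUKS2 header.

Added example; not cryptsetup's own code.  Parses the JSON metadata that
`cryptsetup luksDump --debug` prints (newer releases also expose it via
`luksDump --dump-json-metadata`), rejects inactive keyslots with a clear
message, and predicts how the host will clamp Argon2 parameters.
"""
import json
import os

# Constructed sample: the header dumped on this page, key_size/area/digest
# fields included verbatim.  Only keyslot 0 exists, which is the bug trigger.
SAMPLE_METADATA = r'''
{ "keyslots":{ "0":{ "type":"luks2", "key_size":64,
      "kdf":{ "type":"argon2id", "time":50, "memory":506360, "cpus":2,
              "salt":"3K2QS1LyYWoQiVXz2sVfqYoRFgLNj8YOQUnj7PJacgg=" },
      "af":{ "type":"luks1", "hash":"sha256", "stripes":4000 },
      "area":{ "type":"raw", "encryption":"aes-xts-plain64", "key_size":64,
               "offset":"32768", "size":"258048" } } },
  "tokens":{ },
  "segments":{ "0":{ "type":"crypt", "offset":"2097152", "iv_tweak":"0",
                     "size":"dynamic", "encryption":"aes-xts-plain64",
                     "sector_size":512 } },
  "digests":{ "0":{ "type":"pbkdf2", "keyslots":[ "0" ], "segments":[ "0" ],
                    "hash":"sha256",
                    "salt":"fXVLOCzOBLq+mYHHGE7Z6gTDcBZue\/N0ksKl2siGj1c=",
                    "digest":"kogLEtiHWaQBJQipVN9wMawxi28=",
                    "iterations":64503 } },
  "config":{ "json_size":"12288", "keyslots_size":"2064384" } }
'''


def active_keyslots(metadata_json):
    """Return {slot_number: kdf object} for every keyslot present.

    LUKS2 only stores objects for keyslots that exist, so a slot number
    missing from the "keyslots" map is exactly the inactive-slot case.
    """
    meta = json.loads(metadata_json)
    return {int(num): slot["kdf"] for num, slot in meta["keyslots"].items()}


def slot_is_active(metadata_json, slot):
    return slot in active_keyslots(metadata_json)


def effective_pbkdf(memory_kb, parallel, online_cpus, phys_mem_kb):
    """Predict the argon2 parameters cryptsetup will actually apply.

    Threads are limited to online CPUs (debug line: "PBKDF threads decreased
    from 4 to 2").  Memory is limited to half of physical RAM; the divisor
    of 2 is an ASSUMPTION inferred from "1048576kB to 506360kB" on a small VM.
    """
    threads = min(parallel, online_cpus)
    memory = min(memory_kb, phys_mem_kb // 2)
    return memory, threads


def _host_limits():
    """Best-effort (online CPUs, physical RAM in kB) for the running host."""
    cpus = os.cpu_count() or 1
    try:
        mem_kb = os.sysconf("SC_PHYS_PAGES") * os.sysconf("SC_PAGE_SIZE") // 1024
    except (ValueError, OSError, AttributeError):
        mem_kb = 0  # unknown: treat as "no clamp predicted"
    return cpus, mem_kb


def build_convert_cmd(metadata_json, device, slot, iterations, memory_kb,
                      parallel, online_cpus=None, phys_mem_kb=None):
    """Build the luksConvertKey argv, refusing an inactive slot up front."""
    slots = active_keyslots(metadata_json)
    if slot not in slots:
        raise ValueError(f"keyslot {slot} is not active on {device}; "
                         f"active keyslots: {sorted(slots)}")
    if online_cpus is None or phys_mem_kb is None:
        host_cpus, host_mem = _host_limits()
        online_cpus = host_cpus if online_cpus is None else online_cpus
        phys_mem_kb = host_mem if phys_mem_kb is None else phys_mem_kb
    if phys_mem_kb:
        memory, threads = effective_pbkdf(memory_kb, parallel, online_cpus, phys_mem_kb)
        if (memory, threads) != (memory_kb, parallel):
            print(f"note: host will clamp argon2id to memory={memory}kB threads={threads}")
    # Flags exactly as used in the thread; cryptsetup itself does the clamping.
    return ["cryptsetup", "luksConvertKey", "--key-slot", str(slot),
            "--pbkdf", "argon2id",
            "--pbkdf-force-iterations", str(iterations),
            "--pbkdf-memory", str(memory_kb),
            "--pbkdf-parallel", str(parallel),
            device]


if __name__ == "__main__":
    ok = build_convert_cmd(SAMPLE_METADATA, "/dev/vda5", 0, 50, 1048576, 4,
                           online_cpus=2, phys_mem_kb=1012720)
    print(" ".join(ok))
    try:
        build_convert_cmd(SAMPLE_METADATA, "/dev/vda5", 1, 50, 1048576, 4)
    except ValueError as exc:
        print("refused:", exc)
```

Run it with the real header by piping `cryptsetup luksDump --debug <device>` through a filter that keeps only the JSON object, then pass that text as `metadata_json`; the script never touches the device itself, so it is safe to run from a rescue shell before committing to the conversion.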