Re: 10 M Luks2 header size?

Hi Ondrej,

Yes, I can read the key content, even when it seems not to be automatically used to activate (open) the LUKS partition it is assigned to.

However, after I did 'keyctl link @us @s', 'cryptsetup luksOpen' didn't prompt for a passphrase but directly activated the partition (it shows up under /dev/mapper/).

It seems the auto-activation needs the key to be in the session keyring, not just the user session keyring, whereas the man page says it only needs to be in either @u or @us.

I can add this keyring link command every time I try to open LUKS, but I want to know whether we are supposed to do so or whether this indicates something wrong.

Thanks,

Hualing

-----Original Message-----
From: Ondrej Kozina [mailto:okozina@xxxxxxxxxx]
Sent: Monday, November 04, 2019 5:34 AM
To: dm-crypt@xxxxxxxx
Cc: Hualing Yu <hualing.yu@xxxxxxx>
Subject: Re: 10 M Luks2 header size?

On 11/3/19 4:33 AM, Hualing Yu wrote:

> Hi Milan
>
> We have a problem now 8-)
>
> I did 'cryptsetup format' at initramfs, where I also 'add token' to
> luks passphrase slot 0.
>
> It seems to work as expected in later luksOpen (without asking me for a
> passphrase) when still in initramfs, even on the next run after a power
> cycle reboot. However, after it runs to the normal rootfs, when I try to
> do luksOpen, still as root user, it asks for a passphrase.
>
> I can see my passphrases are in both the @u and @us keyrings, both at
> initramfs time and when running as root in normal Linux. However, in
> initramfs, my passphrases are also in @s, which is probably why at
> initramfs time I can auto-activate (open) my luks partitions.
>
> Cryptsetup man page says:
>
> token <add|remove> <device>
>
>     Adds a new keyring token to enable auto-activation of the device. For
>     the auto-activation, the passphrase must be stored in keyring with the
>     specified description. Usually, the passphrase should be stored in user
>     or user-session keyring. The token command is supported only for LUKS2.
>
> My passphrases are in both user and user-session keyrings, maybe I
> just ran into some unusual case where passphrases also need to be in
> the session keyring. Do you know what the reason is?

Maybe the key is unreachable from your current session after switching out from initramfs. Can you read the key payload with "keyctl read <your_key>" command?

Regards O.
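
The keyring visibility behaviour the thread is circling around, as an added example (not code from the thread or from cryptsetup): it performs the same request_key() lookup that libcryptsetup does for a LUKS2 keyring token (type "user", by description), against a constructed passphrase key stored only in @us, first from a freshly joined session keyring and then after the 'keyctl link @us @s' step from Hualing's reply. Linux only; the key description and payload are constructed values, and a sandbox that forbids the keyring syscalls is reported rather than treated as a failure.

```c
/* Added example: reproduces the keyring visibility issue from the thread with
 * raw Linux keyring syscalls. Linux only; description and payload are constructed. */
#include <errno.h>
#include <linux/keyctl.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

enum { DEMO_UNEXPECTED = -1, DEMO_KEYRING_UNAVAILABLE = 0, DEMO_REPRODUCED = 1 };

/* The lookup a keyring token triggers: type "user", by description, no callout,
 * so a miss fails at once with ENOKEY rather than invoking /sbin/request-key. */
static long lookup_passphrase(const char *desc)
{
    return syscall(SYS_request_key, "user", desc, NULL, 0);
}

int demo_session_keyring_visibility(void)
{
    const char *desc = "cryptsetup-demo-passphrase";      /* constructed */
    const char payload[] = "constructed-test-passphrase"; /* constructed */
    char buf[64] = {0};
    long key, n;

    /* Like a fresh login: @s becomes a brand-new keyring with nothing linked. */
    if (syscall(SYS_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL) < 0)
        return (errno == EPERM || errno == ENOSYS || errno == EACCES)
               ? DEMO_KEYRING_UNAVAILABLE : DEMO_UNEXPECTED; /* sandboxed */
    /* Store the passphrase in @us only, which the man page says is sufficient. */
    if (syscall(SYS_add_key, "user", desc, payload, sizeof payload,
                KEY_SPEC_USER_SESSION_KEYRING) < 0)
        return DEMO_UNEXPECTED;
    /* request_key() searches thread -> process -> session keyring; @us is only
     * consulted when the process has no session keyring at all. With a fresh @s
     * the key is invisible: the "asks for passphrase" case from the thread. */
    if (lookup_passphrase(desc) >= 0 || errno != ENOKEY)
        return DEMO_UNEXPECTED;
    /* The workaround from the thread, 'keyctl link @us @s'. */
    if (syscall(SYS_keyctl, KEYCTL_LINK, KEY_SPEC_USER_SESSION_KEYRING,
                KEY_SPEC_SESSION_KEYRING) < 0)
        return DEMO_UNEXPECTED;
    /* The search now reaches @us through the link; read back what cryptsetup
     * would receive ('keyctl read') and check it is the stored passphrase. */
    if ((key = lookup_passphrase(desc)) < 0)
        return DEMO_UNEXPECTED;
    n = syscall(SYS_keyctl, KEYCTL_READ, key, buf, sizeof buf - 1);
    syscall(SYS_keyctl, KEYCTL_UNLINK, key, KEY_SPEC_USER_SESSION_KEYRING);
    return (n == (long)sizeof payload && memcmp(buf, payload, n) == 0)
           ? DEMO_REPRODUCED : DEMO_UNEXPECTED;
}
```

A login manager that runs pam_keyinit normally links @u into the new session keyring, which is what makes a key in @u reachable without the manual link; when that link is missing, the lookup above fails exactly as the luksOpen prompt in the thread does.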

 

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt