[gentoo-user] Re: Kernel upgrade and now LUKS failure

[gentoo-user] Re: Kernel upgrade and now LUKS failure

[Jan Engelhardt]

[Replying to 
http://thread.gmane.org/gmane.linux.gentoo.user/229533/focus=229542 ]

On 2010-05-05 08:00:43 GMT, Daniel Troeder wrote:
>On 05/05/2010 06:42 AM, Stefan G. Weichinger wrote:
>> Am 04.05.2010 23:24, schrieb Daniel Troeder:
>> 
>>> I'm using sys-fs/cryptsetup-1.1.1_rc1 since 02.05.2010 and didn't have
>>> any issues.
>>> Please decrypt your partition from the command line, so we can see if it
>>> is a cryptsetup/luks/kernel problem or a pam_mount problem.
>>>
>>> Cmdline should something like:
>>> $ sudo cryptsetup -d /etc/security/verysekrit.key luksOpen
>>> /dev/mapper/VG01-crypthome myhome
>>> Which should create /dev/mapper/myhome.
>> 
>> My user sgw is currently not allowed to sudo this (should it be? it
>> never was).
>> 
>> And for root it says "Kein Schlüssel mit diesem Passsatz verfügbar."
>> (german) which should be "No key available with this passphrase." in
>> english.
>That is a message from cryptsetup. As you are using openssl to get the
>key, I think the problem might be there.
>
>I followed the guide you linked here (website is down, but google-cache
>works:
>http://webcache.googleusercontent.com/search?q=cache:7eaSac72CoIJ:home.coming.dk/index.php/2009/05/20/encrypted_home_partition_using_luks_pam_+encrypted_home_partition_using_luks_pam&cd=2&hl=de&ct=clnk&gl=de&client=firefox-a)
>and it works for me (kernel is 2.6.33-zen2):
>
>lvcreate -n crypttest -L 100M vg0
>KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`
>echo $KEY | openssl aes-256-ecb > verysekrit.key
>openssl aes-256-ecb -d -in verysekrit.key

In my personal opinion, both the quality of shell commands and key
generation is suboptimal. What makes it bad is that people follow it.

First, it generates a key which does not exploit the entire space. 
People claim it's because they want an ASCII readout, but frankly, you 
get the same with `hexdump -C`.

Second, it's using echo without the -n parameter, thus implicitly 
inserting a newline into the key -- which is the cause for yoru observed 
mounting problems.

Third, because you are passing the key via stdin into cryptsetup, it 
only uses the first line of whatever you pipe into it; whereas pam_mount 
uses the entire keyfile as it is supposed to be.

(Fourth, the howto suggests ECB, which, well, looks rather weak 
considering the ECB's Tux picture on Wikipedia.)

All of that should be in doc/bugs.txt, and mount.crypt even warns about 
ECB. You really cannot ignore seeing that.

Phew!

[gentoo-user] Re: Kernel upgrade and now LUKS failure

[Stefan G. Weichinger]

Am 16.05.2010 14:36, schrieb Jan Engelhardt:
> [Replying to 
> http://thread.gmane.org/gmane.linux.gentoo.user/229533/focus=229542 
> ]
> 
> In my personal opinion, both the quality of shell commands and key 
> generation is suboptimal. What makes it bad is that people follow 
> it.
> 
> First, it generates a key which does not exploit the entire space. 
> People claim it's because they want an ASCII readout, but frankly, 
> you get the same with `hexdump -C`.
> 
> Second, it's using echo without the -n parameter, thus implicitly 
> inserting a newline into the key -- which is the cause for yoru 
> observed mounting problems.
> 
> Third, because you are passing the key via stdin into cryptsetup, it 
> only uses the first line of whatever you pipe into it; whereas 
> pam_mount uses the entire keyfile as it is supposed to be.
> 
> (Fourth, the howto suggests ECB, which, well, looks rather weak 
> considering the ECB's Tux picture on Wikipedia.)
> 
> All of that should be in doc/bugs.txt, and mount.crypt even warns 
> about ECB. You really cannot ignore seeing that.
> 
> Phew!

Jan, thanks for your suggestions.

I created a new LUKS-volume and tried to avoid all the mentioned
pitfalls (I used "echo -n", avoided stdin etc.), but this didn't help here.

The new volume is not mounted with pam_mount-2.1, but mounted OK with
pam_mount-1.33.

And, btw, as mentioned in the original thread, I use CBC, not ECB ;-)

-- Your CCing Daniel didn't work maybe, wrong address, I corrected it
for this reply)

-- I CC: hanno@gentoo.org to link to the gentoo bug

http://bugs.gentoo.org/show_bug.cgi?id=318865

Thanks, regards, Stefan

Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure

[Daniel Troeder]

[-- Attachment #1: Type: text/plain, Size: 3480 bytes --]

On 05/17/2010 11:14 AM, Stefan G. Weichinger wrote:
> Am 16.05.2010 14:36, schrieb Jan Engelhardt:
>> [Replying to 
>> http://thread.gmane.org/gmane.linux.gentoo.user/229533/focus=229542 
>> ]
>>
>> In my personal opinion, both the quality of shell commands and key 
>> generation is suboptimal. What makes it bad is that people follow 
>> it.
>>
>> First, it generates a key which does not exploit the entire space. 
>> People claim it's because they want an ASCII readout, but frankly, 
>> you get the same with `hexdump -C`.
>>
>> Second, it's using echo without the -n parameter, thus implicitly 
>> inserting a newline into the key -- which is the cause for yoru 
>> observed mounting problems.
>>
>> Third, because you are passing the key via stdin into cryptsetup, it 
>> only uses the first line of whatever you pipe into it; whereas 
>> pam_mount uses the entire keyfile as it is supposed to be.
>>
>> (Fourth, the howto suggests ECB, which, well, looks rather weak 
>> considering the ECB's Tux picture on Wikipedia.)
>>
>> All of that should be in doc/bugs.txt, and mount.crypt even warns 
>> about ECB. You really cannot ignore seeing that.
>>
>> Phew!
> 
> Jan, thanks for your suggestions.
> 
> I created a new LUKS-volume and tried to avoid all the mentioned
> pitfalls (I used "echo -n", avoided stdin etc.), but this didn't help here.
> 
> The new volume is not mounted with pam_mount-2.1, but mounted OK with
> pam_mount-1.33.
> 
> And, btw, as mentioned in the original thread, I use CBC, not ECB ;-)
> 
> -- Your CCing Daniel didn't work maybe, wrong address, I corrected it
> for this reply)
> 
> -- I CC: hanno@gentoo.org to link to the gentoo bug
> 
> http://bugs.gentoo.org/show_bug.cgi?id=318865
> 
> Thanks, regards, Stefan
> 
Hello :)

In a more general discussion I wonder what the advantage of using a SSL
encrypted key for HDD-encryption is.

As the SSL-keyfile is as well protected as the password to decrypt it is
"difficult", so would be a directly encrypted HDD with the same password
- or not?

If this assumption is correct, then I think the direct approach would be
better, as in "less complexity - less errors".

<For the paranoid>
I think it is much easier to hide a trojan/keylogger on an unencrypted
root-partition than in an initramfs - and not be detected. (Both is easy
to do, but the latter can be detected easier.) Unfortunately that
detection is never done... after opening the root-dev some form of
file-/partition-manipulation check should run. Though the kernel could
be already compromised... Only a secure boot-path like with TCG is
really secure... well this is only if you fear strong attackers, and not
only loosing your notebook :) I head that really strong attackers would
hide a keylogger beneath your keyboard... but if you have that kind of
opponent, then you really have other problems too :)
</For the paranoid>

Anyway - if your /tmp is not encrypted you should put it on a ram-disk:
gives you speed and privacy in case of robbery. Also important is to
have the screensaver lock the screen.

On a technical note: I use "xts" as I read it's a good (although new) algo.

Bye,
Daniel


BTW: No need to CC mailing list mails to me - I'll read and reply the
ML-thread when I have time :)


-- 
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

[gentoo-user] Re: Kernel upgrade and now LUKS failure

[Jan Engelhardt]

On Monday 2010-05-17 11:14, Stefan G. Weichinger wrote:
>Am 16.05.2010 14:36, schrieb Jan Engelhardt:
>> [Replying to 
>> http://thread.gmane.org/gmane.linux.gentoo.user/229533/focus=229542 
>> ]
>> 
>> Second, it's using echo without the -n parameter, thus implicitly 
>> inserting a newline into the key -- which is the cause for yoru 
>> observed mounting problems.
>> 
>> Third, because you are passing the key via stdin into cryptsetup, it 
>> only uses the first line of whatever you pipe into it; whereas 
>> pam_mount uses the entire keyfile as it is supposed to be.
>>[...]
>Jan, thanks for your suggestions.
>
>I created a new LUKS-volume and tried to avoid all the mentioned
>pitfalls (I used "echo -n", avoided stdin etc.), but this didn't help here.

To be sure, use

	openssl -d ... | hexdump -C

to detect newlines in the key. The shell has far too many occasions
where \n gets stripped or added.

[gentoo-user] Re: Kernel upgrade and now LUKS failure

[Stefan G. Weichinger]

Am 18.05.2010 15:05, schrieb Jan Engelhardt:
> 
> On Monday 2010-05-17 11:14, Stefan G. Weichinger wrote:
>> Am 16.05.2010 14:36, schrieb Jan Engelhardt:
>>> [Replying to 
>>> http://thread.gmane.org/gmane.linux.gentoo.user/229533/focus=229542 
>>> ]
>>>
>>> Second, it's using echo without the -n parameter, thus implicitly 
>>> inserting a newline into the key -- which is the cause for yoru 
>>> observed mounting problems.
>>>
>>> Third, because you are passing the key via stdin into cryptsetup, it 
>>> only uses the first line of whatever you pipe into it; whereas 
>>> pam_mount uses the entire keyfile as it is supposed to be.
>>> [...]
>> Jan, thanks for your suggestions.
>>
>> I created a new LUKS-volume and tried to avoid all the mentioned
>> pitfalls (I used "echo -n", avoided stdin etc.), but this didn't help here.
> 
> To be sure, use
> 
> 	openssl -d ... | hexdump -C
> 
> to detect newlines in the key. The shell has far too many occasions
> where \n gets stripped or added.

Thanks for the hint.

Could you please show me an example how it should look like and what to
look for?

I get several lines of output, that seems bad ... ?

Maybe I didn't get all the steps right, could be.

Do you know any howto where it is done "the right way"?

Thanks, Stefan

[gentoo-user] Re: Kernel upgrade and now LUKS failure

[Jan Engelhardt]

On Tuesday 2010-05-18 15:44, Stefan G. Weichinger wrote:
>> 
>> To be sure, use
>> 
>> 	openssl -d ... | hexdump -C
>> 
>> to detect newlines in the key. The shell has far too many occasions
>> where \n gets stripped or added.
>
>Thanks for the hint.
>
>Could you please show me an example how it should look like and what to
>look for?

In case the key is a suboptimal ascii-only key, it looks like this.

offset    bytes broken up                                   visual represent.
00000000  35 34 28 5e 52 69 4c 22  3c 72 4c 35 35 27 70 32  |54(^RiL"<rL55'p2|
00000010  39 59 48 21 3b 50 2e 25  52 6e 27 4f 4d 51 42 6b  |9YH!;P.%Rn'OMQBk|
00000020  34 43 38 76 4e 49 51 24  3f 5e 42 63 2f 6c 2d 76  |4C8vNIQ$?^Bc/l-v|
00000030  34 7d 4d 6a 50 5c 41 3c  3f 70 76 67 22 57 21 6b  |4}MjP\A<?pvg"W!k|
00000040  77 78 5c 24 23 5e 2e 56  7a 56 24 5a 4f 7e 6a     |wx\$#^.VzV$ZO~j|
0000004f

If there were a newline, one of the bytes would be 0a.

>Do you know any howto where it is done "the right way"?

The right and easy way is to just use the supplied pmt-ehd(8) tool,
which works both interactively and non-interactively, depending on
whether it's called with enough arguments or not, so there's something
for everybody's flavor.
It does not do LUKS yet as of pam_mount 2.2, though. Guess my
todo list gets longer..

[gentoo-user] Re: Kernel upgrade and now LUKS failure

[Stefan G. Weichinger]

Am 18.05.2010 18:04, schrieb Jan Engelhardt:
> 
> On Tuesday 2010-05-18 15:44, Stefan G. Weichinger wrote:
>>>
>>> To be sure, use
>>>
>>> 	openssl -d ... | hexdump -C
>>>
>>> to detect newlines in the key. The shell has far too many occasions
>>> where \n gets stripped or added.
>>
>> Thanks for the hint.
>>
>> Could you please show me an example how it should look like and what to
>> look for?
> 
> In case the key is a suboptimal ascii-only key, it looks like this.
> 
> offset    bytes broken up                                   visual represent.
> 00000000  35 34 28 5e 52 69 4c 22  3c 72 4c 35 35 27 70 32  |54(^RiL"<rL55'p2|
> 00000010  39 59 48 21 3b 50 2e 25  52 6e 27 4f 4d 51 42 6b  |9YH!;P.%Rn'OMQBk|
> 00000020  34 43 38 76 4e 49 51 24  3f 5e 42 63 2f 6c 2d 76  |4C8vNIQ$?^Bc/l-v|
> 00000030  34 7d 4d 6a 50 5c 41 3c  3f 70 76 67 22 57 21 6b  |4}MjP\A<?pvg"W!k|
> 00000040  77 78 5c 24 23 5e 2e 56  7a 56 24 5a 4f 7e 6a     |wx\$#^.VzV$ZO~j|
> 0000004f
> 
> If there were a newline, one of the bytes would be 0a.

Will check ...

>> Do you know any howto where it is done "the right way"?
> 
> The right and easy way is to just use the supplied pmt-ehd(8) tool,
> which works both interactively and non-interactively, depending on
> whether it's called with enough arguments or not, so there's something
> for everybody's flavor.
> It does not do LUKS yet as of pam_mount 2.2, though. Guess my
> todo list gets longer..

:-)

But given the fact that I store the key on the same hard-disk with the
shadowed user-pw I could also leave that openssl-part straight away,
correct?? seems the same level of (in)security to me ...

thank you, Stefan

[gentoo-user] Re: Kernel upgrade and now LUKS failure

[Jan Engelhardt]

On Tuesday 2010-05-18 18:56, Stefan G. Weichinger wrote:
>
>>> Do you know any howto where it is done "the right way"?
>> 
>> The right and easy way is to just use the supplied pmt-ehd(8) tool,
>> which works both interactively and non-interactively, depending on
>> whether it's called with enough arguments or not, so there's something
>> for everybody's flavor.
>> It does not do LUKS yet as of pam_mount 2.2, though. Guess my
>> todo list gets longer..
>
>:-)
>
>But given the fact that I store the key on the same hard-disk with the
>shadowed user-pw I could also leave that openssl-part straight away,
>correct?? seems the same level of (in)security to me ...

Yes. The point of keyfiles is to be able to change the password on
a volume.

Without a keyfile, a crypto program would take the password, hash it
somehow, and you get your AES key. Changing the password means having
a different AES key, meaning decrypting the disk will yield a
different result. In other words, changing the password would require
at least reading the old data, reencrypting it and writing it again.
Takes time.

With a keyfile, you retain the same AES key all the time, and encrypt
the AES key itself - reencrypting the AES key is quick, as it's
only some xyz bits, not terabytes.

[gentoo-user] Re: Kernel upgrade and now LUKS failure

[Stefan G. Weichinger]

Am 18.05.2010 19:57, schrieb Jan Engelhardt:

>> But given the fact that I store the key on the same hard-disk with the
>> shadowed user-pw I could also leave that openssl-part straight away,
>> correct?? seems the same level of (in)security to me ...
> 
> Yes. The point of keyfiles is to be able to change the password on
> a volume.
> 
> Without a keyfile, a crypto program would take the password, hash it
> somehow, and you get your AES key. Changing the password means having
> a different AES key, meaning decrypting the disk will yield a
> different result. In other words, changing the password would require
> at least reading the old data, reencrypting it and writing it again.
> Takes time.
> 
> With a keyfile, you retain the same AES key all the time, and encrypt
> the AES key itself - reencrypting the AES key is quick, as it's
> only some xyz bits, not terabytes.

Ok, I see. So my current setup with one disk only and SSL-generated
keyfile does not add security but flexibility (being able to switch
passwords more quickly).

Do you see a way of getting this working with my current packages:

pam_mount-2.1
sys-fs/cryptsetup-1.1.1_rc2

and LUKS ... ?

As mentioned the old keyfile works with pam_mount-1.33, when I check the
changelog at

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-auth/pam_mount/ChangeLog?view=markup

this is a package from 10 Jan 2010, so maybe it wouldn't be too risky to
just mask >pam_mount-1.33

-

On the other hand I would like to get that done right, sure.

Any howto without pmt-ehd that would keep me safe from newlines etc
(btw. there were NO newlines in that hexdump-output)?

Thanks for your time, Stefan

Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure

[Stefan G. Weichinger]

Am 18.05.2010 20:57, schrieb Stefan G. Weichinger:

> On the other hand I would like to get that done right, sure.
> 
> Any howto without pmt-ehd that would keep me safe from newlines etc
> (btw. there were NO newlines in that hexdump-output)?

Created a new encrypted LV and used "--key-file=-" as mentioned in:

http://pam-mount.git.sourceforge.net/git/gitweb.cgi?p=pam-mount/pam-mount;a=blob;hb=master;f=doc/bugs.txt

Still no success with 2.x ...
I masked pam_mount-2.x again ...

Stefan

Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure

[Jan Engelhardt]

On Tuesday 2010-05-18 21:33, Stefan G. Weichinger wrote:
>Am 18.05.2010 20:57, schrieb Stefan G. Weichinger:
>
>> On the other hand I would like to get that done right, sure.
>> 
>> Any howto without pmt-ehd that would keep me safe from newlines etc
>> (btw. there were NO newlines in that hexdump-output)?
>
>Created a new encrypted LV and used "--key-file=-" as mentioned in:
>
>http://pam-mount.git.sourceforge.net/git/gitweb.cgi?p=pam-mount/pam-mount;a=blob;hb=master;f=doc/bugs.txt
>
>Still no success with 2.x ...

Debugging preexisting containers is hard (because people usually don't
share that.)

Since you are starting with a blank one, I would love to see your
failing testcase -- i.e. sequence of shell commands to trigger the
unanticipated behavior, such as the existing testcases in
src/t-crypt:

  echo that | openssl whatever
  cryptsetup luksFoo,Format,Open that.
  mkfs
  cryptsetup luksClose
  mount.crypt -o [...]

It does not need to follow t-crypt's style, just the sequence alone
is good.

Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure

[Stefan G. Weichinger]

Am 18.05.2010 22:06, schrieb Jan Engelhardt:
> 
> On Tuesday 2010-05-18 21:33, Stefan G. Weichinger wrote:
>> Am 18.05.2010 20:57, schrieb Stefan G. Weichinger:
>> 
>>> On the other hand I would like to get that done right, sure.
>>> 
>>> Any howto without pmt-ehd that would keep me safe from newlines
>>> etc (btw. there were NO newlines in that hexdump-output)?
>> 
>> Created a new encrypted LV and used "--key-file=-" as mentioned
>> in:
>> 
>> http://pam-mount.git.sourceforge.net/git/gitweb.cgi?p=pam-mount/pam-mount;a=blob;hb=master;f=doc/bugs.txt
>>
>>
>> 
Still no success with 2.x ...
> 
> Debugging preexisting containers is hard (because people usually
> don't share that.)
> 
> Since you are starting with a blank one, I would love to see your 
> failing testcase -- i.e. sequence of shell commands to trigger the 
> unanticipated behavior, such as the existing testcases in 
> src/t-crypt:
> 
> echo that | openssl whatever cryptsetup luksFoo,Format,Open that. 
> mkfs cryptsetup luksClose mount.crypt -o [...]
> 
> It does not need to follow t-crypt's style, just the sequence alone 
> is good.


I saved my history, unfortunately only the last steps were kept, but I
am able to reconstruct:

The block-device is /dev/VG01/sgwcrypt ...

#I tried a more complicated KEY
KEY=`head -c 79 /dev/urandom`

# avoid newline here
echo -n $KEY | openssl aes-256-cbc > /etc/security/super.key

# format it, using "--keyfile=-" as mentioned in bugs ...
openssl aes-256-cbc -d -in /etc/security/super.key | cryptsetup -v
--key-file=- --cipher aes-cbc-plain --key-size 256 luksFormat
/dev/VG01/sgwcrypt

# open it
openssl aes-256-cbc -d -in /etc/security/super.key | cryptsetup -v
--key-file=-  luksOpen /dev/VG01/sgwcrypt newhome

# create fs on the open luks-volume
mkfs.ext3 /dev/mapper/newhome

# mount the new fs
mount /dev/mapper/newhome /mnt/gschwind

all this worked OK so far, but not with pam_mount.

OK?

Stefan

Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure

[Jan Engelhardt]

yOn Tuesday 2010-05-18 22:17, Stefan G. Weichinger wrote:
>
>I saved my history, unfortunately only the last steps were kept, but I
>am able to reconstruct:
>
>The block-device is /dev/VG01/sgwcrypt ...
>
>#I tried a more complicated KEY
>KEY=`head -c 79 /dev/urandom`

Well, I'm not going to blame you yet, but the shell is pretty
binary-unsafe -- and you have just invoked that voodoo again.

# head -c79 /dev/urandom >t-crypt.ukey; \
  hexdump -C <t-crypt.ukey; \
  KEY=$(cat t-crypt.ukey); \
  echo -n "$KEY" | hexdump -C; \
  echo -n "$KEY" | wc;
00000000  a4 b2 c8 a0 4f c9 00 37  66 f3 0c 20 2d 5c 05 e7  |....O..7f.. -\..|
00000010  cd 5e 5d 00 5d e1 18 2a  1a 8b 2d 41 22 e7 66 0e  |.^].]..*..-A".f.|
00000020  b0 a3 1d 41 1e 23 1d 00  f8 b2 b2 bc 34 28 94 fe  |...A.#......4(..|
00000030  ba 0f 45 11 b5 c6 d8 a1  ca c2 ec 08 5e 48 d4 7f  |..E.........^H..|
00000040  17 a8 75 af ef ef f1 7a  0f 2f bf 64 c2 3a 9c     |..u....z./.d.:.|
0000004f

00000000  a4 b2 c8 a0 4f c9 37 66  f3 0c 20 2d 5c 05 e7 cd  |....O.7f.. -\...|
00000010  5e 5d 5d e1 18 2a 1a 8b  2d 41 22 e7 66 0e b0 a3  |^]]..*..-A".f...|
00000020  1d 41 1e 23 1d f8 b2 b2  bc 34 28 94 fe ba 0f 45  |.A.#.....4(....E|
00000030  11 b5 c6 d8 a1 ca c2 ec  08 5e 48 d4 7f 17 a8 75  |.........^H....u|
00000040  af ef ef f1 7a 0f 2f bf  64 c2 3a 9c              |....z./.d.:.|
0000004c
      0       2      76

So what was once 79 bytes has been reduced to 76 by means of the $()
or backtick operator.

Not a problem for the crypto utilities per se, but I wanted to point out 
that you are effectively only having a 76-long key here. The chance to 
get a key shorter than the requested 79 is 27%.

># avoid newline here
>echo -n $KEY | openssl aes-256-cbc > /etc/security/super.key
>
># format it, using "--keyfile=-" as mentioned in bugs ...
>openssl aes-256-cbc -d -in /etc/security/super.key | cryptsetup -v
>--key-file=- --cipher aes-cbc-plain --key-size 256 luksFormat
>/dev/VG01/sgwcrypt
>
># open it
>openssl aes-256-cbc -d -in /etc/security/super.key | cryptsetup -v
>--key-file=-  luksOpen /dev/VG01/sgwcrypt newhome

Turns out cryptsetup has yet another oddity. With LUKS, --key-file=- is 
moot. Instead....

[fkey is the unencrypted one]

# cryptsetup luksFormat /dev/loop94 t-crypt.fkey && \
  cryptsetup --key-file=- luksOpen /dev/loop94 x94 <t-crypt.fkey 
Key slot 0 unlocked.


And you thought that doc/bugs.txt described all cryptsetup CLI oddities.

*facepalm*

ANYWAY.


If I proceed with this luks container now, all succeeds:

# mkfs.ext4 /dev/mapper/x94 
mke2fs 1.41.9 (22-Aug-2009)
...
# cryptsetup remove x94

First, let's see if raw passthrough works:

# ./mount.crypt -vo keyfile=t-crypt.fkey,fsk_cipher=none /dev/loop94 /mnt
command: 'readlink' '-fn' '/dev/loop94' 
command: 'readlink' '-fn' '/mnt' 
mount.crypt(crypto-dmc.c:144): Using _dev_loop94 as dmdevice name
command: 'mount' '-n' '/dev/mapper/_dev_loop94' '/mnt' 
# df /mnt
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/loop94              62465      5365     53875  10% /mnt
# PMT_DEBUG_UMOUNT=1 ./umount.crypt /mnt


Now the openssl-encrypted file:

# ./mount.crypt -vo keyfile=t-crypt.key,fsk_cipher=aes-256-cbc,fsk_hash=md5 /dev/loop94 /mnt
command: 'readlink' '-fn' '/dev/loop94' 
command: 'readlink' '-fn' '/mnt' 
Password: 
mount.crypt(crypto-dmc.c:144): Using _dev_loop94 as dmdevice name
command: 'mount' '-n' '/dev/mapper/_dev_loop94' '/mnt' 
# df /mnt
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/loop94              62465      5365     53875  10% /mnt


Match?

Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure

[Stefan G. Weichinger]

Am 18.05.2010 23:16, schrieb Jan Engelhardt:
> yOn Tuesday 2010-05-18 22:17, Stefan G. Weichinger wrote:
>> 
>> I saved my history, unfortunately only the last steps were kept,
>> but I am able to reconstruct:
>> 
>> The block-device is /dev/VG01/sgwcrypt ...
>> 
>> #I tried a more complicated KEY KEY=`head -c 79 /dev/urandom`
> 
> Well, I'm not going to blame you yet, but the shell is pretty 
> binary-unsafe -- and you have just invoked that voodoo again.
> 
> # head -c79 /dev/urandom >t-crypt.ukey; \ hexdump -C <t-crypt.ukey;
> \ KEY=$(cat t-crypt.ukey); \ echo -n "$KEY" | hexdump -C; \ echo -n
> "$KEY" | wc; 00000000  a4 b2 c8 a0 4f c9 00 37  66 f3 0c 20 2d 5c 05
> e7  |....O..7f.. -\..| 00000010  cd 5e 5d 00 5d e1 18 2a  1a 8b 2d 41
> 22 e7 66 0e  |.^].]..*..-A".f.| 00000020  b0 a3 1d 41 1e 23 1d 00  f8
> b2 b2 bc 34 28 94 fe  |...A.#......4(..| 00000030  ba 0f 45 11 b5 c6
> d8 a1  ca c2 ec 08 5e 48 d4 7f  |..E.........^H..| 00000040  17 a8 75
> af ef ef f1 7a  0f 2f bf 64 c2 3a 9c     |..u....z./.d.:.| 0000004f
> 
> 00000000  a4 b2 c8 a0 4f c9 37 66  f3 0c 20 2d 5c 05 e7 cd
> |....O.7f.. -\...| 00000010  5e 5d 5d e1 18 2a 1a 8b  2d 41 22 e7 66
> 0e b0 a3  |^]]..*..-A".f...| 00000020  1d 41 1e 23 1d f8 b2 b2  bc 34
> 28 94 fe ba 0f 45  |.A.#.....4(....E| 00000030  11 b5 c6 d8 a1 ca c2
> ec  08 5e 48 d4 7f 17 a8 75  |.........^H....u| 00000040  af ef ef f1
> 7a 0f 2f bf  64 c2 3a 9c              |....z./.d.:.| 0000004c 0
> 2      76
> 
> So what was once 79 bytes has been reduced to 76 by means of the $() 
> or backtick operator.
> 
> Not a problem for the crypto utilities per se, but I wanted to point
> out that you are effectively only having a 76-long key here. The
> chance to get a key shorter than the requested 79 is 27%.
> 
>> # avoid newline here echo -n $KEY | openssl aes-256-cbc >
>> /etc/security/super.key
>> 
>> # format it, using "--keyfile=-" as mentioned in bugs ... openssl
>> aes-256-cbc -d -in /etc/security/super.key | cryptsetup -v 
>> --key-file=- --cipher aes-cbc-plain --key-size 256 luksFormat 
>> /dev/VG01/sgwcrypt
>> 
>> # open it openssl aes-256-cbc -d -in /etc/security/super.key |
>> cryptsetup -v --key-file=-  luksOpen /dev/VG01/sgwcrypt newhome
> 
> Turns out cryptsetup has yet another oddity. With LUKS, --key-file=-
> is moot. Instead....
> 
> [fkey is the unencrypted one]
> 
> # cryptsetup luksFormat /dev/loop94 t-crypt.fkey && \ cryptsetup
> --key-file=- luksOpen /dev/loop94 x94 <t-crypt.fkey Key slot 0
> unlocked.
> 
> 
> And you thought that doc/bugs.txt described all cryptsetup CLI
> oddities.
> 
> *facepalm*
> 
> ANYWAY.
> 
> 
> If I proceed with this luks container now, all succeeds:
> 
> # mkfs.ext4 /dev/mapper/x94 mke2fs 1.41.9 (22-Aug-2009) ... #
> cryptsetup remove x94
> 
> First, let's see if raw passthrough works:
> 
> # ./mount.crypt -vo keyfile=t-crypt.fkey,fsk_cipher=none /dev/loop94
> /mnt command: 'readlink' '-fn' '/dev/loop94' command: 'readlink'
> '-fn' '/mnt' mount.crypt(crypto-dmc.c:144): Using _dev_loop94 as
> dmdevice name command: 'mount' '-n' '/dev/mapper/_dev_loop94' '/mnt'
>  # df /mnt Filesystem           1K-blocks      Used Available Use%
> Mounted on /dev/loop94              62465      5365     53875  10%
> /mnt # PMT_DEBUG_UMOUNT=1 ./umount.crypt /mnt
> 
> 
> Now the openssl-encrypted file:
> 
> # ./mount.crypt -vo
> keyfile=t-crypt.key,fsk_cipher=aes-256-cbc,fsk_hash=md5 /dev/loop94
> /mnt command: 'readlink' '-fn' '/dev/loop94' command: 'readlink'
> '-fn' '/mnt' Password: mount.crypt(crypto-dmc.c:144): Using
> _dev_loop94 as dmdevice name command: 'mount' '-n'
> '/dev/mapper/_dev_loop94' '/mnt' # df /mnt Filesystem
> 1K-blocks      Used Available Use% Mounted on /dev/loop94
> 62465      5365     53875  10% /mnt
> 
> 
> Match?

Frankly: dunno ;-)
Yes, I am able to follow and understand in general so far ... but ...

Assuming that "I am too stupid": Where is the how-to-do-it?

So far the only thing I really understood "You are doing it wrong".

But where is the "Do it this way and you are safe" ?

I wouldn't post here if I were competent enough to know all these details.

Concerning encryption I am at the USER-level, you know for sure ;-)

Just trying to feed back my problems to maybe detect bugs or my mistakes.

Stefan

Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure

[Jan Engelhardt]

On Tuesday 2010-05-18 23:49, Stefan G. Weichinger wrote:

>> # ./mount.crypt -vo
>> keyfile=t-crypt.key,fsk_cipher=aes-256-cbc,fsk_hash=md5 /dev/loop94
>> /mnt command: 'readlink' '-fn' '/dev/loop94' command: 'readlink'
>> '-fn' '/mnt' Password: mount.crypt(crypto-dmc.c:144): Using
>> _dev_loop94 as dmdevice name command: 'mount' '-n'
>> '/dev/mapper/_dev_loop94' '/mnt' # df /mnt Filesystem
>> 1K-blocks      Used Available Use% Mounted on /dev/loop94
>> 62465      5365     53875  10% /mnt
>> 
>> Match?
>
>Frankly: dunno ;-)
>Yes, I am able to follow and understand in general so far ... but ...

Right now it's more a case of "let's do it and compare results"
than having to thoroughly understand when and where cryptsetup
chops off a byte and pads another.

That went fine, up to

># mount the new fs
>mount /dev/mapper/newhome /mnt/gschwind
>all this worked OK so far, but not with pam_mount.
>OK?

OK, but don't stop there. pam_mount really just ultimatively runs
mount.crypt; and it tells you that it does by means of syslog
(with enabled debug=1 of course).

command: 'mount.crypt' '-ofsk....

And that is what you can run from shell, which eliminates
pam_mount from the path and only leaves the usual suspects.

Keep on it, marine!


>Assuming that "I am too stupid": Where is the how-to-do-it?
>So far the only thing I really understood "You are doing it wrong".
>But where is the "Do it this way and you are safe" ?

http://archives.gentoo.org/gentoo-user/msg_e80d6e5a662b7595a2a8a70a0fa166dd.xml
was basically it: pmt-ehd and you're safe. Short of the current
...missing feature though, mentioned in that same mail.

Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure

[Stefan G. Weichinger]

Am 19.05.2010 00:23, schrieb Jan Engelhardt:

> OK, but don't stop there. pam_mount really just ultimatively runs 
> mount.crypt; and it tells you that it does by means of syslog (with
> enabled debug=1 of course).
> 
> command: 'mount.crypt' '-ofsk....

Sorry, I don't see that in my logs (yep, debug=1).


May 20 12:18:03 enzo slim: pam_mount(pam_mount.c:364): pam_mount 2.1:
entering auth stage
May 20 12:18:03 enzo slim: pam_mount(pam_mount.c:552): pam_mount 2.1:
entering session stage
May 20 12:18:03 enzo slim: pam_mount(misc.c:38): Session open: (uid=0,
euid=0, gid=0, egid=0)
May 20 12:18:03 enzo slim: pam_mount(mount.c:196): Mount info:
globalconf, user=sgw <volume fstype="crypt" server="(null)"
path="/dev/mapper/VG01-crypthome" mountpoint="/home/sgw"
cipher="aes-cbc-plain" fskeypath="/etc/security/verysekrit.key"
fskeycipher="aes-256-cbc" fskeyhash="md5"
options="data=journal,commit=15" /> fstab=0
May 20 12:18:03 enzo slim: pam_mount(misc.c:38): set_myuid<pre>: (uid=0,
euid=0, gid=0, egid=0)
May 20 12:18:03 enzo slim: pam_mount(misc.c:38): set_myuid<post>:
(uid=0, euid=0, gid=0, egid=0)
May 20 12:18:12 enzo slim: pam_mount(mount.c:64): Errors from underlying
mount program:
May 20 12:18:12 enzo slim: pam_mount(mount.c:68):
crypt_activate_by_passphrase: Operation not permitted
May 20 12:18:14 enzo slim: pam_mount(pam_mount.c:520): mount of
/dev/mapper/VG01-crypthome failed
May 20 12:18:14 enzo slim: pam_mount(misc.c:38): set_myuid<pre>: (uid=0,
euid=0, gid=0, egid=0)
May 20 12:18:14 enzo slim: pam_mount(misc.c:38): set_myuid<post>:
(uid=0, euid=0, gid=0, egid=0)
May 20 12:18:15 enzo slim: pam_mount(pam_mount.c:440): pmvarrun says
login count is 1
May 20 12:18:16 enzo slim: pam_mount(pam_mount.c:642): done opening
session (ret=0)
May 20 12:18:16 enzo slim: pam_mount(pam_mount.c:115): Clean global
config (0)
May 20 12:18:16 enzo slim: pam_mount(pam_mount.c:132): clean system
authtok=0x80bdac0 (0)



> And that is what you can run from shell, which eliminates pam_mount
> from the path and only leaves the usual suspects.
> 
> Keep on it, marine!

I try ;-)   *sigh*

Stefan

Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure

[Stefan G. Weichinger]

Am 20.05.2010 12:25, schrieb Stefan G. Weichinger:
> Am 19.05.2010 00:23, schrieb Jan Engelhardt:
> 
>> OK, but don't stop there. pam_mount really just ultimatively runs 
>> mount.crypt; and it tells you that it does by means of syslog (with
>> enabled debug=1 of course).
>>
>> command: 'mount.crypt' '-ofsk....
> 
> Sorry, I don't see that in my logs (yep, debug=1).

debug=2 didn't show anything new, btw.

--

Trying pmt-ehd for a change:

# pmt-ehd -f /dev/VG01/sgwcrypt -p /etc/security/sgwcrypt.enc -h md5 -D
-s 25000

Creating a new container at /dev/VG01/sgwcrypt
/dev/VG01/sgwcrypt is a symlink and points to ../dm-2
Do you really want to overwrite /dev/VG01/sgwcrypt? (y/n)
y
Writing random data to container
Password:
Reenter password:
Using openssl cipher "aes-256-cbc" and hash "md5"
ehd(crypto-dmc.c:144): Using _dev_VG01_sgwcrypt as dmdevice name
crypt_activate: No such file or directory

Oh my ...

Re: [gentoo-user] SOLVED: Re: Kernel upgrade and now LUKS failure

[Stefan G. Weichinger]

Don't ask ... I was really perfectly positive back then that there was
no newline in my decrypted key (I even used grep, yes) ... today there
was one ... *sigh*

The posting on:

http://bugs.gentoo.org/show_bug.cgi?id=318865

pointed me at another hint from Jan which now helped me to use my
encrypted volume with pam_mount-2.1 at last.

Thanks for all your suggestions and help ... sorry for all the noise ...

Stefan

Re: [gentoo-user] SOLVED: Re: Kernel upgrade and now LUKS failure

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 877 bytes --]

On Sunday 23 May 2010 21:37:58 Stefan G. Weichinger wrote:
> Don't ask ... I was really perfectly positive back then that there was
> no newline in my decrypted key (I even used grep, yes) ... today there
> was one ... *sigh*
> 
> The posting on:
> 
> http://bugs.gentoo.org/show_bug.cgi?id=318865
> 
> pointed me at another hint from Jan which now helped me to use my
> encrypted volume with pam_mount-2.1 at last.
> 
> Thanks for all your suggestions and help ... sorry for all the noise ...

Since we were subjected to all this noise (no problem for me, I found the 
thread interesting, albeit undecipherable!  Pun intended =) can you please 
explain why a new line breaks the openssl key?

I have an SSL pkcs12 certificate which I am trying to use with kmail and I 
can't decrypt it no matter what encryption passphrase I set up.

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] SOLVED: Re: Kernel upgrade and now LUKS failure

[Stefan G. Weichinger]

Am 23.05.2010 23:57, schrieb Mick:
> On Sunday 23 May 2010 21:37:58 Stefan G. Weichinger wrote:
>> Thanks for all your suggestions and help ... sorry for all the noise ...
> 
> Since we were subjected to all this noise (no problem for me, I found the 
> thread interesting, albeit undecipherable!  Pun intended =) can you please 
> explain why a new line breaks the openssl key?

Hm, *I* can't.

AFAI understand: that newline was handled in a different way with
pam_mount-1.33, back then the ssl-decrypted key was fed into cryptsetup
and now that isn't done anymore. Back then the key was modified by
cryptsetup, and now, as cryptsetup isn't in the whole "chain" anymore,
the key is not modified (or at least in another way) so it doesn't fit
the key as it was at creation-time.

That is what I understand, pls correct me, Jan ;-)

> I have an SSL pkcs12 certificate which I am trying to use with kmail and I 
> can't decrypt it no matter what encryption passphrase I set up.

Sorry, no idea.

I suggest you start a new thread for your issue and provide us with more
details.

Stefan

Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure

[Eray Aslan]

On Tue, May 18, 2010 at 08:57:58PM +0200, Stefan G. Weichinger wrote:
> Am 18.05.2010 19:57, schrieb Jan Engelhardt:
> Ok, I see. So my current setup with one disk only and SSL-generated
> keyfile does not add security but flexibility (being able to switch
> passwords more quickly).

Keep the keyfile in a usb-stick if you can.  Decrypting the hard disk
will require both the usb-stick and the password, i.e. two factor
authentication.

-- 
Eray

Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure

[Daniel Troeder]

[-- Attachment #1: Type: text/plain, Size: 2509 bytes --]

On 05/18/2010 07:57 PM, Jan Engelhardt wrote:
> 
> On Tuesday 2010-05-18 18:56, Stefan G. Weichinger wrote:
>>
>>>> Do you know any howto where it is done "the right way"?
>>>
>>> The right and easy way is to just use the supplied pmt-ehd(8) tool,
>>> which works both interactively and non-interactively, depending on
>>> whether it's called with enough arguments or not, so there's something
>>> for everybody's flavor.
>>> It does not do LUKS yet as of pam_mount 2.2, though. Guess my
>>> todo list gets longer..
>>
>> :-)
>>
>> But given the fact that I store the key on the same hard-disk with the
>> shadowed user-pw I could also leave that openssl-part straight away,
>> correct?? seems the same level of (in)security to me ...
> 
> Yes. The point of keyfiles is to be able to change the password on
> a volume.
> 
> Without a keyfile, a crypto program would take the password, hash it
> somehow, and you get your AES key. Changing the password means having
> a different AES key, meaning decrypting the disk will yield a
> different result. In other words, changing the password would require
> at least reading the old data, reencrypting it and writing it again.
> Takes time.
> 
> With a keyfile, you retain the same AES key all the time, and encrypt
> the AES key itself - reencrypting the AES key is quick, as it's
> only some xyz bits, not terabytes.

That's not true for LUKS. This is one of the nice things about it:
Multiple keys can be used on a volume, and it is possible to change the
passwords in a safe way. (You have 8 "key slots", each can be used to
decrypt the volume. To change a PW use a new slot, then remove the old
one.) The trick here is that LUKS does by itself safely, what you are
trying to do with the SSL-key in a hackish way (no offense). The key
setup scheme is a modified TKS1 (nice Paper:
http://clemens.endorphin.org/TKS1-draft.pdf - read section 2 "Two Level
Encryption") which uses the keys in the key slots to encrypt a master
key which is used to encrypt the volume. So the only key(s) you ever
change is the key(s) encrypting the master key.

LUKS really does by itself already, what you are doing :)

So I'm pretty sure, that it is safer to use the LUKS key setup (that has
been peer-reviewed by security experts), than a self written shell script.

Bye,
Daniel


-- 
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]