Date: Sun, 16 May 2010 14:36:30 +0200 (CEST)
From: Jan Engelhardt
To: gentoo-user@lists.gentoo.org
cc: Daniel Troeder, "Stefan G. Weichinger", walt, Florian Philipp, Jason Dusek, Till Maas
Subject: [gentoo-user] Re: Kernel upgrade and now LUKS failure
User-Agent: Alpine 2.01 (LSU 1266 2009-07-14)
List-Id: Gentoo Linux mail

[Replying to http://thread.gmane.org/gmane.linux.gentoo.user/229533/focus=229542 ]

On 2010-05-05 08:00:43 GMT, Daniel Troeder wrote:
>On 05/05/2010 06:42 AM, Stefan G. Weichinger wrote:
>> On 04.05.2010 23:24, Daniel Troeder wrote:
>>
>>> I'm using sys-fs/cryptsetup-1.1.1_rc1 since 02.05.2010 and didn't have
>>> any issues.
>>> Please decrypt your partition from the command line, so we can see if it
>>> is a cryptsetup/luks/kernel problem or a pam_mount problem.
>>>
>>> Cmdline should be something like:
>>> $ sudo cryptsetup -d /etc/security/verysekrit.key luksOpen /dev/mapper/VG01-crypthome myhome
>>> Which should create /dev/mapper/myhome.
>>
>> My user sgw is currently not allowed to sudo this (should it be? it
>> never was).
>>
>> And for root it says "Kein Schlüssel mit diesem Passsatz verfügbar."
>> (German) which should be "No key available with this passphrase." in
>> English.
>That is a message from cryptsetup. As you are using openssl to get the
>key, I think the problem might be there.
>
>I followed the guide you linked here (website is down, but google-cache
>works:
>http://webcache.googleusercontent.com/search?q=cache:7eaSac72CoIJ:home.coming.dk/index.php/2009/05/20/encrypted_home_partition_using_luks_pam_+encrypted_home_partition_using_luks_pam&cd=2&hl=de&ct=clnk&gl=de&client=firefox-a)
>and it works for me (kernel is 2.6.33-zen2):
>
>lvcreate -n crypttest -L 100M vg0
>KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`
>echo $KEY | openssl aes-256-ecb > verysekrit.key
>openssl aes-256-ecb -d -in verysekrit.key

In my personal opinion, both the quality of the shell commands and of the
key generation is suboptimal. What makes it bad is that people follow it.

First, it generates a key which does not exploit the entire space.
People claim it's because they want an ASCII readout, but frankly, you
get the same with `hexdump -C`.

Second, it's using echo without the -n parameter, thus implicitly
inserting a newline into the key -- which is the cause for your observed
mounting problems.

Third, because you are passing the key via stdin into cryptsetup, it
only uses the first line of whatever you pipe into it; whereas pam_mount
uses the entire keyfile as it is supposed to be.

(Fourth, the howto suggests ECB, which, well, looks rather weak
considering the ECB's Tux picture on Wikipedia.)

All of that should be in doc/bugs.txt, and mount.crypt even warns about
ECB. You really cannot ignore seeing that.

Phew!
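The four points in the reply above, reproduced as an added shell example. This is not code from the thread, from pam_mount or from cryptsetup: nothing here opens a LUKS device. The "first line" and "whole file" readers are plain head/wc models of the two behaviours the reply attributes to cryptsetup-on-stdin and pam_mount; the 79-character key, the AES demo key and the repeated plaintext block are constructed values so the byte counts are reproducible; the file names under the scratch directory are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): reproduces the keyfile pitfalls the
# reply describes without touching a real LUKS device. Nothing here calls
# cryptsetup or pam_mount; the "first line" / "whole file" functions model the
# two reading behaviours exactly as the reply states them.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed, deterministic 79-character stand-in for the howto's
#   tr -cd [:graph:] < /dev/urandom | head -c 79
# so the byte counts below are reproducible (a real key is random, of course).
KEY='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&()*+,./:;<=>'

# Pitfall 2: the howto writes the key with echo, which appends "\n".
write_with_echo()   { echo "$KEY" > "$1"; }
# Fix: printf '%s' emits exactly the bytes of $KEY and nothing else.
write_with_printf() { printf '%s' "$KEY" > "$1"; }

# What a consumer that takes the whole file as the key sees (pam_mount, per the reply).
file_bytes()       { wc -c < "$1" | tr -d ' '; }
# What a consumer that reads a passphrase from stdin up to the first newline sees
# (cryptsetup fed through a pipe, per the reply).
first_line_bytes() { head -n 1 "$1" | tr -d '\n' | wc -c | tr -d ' '; }

# Pitfall 1: [:graph:] covers only 94 of the 256 byte values (log2(94) ~ 6.55
# bits per byte instead of 8). Count the alphabet by pushing bytes 1..127 through tr.
graph_alphabet_size() {
  i=1
  while [ "$i" -le 127 ]; do
    printf "\\$(printf '%03o' "$i")"
    i=$((i + 1))
  done | LC_ALL=C tr -cd '[:graph:]' | wc -c | tr -d ' '
}

# The howto's generator next to a full-byte-space alternative: 32 raw bytes
# (256 bits) straight from urandom. For a human-readable view, use hexdump -C.
gen_key_graph() { LC_ALL=C tr -cd '[:graph:]' < /dev/urandom | head -c 79 > "$1"; }
gen_key_raw()   { head -c 32 /dev/urandom > "$1"; }

# Pitfall 4: ECB. Encrypt four identical 16-byte blocks under a fixed demo key
# (hypothetical, hex) and count the distinct ciphertext blocks: ECB leaks the
# repetition, CBC with the same key and a zero IV does not.
DEMO_KEY_HEX=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
PLAIN='BLOCKBLOCKBLOCK!BLOCKBLOCKBLOCK!BLOCKBLOCKBLOCK!BLOCKBLOCKBLOCK!'
count_distinct_blocks() { od -An -tx1 -v | tr -d ' \n' | fold -w 32 | sort -u | wc -l | tr -d ' '; }
ecb_distinct_blocks() {
  printf '%s' "$PLAIN" | openssl enc -aes-256-ecb -K "$DEMO_KEY_HEX" -nosalt -nopad | count_distinct_blocks
}
cbc_distinct_blocks() {
  printf '%s' "$PLAIN" | openssl enc -aes-256-cbc -K "$DEMO_KEY_HEX" \
    -iv 00000000000000000000000000000000 -nosalt -nopad | count_distinct_blocks
}

# Demo run.
write_with_echo "$WORK/echo.key"
write_with_printf "$WORK/printf.key"
echo "echo   : file=$(file_bytes "$WORK/echo.key") bytes, first line=$(first_line_bytes "$WORK/echo.key") bytes"
echo "printf : file=$(file_bytes "$WORK/printf.key") bytes, first line=$(first_line_bytes "$WORK/printf.key") bytes"
echo "[:graph:] alphabet: $(graph_alphabet_size) of 256 byte values"
gen_key_raw "$WORK/raw.key"
command -v hexdump >/dev/null 2>&1 && hexdump -C "$WORK/raw.key"
if command -v openssl >/dev/null 2>&1; then
  echo "distinct ciphertext blocks for 4 identical plaintext blocks: ECB=$(ecb_distinct_blocks) CBC=$(cbc_distinct_blocks)"
fi
```

The echo-written file is 80 bytes while its first line is 79: a consumer that takes the whole file and one that stops at the first newline are unlocking with different keys, which is exactly the mismatch the reply blames for the mount failure. Writing the key with printf (or taking raw bytes from /dev/urandom) and letting cryptsetup read the file itself with -d, as in the luksOpen line quoted above, gives both consumers identical bytes.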