Hi all,


   I created a LUKS encrypted partition via a udev-triggered script on
6.6 using --key-file /tmp/foo. This worked fine, and I can decrypt the
LUKS partition via script and manually using --key-file with luksOpen.


   The odd problem is that I can't decrypt the partition using the
prompt. If I manually create a file with the passphrase in it and then
point to it with --key-file, it decrypts fine. I used 'cat -A
/tmp/foo' to verify that there was no '\n' at the end of the phrase.


   Is this expected behaviour? That is, if you create an encrypted
partition using --key-file, you always decrypt with the same? If so, I
can't understand the logic... If not, then I am not sure what I am
doing wrong.


Thanks for any insight!


digimer


--
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without
access to education?
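
The trailing-newline check from the question, extended to the other bytes that keep a keyfile from matching typed input, as an added example that is not from the thread or from cryptsetup. It relies on cryptsetup's documented behaviour that a key file is read whole, newlines included, while input at the prompt ends at the first newline; the function names, the UTF-8 terminal assumption and the sample contents are constructed.

```python
# Added example (constructed; not from the thread or from cryptsetup itself).
# Assumption: the terminal sends UTF-8 and prompt input ends at the first newline.


def prompt_mismatch_risks(key: bytes) -> list:
    """List bytes in a keyfile that typed input will not, or is unlikely to, reproduce."""
    risks = []
    if not key:
        risks.append("file is empty")
    if key.startswith(b"\xef\xbb\xbf"):
        risks.append("UTF-8 byte order mark at offset 0")
    for offset, byte in enumerate(key):
        if byte == 0x0A:
            where = "trailing" if offset == len(key) - 1 else "embedded"
            risks.append(f"{where} newline at offset {offset}")
        elif byte == 0x0D:
            risks.append(f"carriage return at offset {offset}")
        elif byte < 0x20 or byte == 0x7F:
            risks.append(f"control byte 0x{byte:02x} at offset {offset}")
    try:
        key.decode("utf-8")
    except UnicodeDecodeError as exc:
        risks.append(f"not valid UTF-8 at offset {exc.start}")
    return risks


def prompt_bytes(typed: str) -> bytes:
    """Bytes the prompt hands over: input up to, not including, the first newline."""
    return typed.split("\n", 1)[0].encode("utf-8")


def same_key_material(key: bytes, typed: str) -> bool:
    """True only if typing `typed` reproduces the keyfile byte for byte."""
    return prompt_bytes(typed) == key


if __name__ == "__main__":
    samples = {  # constructed keyfile contents
        "printf": b"correct horse",
        "echo": b"correct horse\n",
        "windows editor": b"\xef\xbb\xbfcorrect horse\r\n",
        "random bytes": bytes([0x9C, 0x00, 0x41, 0x0A, 0x42]),
    }
    for name, data in samples.items():
        ok = same_key_material(data, "correct horse\n")
        print(f"{name}: typed input matches={ok} risks={prompt_mismatch_risks(data)}")
```
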


  • Robert Nichols at Mar 4, 2015 at 11:33 pm

    On 03/04/2015 03:16 PM, Digimer wrote:

    > Hi all,
    >
    > I created a LUKS encrypted partition via a udev-triggered script on
    > 6.6 using --key-file /tmp/foo. This worked fine, and I can decrypt the
    > LUKS partition via script and manually using --key-file with luksOpen.
    >
    > The odd problem is that I can't decrypt the partition using the
    > prompt. If I manually create a file with the passphrase in it and then
    > point to it with --key-file, it decrypts fine. I used 'cat -A
    > /tmp/foo' to verify that there was no '\n' at the end of the phrase.
    >
    > Is this expected behaviour? That is, if you create an encrypted
    > partition using --key-file, you always decrypt with the same? If so, I
    > can't understand the logic... If not, then I am not sure what I am
    > doing wrong.

    Try again including "--hash plain" on the command line. When the
    key is read from a keyfile, no hash is used and the key is simply
    truncated to the correct length (too short is an error). A key read
    from the terminal or from stdin is hashed, then truncated or padded
    to the proper length.


    See "NOTES ON PASSWORD PROCESSING" in the cryptsetup manpage.
    Presumably, if you stored the hashed key phrase in the keyfile
    (DAMHTDT) it would work from the terminal without "--hash plain".


    --
    Bob Nichols "NOSPAM" is really part of my email address.
                      Do NOT delete it.

Discussion Overview
group: centos @
categories: centos
posted: Mar 4, '15 at 9:16p
active: Mar 4, '15 at 11:33p
posts: 2
users: 2
website: centos.org
irc: #centos
