On 05/05/2010 06:42 AM, Stefan G. Weichinger wrote:
> Am 04.05.2010 23:24, schrieb Daniel Troeder:
> 
>> I'm using sys-fs/cryptsetup-1.1.1_rc1 since 02.05.2010 and didn't have
>> any issues.
>> Please decrypt your partition from the command line, so we can see if it
>> is a cryptsetup/luks/kernel problem or a pam_mount problem.
>>
>> Cmdline should be something like:
>> $ sudo cryptsetup -d /etc/security/verysekrit.key luksOpen /dev/mapper/VG01-crypthome myhome
>> Which should create /dev/mapper/myhome.
> 
> My user sgw is currently not allowed to sudo this (should it be? it
> never was).
> 
> And for root it says "Kein Schlüssel mit diesem Passsatz verfügbar."
> (German) which should be "No key available with this passphrase." in
> English.
That is a message from cryptsetup. As you are using openssl to get the
key, I think the problem might be there.

I followed the guide you linked here (website is down, but google-cache
works:
http://webcache.googleusercontent.com/search?q=cache:7eaSac72CoIJ:home.coming.dk/index.php/2009/05/20/encrypted_home_partition_using_luks_pam_+encrypted_home_partition_using_luks_pam&cd=2&hl=de&ct=clnk&gl=de&client=firefox-a)
and it works for me (kernel is 2.6.33-zen2):

lvcreate -n crypttest -L 100M vg0
KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`
echo $KEY | openssl aes-256-ecb > verysekrit.key
openssl aes-256-ecb -d -in verysekrit.key
# (aha :)
openssl aes-256-ecb -d -in verysekrit.key | cryptsetup -v --cipher aes-cbc-plain --key-size 256 luksFormat /dev/vg0/crypttest
openssl aes-256-ecb -d -in verysekrit.key | cryptsetup luksOpen /dev/vg0/crypttest decryptedtest
cryptsetup luksClose crypttest
# (i couldn't close it... don't know why...)

The key that cryptsetup is given to decrypt the partition is created by
openssl from the file. Please check the output of
$ openssl aes-256-ecb -d -in verysekrit.key
under both kernels - it should be identical.
BTW: You'll get your error message if you run:
$ echo notmykey | cryptsetup luksOpen /dev/vg0/crypttest decryptedtes

Bye,
Daniel




-- 
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
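
The check requested in the message above (the output of `openssl aes-256-ecb -d -in verysekrit.key` should be identical under both kernels), as an added example that is not part of the original message. It compares a SHA-256 fingerprint of the decrypted bytes instead of printing the key; the function names, the passphrase file (`-pass file:...`) and the demo data are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Fingerprints the bytes that
# `openssl aes-256-ecb -d -in KEYFILE` would pipe into cryptsetup, so the
# result can be compared between two boots without displaying the key.
# Assumption: the passphrase is read from a file (-pass file:...) so the
# check runs unattended; the thread types it at openssl's prompt instead.

# key_fingerprint KEYFILE PASSFILE -> prints SHA-256 of the decrypted bytes.
# The stream is hashed inside the pipeline: a shell variable would drop the
# trailing newline that `echo $KEY` put into the key material.
key_fingerprint() (
    set -o pipefail   # report an openssl failure, not just sha256sum's status
    fp=$(openssl aes-256-ecb -d -in "$1" -pass "file:$2" 2>/dev/null | sha256sum) || {
        echo "decrypting $1 failed" >&2
        exit 1
    }
    printf '%s\n' "${fp%% *}"
)

# same_key KEYFILE PASSFILE EXPECTED_SHA256
# 0 = identical key material, 1 = different bytes, 2 = could not decrypt.
same_key() {
    local fp
    fp=$(key_fingerprint "$1" "$2") || return 2
    [ "$fp" = "$3" ]
}

# Demo on constructed data: run with --demo. Nothing touches a real volume.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
    printf '%s\n' 'constructed-passphrase' > "$tmp/pass"
    KEY=$(LC_ALL=C tr -cd '[:graph:]' < /dev/urandom | head -c 79)
    echo "$KEY" | openssl aes-256-ecb -pass "file:$tmp/pass" -out "$tmp/verysekrit.key" 2>/dev/null
    recorded=$(key_fingerprint "$tmp/verysekrit.key" "$tmp/pass")
    echo "fingerprint to record on the working system: $recorded"
    same_key "$tmp/verysekrit.key" "$tmp/pass" "$recorded" && echo "key material identical"
fi
```

Record the fingerprint under the kernel where luksOpen works, then pass it as the third argument to `same_key` under the other kernel.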
