Bug#408976: [Pkg-cryptsetup-devel] Bug#408976: cryptsetup: --key-file=- produces different mapper device than --key-file=<keyfile>

David Härdeman david at hardeman.nu
Tue Jan 30 10:43:20 CET 2007


On Mon, January 29, 2007 9:15, Goran Gmitrovic said:
> Using one of the previous versions of
> "/usr/share/initramfs-tools/scripts/local-top/cryptroot" together with the
> option "keyscript" in "/etc/crypttab"
> worked fine for me until you add "--key-file=-" to this line 198
> "$cryptkeyscript $cryptkey < /dev/console | $cryptcreate --key-file=-".
>
> My keyscript was
> ROOTKEY="$1"
> /bin/cat "$ROOTKEY" | /bin/sha1sum
> The output was then hashed by cryptsetup. So I changed the last line to
> /bin/cat "$ROOTKEY" | /bin/sha1sum | /sbin/hashalot -n 32 sha256
> to produce now the raw keyfile information. However, it did not work.

Actually, I'm surprised either of the two works unless you've made sure
that the sha1sum and hashalot binaries are also copied into the initramfs
image for you.

Anyway, your problem is probably what is documented in the NEWS file:

"The --key-file=- argument has changed. If a --hash parameter is passed,
it will now be honored...To emulate the old behaviour, make sure that you
pass "--hash=plain" to cryptsetup."

i.e. previously the input to cryptsetup was not hashed, now it is hashed
unless you specifically tell cryptsetup not to.

So, could you please try to add "hash=plain" to the relevant line(s) in
/etc/crypttab, regenerate your initramfs image ("update-initramfs -u -k
<KERNEL-VERSION>") and reboot and see if that fixes your problem?

> Should "--key-file=-" really be used to get the raw keyfile information
> from the stdin, because "cryptsetup --key-file=- create <name> <device>"
> asks for
> the passphrase?

Yes, "--key-file=-" will do a binary read on stdin if stdin is a file (or
pipe), what it will do if stdin is a terminal I'm not sure (and I can't
check at the moment).

-- 
David Härdeman
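The two fixes suggested in the reply above (append "hash=plain" to the options field of the /etc/crypttab line, and make sure the keyscript's helper binaries actually end up in the initramfs) as an added shell example. This is not code from the bug report or from the cryptsetup package; the crypttab line and the initramfs listing it operates on are constructed samples, and the function names are mine. It assumes the Debian crypttab layout of four whitespace-separated fields (target, source device, key file, comma-separated options) and a listing in the one-path-per-line format that "lsinitramfs" prints.

```shell
#!/bin/sh
# Added example (not part of the original thread). Assumes Debian's
# /etc/crypttab format: <target> <source> <key file> <options>.

# add_hash_plain LINE
# Prints LINE with "hash=plain" added to the options field unless a hash=
# option is already present, so cryptsetup stops hashing what the keyscript
# feeds it on stdin via --key-file=-. Blank lines and comments pass through.
add_hash_plain() {
    line=$1
    case $line in
        ''|'#'*) printf '%s\n' "$line"; return 0 ;;
    esac
    # Split the line into its four fields (default IFS: space, tab, newline).
    # shellcheck disable=SC2086
    set -- $line
    target=$1 src=$2 keyfile=${3:-none} opts=${4:-}
    case ",$opts," in
        *,hash=*) ;;                      # hash already explicit: leave it alone
        ,,)       opts="hash=plain" ;;    # no options yet
        *)        opts="$opts,hash=plain" ;;
    esac
    printf '%s %s %s %s\n' "$target" "$src" "$keyfile" "$opts"
}

# missing_from_initramfs LISTING NAME...
# LISTING is the output of "lsinitramfs /boot/initrd.img-<KERNEL-VERSION>"
# (one path per line). Prints every NAME whose basename does not occur in
# LISTING, i.e. a binary the keyscript calls but the initramfs lacks.
missing_from_initramfs() {
    listing=$1
    shift
    for name in "$@"; do
        printf '%s\n' "$listing" | grep -q "/$name\$" || printf '%s\n' "$name"
    done
}

# Constructed sample input (not taken from the reporter's system).
sample_crypttab='cryptroot /dev/sda2 /dev/hda1 keyscript=/usr/local/sbin/rootkey'
sample_listing='usr/bin/sha1sum
sbin/cryptsetup
bin/cat'

add_hash_plain "$sample_crypttab"
# The keyscript in the report pipes through sha1sum and hashalot; list what
# the sample initramfs would be missing for it (hashalot, in this sample).
missing_from_initramfs "$sample_listing" sha1sum hashalot cryptsetup
# On a real system the last two steps are then:
#   update-initramfs -u -k "$(uname -r)"   # rebuild the initramfs image
#   reboot
```

Run it against a real system by replacing the constructed variables with `$(grep -v '^#' /etc/crypttab)` and `$(lsinitramfs /boot/initrd.img-"$(uname -r)")`; a non-empty result from the second function means the keyscript will fail inside the initramfs regardless of the hash setting.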
