[pkg-cryptsetup-devel] Bug#513596: cryptsetup: Cannot delete a Keyslot from itselfs
Pierre Dinh-van
pierre at qsdf.org
Fri Jan 30 15:18:45 UTC 2009
Package: cryptsetup
Version: 2:1.0.6-7
Severity: normal
I noticed that it is impossible to remove a keyslot with the key of this slot.
The problem occurs both with a passphrase and with a key-file.
I guess it's not a feature, since it should be possible to delete all key-slots to make
access to the data quite impossible. There is also a warning message while trying to do it,
so I'm sure it should be possible (and in case we have to delete the last keyslot, the
only possibility is to use the same key).
Example:
root@pierre:/tmp# ls -sh keyslot*
4.0K keyslot0.rand 4.0K keyslot1.rand
root@pierre:/tmp# cryptsetup luksFormat -s256 /dev/mapper/pierre-testluks /tmp/keyslot0.rand
WARNING!
========
This will overwrite data on /dev/mapper/pierre-testluks irrevocably.
Are you sure? (Type uppercase yes): YES
Command successful.
root@pierre:/tmp# cryptsetup luksAddKey --key-file /tmp/keyslot0.rand /dev/mapper/pierre-testluks /tmp/keyslot1.rand
key slot 0 unlocked.
Command successful.
root@pierre:/tmp# cryptsetup luksDump /dev/mapper/pierre-testluks
LUKS header information for /dev/mapper/pierre-testluks
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 2056
MK bits: 256
MK digest: 84 b0 9a 7e 56 98 ed c0 01 56 cd a8 ab 6a be 25 e6 22 e4 4b
MK salt: a5 4f 46 09 9e 1d 9e 3b 08 d9 5b 35 8b ea 99 41
fb ae 4c 17 f1 03 32 4a af b0 76 c5 06 ed e1 e5
MK iterations: 10
UUID: b6bf43f9-6de5-4290-945f-65faaa8a188d
Key Slot 0: ENABLED
Iterations: 128887
Salt: e3 70 ff b6 d2 94 c0 a7 89 aa 97 33 6a 20 b2 c7
32 9f 65 6d 95 78 48 6b f2 52 3e c0 f8 04 27 34
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 236321
Salt: ba 18 91 42 b7 de 3f d0 db 96 0a 09 9e 9e 1c fb
06 e7 17 73 e6 8b e5 f7 9a c4 4d a7 3c e1 40 d4
Key material offset: 264
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
root@pierre:/tmp# cryptsetup luksKillSlot --key-file /tmp/keyslot1.rand /dev/mapper/pierre-testluks 1
No remaining key available with this passphrase.
Command failed.
root@pierre:/tmp# cryptsetup luksKillSlot --key-file /tmp/keyslot0.rand /dev/mapper/pierre-testluks 0
No remaining key available with this passphrase.
Command failed.
root@pierre:/tmp# cryptsetup luksKillSlot --key-file /tmp/keyslot0.rand /dev/mapper/pierre-testluks 1
key slot 1 verified.
Command successful.
root@pierre:/tmp# cryptsetup luksKillSlot --key-file /tmp/keyslot0.rand /dev/mapper/pierre-testluks 0
WARNING!
========
This is the last keyslot. Device will become unusable after purging this key.
Are you sure? (Type uppercase yes): YES
No remaining key available with this passphrase.
Command failed.
root@pierre:/tmp#
-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.18-6-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages cryptsetup depends on:
ii dmsetup 2:1.02.27-4 The Linux Kernel Device Mapper use
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libdevmapper1.02.1 2:1.02.27-4 The Linux Kernel Device Mapper use
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libuuid1 1.41.3-1 universally unique id library
cryptsetup recommends no packages.
Versions of packages cryptsetup suggests:
ii dosfstools 3.0.1-1 utilities for making and checking
ii initramfs-tools [linux-initra 0.92o tools for generating an initramfs
ii udev 0.125-7 /dev/ and hotplug management daemo
-- no debconf information
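
A pre-flight check modelled on the session in the report above, as an added example that is not part of the original message or of cryptsetup. The helper names `enabled_slots` and `check_kill` are hypothetical, `SAMPLE_DUMP` is constructed from the "Key Slot" lines of the luksDump output shown, and the two refusal rules encode only the behaviour the session shows for version 2:1.0.6-7.

```sh
#!/bin/sh
# Constructed sample: the "Key Slot" lines of the luksDump output in the report.
SAMPLE_DUMP='Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the numbers of the ENABLED key slots in luksDump text read from stdin.
enabled_slots() {
    awk '$1 == "Key" && $2 == "Slot" && $4 == "ENABLED" {
             sub(":", "", $3); printf "%s%s", sep, $3; sep = " "
         } END { print "" }'
}

# check_kill DUMP TARGET AUTH  (hypothetical helper)
# Decide, before the destructive prompt is reached, whether removing slot
# TARGET while authorising with the key stored in slot AUTH matches a
# combination that succeeded in the reported session. Returns 0 only then.
check_kill() {
    dump=$1; target=$2; auth=$3
    slots=$(printf '%s\n' "$dump" | enabled_slots)
    for n in "$target" "$auth"; do
        case " $slots " in
            *" $n "*) ;;
            *) echo "refuse: slot $n is not enabled"; return 1 ;;
        esac
    done
    if [ "$slots" = "$target" ]; then
        echo "refuse: slot $target is the last enabled key slot"; return 1
    fi
    if [ "$target" = "$auth" ]; then
        echo "refuse: key is for slot $target itself, use a key from another slot"; return 1
    fi
    # KEYFILE_FOR_SLOT_n and DEVICE are placeholders, not real paths.
    echo "ok: cryptsetup luksKillSlot --key-file KEYFILE_FOR_SLOT_$auth DEVICE $target"
}

# Replay two attempts from the report against the sample header.
check_kill "$SAMPLE_DUMP" 1 1 || true   # same-slot key: failed in the report
check_kill "$SAMPLE_DUMP" 1 0 || true   # key from slot 0: succeeded in the report
```

On a real device the first argument would be the output of `cryptsetup luksDump` for that device.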