[pkg-cryptsetup-devel] Bug#748286: cryptsetup: crypttab does not support truecrypt volumes
Dmitriy Matrosov
sgf.dma at gmail.com
Thu May 15 19:49:26 UTC 2014
Package: cryptsetup
Version: 2:1.6.4-4
Severity: important
Tags: patch
Hi.
This bug has already been reported and is now marked as fixed (#722509), but
truecrypt volumes still can't be opened from crypttab.
The reason is that cryptsetup for truecrypt interprets '--key-file=-' as "read the key file named
dash", so this option causes the error "Failed to open key file". And
because all cases come down to adding such an option, none of the truecrypt
setups (key file(s) and/or password) work now.
Perhaps cryptsetup for truecrypt always expects a password on stdin (even if key
file(s) were used), because truecrypt does not use a key file as the header key
directly (like luks does), but just as one more password (well, this is just how I
understand it, and may be wrong).
Anyway, the patch below adds two options:
'tcryptsystem' - for opening system truecrypt volumes.
'tcryptkey' - for specifying additional truecrypt keys.
and makes the following truecrypt configs work from crypttab:
- System encryption.
- Password only.
- (multiple) key file(s) (without a password).
- Password and (multiple) key file(s).
Keyscripts may be used with truecrypt volumes only if they output a password
(e.g. decrypt_keyctl).
Here are examples for several truecrypt setups:
1. For a password with (multiple) key files, specify 'none' in the 3rd
crypttab field, and list all truecrypt key files in one (or more)
'tcryptkey' options. E.g. a volume with a password and two key files:
flash /dev/sdc1 none tcrypt,precheck=/bin/true,tcryptkey=/flash-21.tckey,tcryptkey=/flash-22.tckey
Note the precheck= option. I added (in the patch) a default for precheck of
'/bin/false', and this is exactly the truecrypt case: precheck is not
defined, and needs to be specified explicitly.
2. For (multiple) key files, specify one key file in the 3rd crypttab
field, and the others in 'tcryptkey' options. E.g. a volume with 2 key files
and without a password:
flash /dev/sdc1 /flash-21.tckey tcrypt,precheck=/bin/true,tcryptkey=/flash-22.tckey
Here is the patch:
diff --git a/src/cryptdisks.functions b/src/cryptdisks.functions
index ce2c0f0..68b2bc8 100644
--- a/src/cryptdisks.functions
+++ b/src/cryptdisks.functions
@@ -26,6 +26,8 @@ MOUNT="$CRYPTDISKS_MOUNT"
# Parses the option field from the crypttab file
parse_opts () {
local opts opt IFS PARAM VALUE
+ local nl='
+'
# Strip comments - https://bugs.launchpad.net/bugs/185380
opts=$(echo -n $1 | sed 's/ *#.*//')
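Review bot: the literal-newline `nl` local added here is declared a second time in do_tcrypt further down in the patch; define it once at file scope (next to the `MOUNT=` assignment this hunk's header shows) so the two copies cannot drift, and add a one-line comment that the closing `'` on its own line is intentional, since the construct is easy to mistake for an unterminated quote.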
@@ -206,6 +208,18 @@ parse_opts () {
tcrypthidden)
TCRYPTPARAMS="$TCRYPTPARAMS --tcrypt-hidden"
;;
+ tcryptsystem)
+ TCRYPTPARAMS="$TCRYPTPARAMS --tcrypt-system"
+ ;;
+ tcryptkey)
+ # Make newline separated list of additional key files.
+ # Thus, filenames may not contain newlines.
+ if [ -z "$VALUE" ]; then
+ log_warning_msg "no additional truecrypt key specified, skipping"
+ return 1
+ fi
+ TCRYPTKEYS="${TCRYPTKEYS:+$TCRYPTKEYS$nl}$VALUE"
+ ;;
esac
CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
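Review bot: `TCRYPTKEYS` is appended to in the `tcryptkey` case but is never initialised or reset in parse_opts (it is not in the `local` list either), so if parse_opts runs once per crypttab line in the same shell, key files from an earlier tcrypt entry are carried into every later entry's `--key-file` list; reset it alongside the other per-line variables. Also, the empty-value branch logs "skipping" but does `return 1`, which abandons parsing of the remaining options on that line; if this case sits inside the per-option loop, `continue` matches the message, otherwise the message should say the whole entry is rejected.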
@@ -342,13 +356,26 @@ do_luks () {
return 0
}
+# Empty password for truecrypt (i'll use it, when opening volume with keys
+# only).
+tcrypt_no_pass()
+{
+ echo a | sed -e's/./\x0/'
+}
+
# Setup a tcrypt mapping
do_tcrypt () {
local tried keyscriptarg
+ local f
+ local OIFS="$IFS"
+ local nl='
+'
tried=0
keyscriptarg=""
- if ! pre_out="$($PRECHECK "$src" 2>/dev/null)" && \
+ # If no precheck have been defined, i'll run $src as command. I'd
+ # better default to /bin/false .
+ if ! pre_out="$(${PRECHECK:-/bin/false} "$src" 2>/dev/null)" && \
! /lib/cryptsetup/checks/blkid "$src" swap >/dev/null; then
log_warning_msg "$dst: the precheck for '$src' failed: $pre_out"
return 1
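Review bot: `tcrypt_no_pass` does not emit an empty passphrase: `echo a | sed -e's/./\x0/'` writes a NUL byte followed by a newline, and `\x0` in the replacement is a GNU sed extension, so the function silently changes behaviour under another sed (busybox in an initramfs, for instance). If cryptsetup really needs a NUL-prefixed line here rather than an empty one, state that in the comment; otherwise `printf '\n'` is portable and matches what the comment promises. Separately, `${PRECHECK:-/bin/false}` makes every tcrypt entry without an explicit `precheck=` fail (unless blkid reports swap), and the warning then prints an empty `$pre_out`; either skip the precheck when PRECHECK is unset or log that no precheck was configured so the failure is diagnosable.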
@@ -356,42 +383,47 @@ do_tcrypt () {
if [ -n "$KEYSCRIPT" ]; then
# keyscript => "key" is just an argument to the keyscript
+ # Only keyscript outputting password (e.g. decrypt_keyctl) will
+ # work.
keyscriptarg="$key"
- key="-"
+ key=""
elif [ -z "$key" ]; then
# no keyscript, no key => password
keyscriptarg="Unlocking the disk $src ($dst)\nEnter passphrase: "
- key="-"
+ key=""
if [ -x /bin/plymouth ] && plymouth --ping; then
KEYSCRIPT="plymouth ask-for-password --prompt"
keyscriptarg=$(printf "$keyscriptarg")
else
KEYSCRIPT="/lib/cryptsetup/askpass"
fi
- elif [ "$key" != "${key%/dev/*}" ]; then
+ else
+ # Two original cases here:
# no keyscript, device key => special treatment
+ # no keyscript, key => file input
keyscriptarg=""
key="$key"
- KEYSCRIPT=""
- else
- # no keyscript, key => file input
- keyscriptarg="$key"
- key="-"
- KEYSCRIPT="cat"
+ KEYSCRIPT="tcrypt_no_pass"
+ PARAMS="$PARAMS --key-file=$key"
+ fi
+ # Add additional key files, if any.
+ if [ -n "$TCRYPTKEYS" ]; then
+ IFS="$nl"
+ # FIXME: Pathname expansion still runs on filenames, may be
+ # disable it?
+ set -- $TCRYPTKEYS
+ for f; do
+ PARAMS="${PARAMS:+$PARAMS }--key-file=$f"
+ done
+ set --
+ IFS="$OIFS"
fi
- PARAMS="$PARAMS --key-file=$key"
-
while [ "$tried" -lt "$TRIES" ] || [ "$TRIES" -eq "0" ]; do
export CRYPTTAB_TRIED="$tried"
- if [ -n "$KEYSCRIPT" ]; then
- if $KEYSCRIPT "$keyscriptarg" | cryptsetup $PARAMS $TCRYPTPARAMS open --type tcrypt "$src" "${dst}_unformatted"; then
- break
- fi
- else
- if cryptsetup $PARAMS $TCRYPTPARAMS open --type tcrypt "$src" "${dst}_unformatted"; then
- break
- fi
+ # KEYSCRIPT is always set, so i don't need to check.
+ if $KEYSCRIPT "$keyscriptarg" | cryptsetup $PARAMS $TCRYPTPARAMS open --type tcrypt "$src" "${dst}_unformatted"; then
+ break
fi
tried=$(( $tried + 1 ))
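Review bot: `set -- $TCRYPTKEYS` still performs pathname expansion on each key file name (the FIXME says as much); wrap it in `set -f` / `set +f` (restoring the previous state) so a name containing `*` or `?` is not globbed. `$PARAMS` is also expanded unquoted on the cryptsetup line, so any key file path containing whitespace is split into separate arguments; this predates the patch, but the new multi-key list makes it more likely to bite. Two smaller points: `key="$key"` is a no-op left over from merging the two branches and can go, and folding the former `/dev/*` branch into the file-input branch means a device key is now fed `tcrypt_no_pass` on stdin where the old code ran cryptsetup with no pipe at all, which deserves a sentence in the commit message.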
@@ -402,7 +434,7 @@ do_tcrypt () {
if [ -n "$CHECK" ] && ! "$CHECK" "/dev/mapper/${dst}_unformatted" $CHECKARGS; then
log_warning_msg "$dst: the check for '/dev/mapper/$dst' failed"
- cryptsetup luksClose "${dst}_unformatted"
+ cryptsetup close "${dst}_unformatted"
return 1
fi
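Review bot: replacing `luksClose` with `close` on the check-failure path is unrelated to the key-file handling this patch is about; split it into its own one-line commit so it can be applied and reviewed independently of the tcryptkey/tcryptsystem change.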
--
Dmitriy Matrosov
-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.13-1-amd64 root=/dev/mapper/jessie_root ro quiet
-- /etc/crypttab
jessie_root /dev/reiji/enc_jessie_root reiji luks,keyscript=decrypt_keyctl
jessie_usr /dev/reiji/enc_jessie_usr /etc/keys/jessie_usr.lukskey luks
jessie_var /dev/reiji/enc_jessie_var /etc/keys/jessie_var.lukskey luks
jessie_tmp /dev/reiji/enc_jessie_tmp /etc/keys/jessie_tmp.lukskey luks
jessie_swap /dev/reiji/enc_jessie_swap /dev/urandom swap,cipher=aes-xts-plain64,size=256,hash=sha1
home /dev/reiji/enc_home /etc/keys/home.lukskey luks
backup /dev/reiji/enc_backup /etc/keys/backup.lukskey luks
w7_backup /dev/sdb4 reiji tcrypt,precheck=/bin/true,keyscript=decrypt_keyctl
w7_data /dev/sda3 reiji tcrypt,precheck=/bin/true,keyscript=decrypt_keyctl
w7 /dev/sdb2 reiji tcrypt,tcryptsystem,precheck=/bin/true,keyscript=decrypt_keyctl,check=keyctl_clear
flash /dev/sdc1 none tcrypt,precheck=/bin/true,tcryptkey=/root/flash-21.tckey,tcryptkey=/root/flash-22.tckey
-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=227ce6c3-0de7-4436-9e13-6442a3d7d8f4 /boot ext3 defaults 0 2
/dev/mapper/jessie_root / ext4 errors=remount-ro 0 1
/dev/mapper/jessie_usr /usr ext4 defaults 0 2
/dev/mapper/jessie_var /var ext4 defaults 0 2
/dev/mapper/jessie_tmp /var/tmp ext4 defaults 0 2
/dev/mapper/jessie_swap none swap sw 0 0
/dev/mapper/home /home ext4 defaults 0 2
/dev/mapper/backup /var/backups ext4 defaults 0 2
-- lsmod
Module Size Used by
nls_utf8 12456 0
nls_cp437 16553 0
vfat 17135 0
fat 53794 1 vfat
nfsd 259239 2
auth_rpcgss 51202 1 nfsd
oid_registry 12419 1 auth_rpcgss
nfs_acl 12511 1 nfsd
nfs 183626 0
lockd 79321 2 nfs,nfsd
fscache 45542 1 nfs
sunrpc 224626 6 nfs,nfsd,auth_rpcgss,lockd,nfs_acl
fuse 78793 1
blowfish_generic 12464 0
blowfish_x86_64 21132 0
blowfish_common 16487 2 blowfish_generic,blowfish_x86_64
ecb 12737 0
des_generic 20851 0
cast5_avx_x86_64 49760 0
cast5_generic 20813 1 cast5_avx_x86_64
cast_common 12313 2 cast5_generic,cast5_avx_x86_64
cbc 12696 0
twofish_generic 16569 0
twofish_avx_x86_64 46079 0
twofish_x86_64_3way 25483 1 twofish_avx_x86_64
twofish_x86_64 12541 2 twofish_avx_x86_64,twofish_x86_64_3way
twofish_common 20585 4 twofish_generic,twofish_avx_x86_64,twofish_x86_64_3way,twofish_x86_64
serpent_avx_x86_64 46241 0
serpent_sse2_x86_64 50146 0
serpent_generic 29140 2 serpent_sse2_x86_64,serpent_avx_x86_64
xts 12679 2 serpent_sse2_x86_64,twofish_x86_64_3way
algif_skcipher 13008 0
af_alg 12988 1 algif_skcipher
raid1 34596 2
snd_hda_codec_hdmi 40859 1
x86_pkg_temp_thermal 12951 0
intel_powerclamp 13063 0
intel_rapl 17356 0
coretemp 12854 0
kvm_intel 130584 0
kvm 380332 1 kvm_intel
snd_hda_codec_via 22798 1
eeepc_wmi 12600 0
asus_wmi 22866 1 eeepc_wmi
md_mod 103628 2 raid1
snd_hda_intel 43768 0
snd_hda_codec 146743 3 snd_hda_codec_hdmi,snd_hda_codec_via,snd_hda_intel
snd_hwdep 13148 1 snd_hda_codec
snd_pcm 84153 3 snd_hda_codec_hdmi,snd_hda_codec,snd_hda_intel
snd_page_alloc 17114 2 snd_pcm,snd_hda_intel
snd_timer 26614 1 snd_pcm
snd 60917 7 snd_hwdep,snd_timer,snd_hda_codec_hdmi,snd_hda_codec_via,snd_pcm,snd_hda_codec,snd_hda_intel
soundcore 13026 1 snd
sparse_keymap 12818 1 asus_wmi
rfkill 18867 1 asus_wmi
nouveau 999240 1
iTCO_wdt 12831 0
iTCO_vendor_support 12649 1 iTCO_wdt
mxm_wmi 12515 1 nouveau
ttm 65523 1 nouveau
video 17804 2 nouveau,asus_wmi
button 12944 1 nouveau
wmi 17339 3 mxm_wmi,nouveau,asus_wmi
parport_pc 26300 0
parport 35749 1 parport_pc
pcspkr 12595 0
drm_kms_helper 35695 1 nouveau
drm 236628 3 ttm,drm_kms_helper,nouveau
i2c_algo_bit 12751 1 nouveau
i2c_i801 16965 0
i2c_core 24092 5 drm,i2c_i801,drm_kms_helper,i2c_algo_bit,nouveau
processor 28274 0
lpc_ich 20768 0
mfd_core 12601 1 lpc_ich
mei_me 13400 0
mei 49922 1 mei_me
evdev 17445 13
ext4 465511 7
crc16 12343 1 ext4
mbcache 13082 1 ext4
jbd2 82560 1 ext4
hid_generic 12393 0
usbhid 44439 0
hid 94034 2 hid_generic,usbhid
usb_storage 52036 0
dm_crypt 22595 10
dm_mod 89365 49 dm_crypt
sg 29972 0
sd_mod 44346 10
crc_t10dif 12431 1 sd_mod
crct10dif_pclmul 13387 1
crct10dif_common 12356 2 crct10dif_pclmul,crc_t10dif
crc32_pclmul 12915 0
crc32c_intel 21809 0
ghash_clmulni_intel 12978 0
aesni_intel 50772 20
aes_x86_64 16719 1 aesni_intel
lrw 12757 5 serpent_sse2_x86_64,aesni_intel,serpent_avx_x86_64,twofish_avx_x86_64,twofish_x86_64_3way
gf128mul 12970 2 lrw,xts
glue_helper 12695 5 serpent_sse2_x86_64,aesni_intel,serpent_avx_x86_64,twofish_avx_x86_64,twofish_x86_64_3way
ablk_helper 12572 5 serpent_sse2_x86_64,aesni_intel,serpent_avx_x86_64,twofish_avx_x86_64,cast5_avx_x86_64
cryptd 14516 13 ghash_clmulni_intel,aesni_intel,ablk_helper
ahci 25096 8
libahci 27202 1 ahci
libata 168945 2 ahci,libahci
ehci_pci 12472 0
scsi_mod 182938 4 sg,usb_storage,libata,sd_mod
ehci_hcd 48510 1 ehci_pci
xhci_hcd 107625 0
e1000e 195024 0
ptp 17460 1 e1000e
pps_core 13129 1 ptp
usbcore 154175 5 usb_storage,ehci_hcd,ehci_pci,usbhid,xhci_hcd
usb_common 12440 1 usbcore
thermal 17468 0
fan 12681 0
thermal_sys 27525 6 fan,video,intel_powerclamp,thermal,processor,x86_pkg_temp_thermal
-- System Information:
Debian Release: jessie/sid
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:1.6.4-4
ii debconf [debconf-2.0] 1.5.53
ii dmsetup 2:1.02.83-2
ii libc6 2.18-5
Versions of packages cryptsetup recommends:
ii busybox 1:1.22.0-5
ii console-setup 1.102
ii initramfs-tools [linux-initramfs-tool] 0.115
ii kbd 1.15.5-1
Versions of packages cryptsetup suggests:
pn dosfstools <none>
ii keyutils 1.5.6-1
ii liblocale-gettext-perl 1.05-8
-- debconf information:
cryptsetup/prerm_active_mappings: true
-- debsums errors found:
debsums: changed file /lib/cryptsetup/cryptdisks.functions (from cryptsetup package)
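The decision logic the report describes (which stdin feeder and which `--key-file` arguments a tcrypt crypttab line ends up with, and why `--key-file=-` must never appear) can be exercised without touching a device. The script below is an added example, not code from the cryptsetup package or from the patch above: it re-implements just the tcrypt branch of the patched parse_opts/do_tcrypt in POSIX sh and prints the pipeline that would be run. The device paths and key file names are constructed sample values taken from the examples in the report, and `tcrypt_no_pass`, `askpass` and `cryptsetup` are only named in the output string, never executed.

```shell
#!/bin/sh
# Added example (not cryptsetup's code): trace what the patched do_tcrypt
# would run for one crypttab line.  Sample paths below are constructed.

# tcrypt_plan NAME SOURCE KEYFIELD OPTIONS
# Sets PRECHECK, KEYFEEDER, PARAMS and TCRYPTPARAMS (globals, as
# cryptdisks.functions does) and prints the resulting pipeline.
tcrypt_plan() {
    dst=$1 src=$2 key=$3 opts=$4
    nl='
'
    [ "$key" = none ] && key=""
    PRECHECK="" KEYFEEDER="" PARAMS="" TCRYPTPARAMS="" keyscript="" tckeys=""

    oldifs=$IFS
    set -f                 # option values and key names must not be glob-expanded
    IFS=,
    for opt in $opts; do
        case $opt in
            *=*) param=${opt%%=*} value=${opt#*=} ;;
            *)   param=$opt value="" ;;
        esac
        case $param in
            tcrypthidden) TCRYPTPARAMS="${TCRYPTPARAMS:+$TCRYPTPARAMS }--tcrypt-hidden" ;;
            tcryptsystem) TCRYPTPARAMS="${TCRYPTPARAMS:+$TCRYPTPARAMS }--tcrypt-system" ;;
            tcryptkey)
                if [ -z "$value" ]; then
                    echo "$dst: empty tcryptkey option ignored" >&2
                    continue
                fi
                # newline-separated list, so key file names must not contain newlines
                tckeys="${tckeys:+$tckeys$nl}$value" ;;
            keyscript) keyscript=$value ;;
            precheck)  PRECHECK=$value ;;
        esac
    done

    # The patch defaults an unset precheck to /bin/false, so a tcrypt entry
    # has to name one explicitly (precheck=/bin/true in the report's examples).
    PRECHECK=${PRECHECK:-/bin/false}

    if [ -n "$keyscript" ]; then
        # keyscript: the key field is its argument; it must print a passphrase
        KEYFEEDER="$keyscript '$key'"
    elif [ -z "$key" ]; then
        # neither keyscript nor key: interactive passphrase prompt
        KEYFEEDER="/lib/cryptsetup/askpass 'Enter passphrase: '"
    else
        # key file only: pass it with --key-file and feed an empty passphrase
        # on stdin, never --key-file=- (for tcrypt that is a file named "-")
        KEYFEEDER="tcrypt_no_pass"
        PARAMS="--key-file=$key"
    fi

    IFS=$nl
    for f in $tckeys; do
        PARAMS="${PARAMS:+$PARAMS }--key-file=$f"
    done
    IFS=$oldifs
    set +f

    cmd="cryptsetup${PARAMS:+ $PARAMS}${TCRYPTPARAMS:+ $TCRYPTPARAMS}"
    echo "$KEYFEEDER | $cmd open --type tcrypt $src ${dst}_unformatted"
}

# Usage: the three setups from the report (password + key files, key files
# only, system volume via keyscript).
tcrypt_plan flash /dev/sdc1 none 'tcrypt,precheck=/bin/true,tcryptkey=/flash-21.tckey,tcryptkey=/flash-22.tckey'
tcrypt_plan flash /dev/sdc1 /flash-21.tckey 'tcrypt,precheck=/bin/true,tcryptkey=/flash-22.tckey'
tcrypt_plan w7 /dev/sdb2 reiji 'tcrypt,tcryptsystem,precheck=/bin/true,keyscript=decrypt_keyctl'
```

Run it and compare the printed pipelines with the cases in the report: the 'none' key field yields the askpass prompt plus every tcryptkey file, a key file in the 3rd field yields `tcrypt_no_pass` plus all files, and a keyscript entry gets the key field as the script's argument. Dropping the `precheck=` option leaves PRECHECK at /bin/false, which is the reason the examples spell it out.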