[pkg-cryptsetup-devel] Bug#748286: cryptsetup: crypttab does not support truecrypt volumes
Lukas Wunner
lukas at wunner.de
Thu Sep 18 13:58:56 UTC 2014
Hi,
this issue was reported in May but unfortunately TrueCrypt support
is still broken. Maybe the maintainers were hesitant to apply your
patch as it not only contains bugfixes but also introduces new
features.
Attached is a small patch which *only* fixes TrueCrypt support and
does not contain any new features. Maintainers, please consider
applying this patch as soon as possible so as to prevent others
from having to painstakingly debug this all over again. You can
then take as much time as you need to evaluate Dmitriy's new
features.
In particular, this patch fixes two issues in cryptroot-script:
(1) In line 238, variable $crypttcrypt is erroneously referenced as
$crypttruecrypt. (Dmitriy's patch does not fix this.)
(2) In line 273, "cryptsetup open" is invoked with "--key-file=-"
to force reading the passphrase from stdin. This doesn't work
because in TrueCrypt mode, --key-file arguments are interpreted
differently from LUKS mode. This is obliquely hinted at in the
manpage: "Note that using keyfiles is compatible with TCRYPT
and is different from LUKS keyfile logic."
What this really means: With TrueCrypt volumes, the volume header
is encrypted and cryptsetup doesn't read the passphrase to decrypt
it from a keyfile. That passphrase is *always* read from stdin.
Any --key-file arguments are only for supplying further (optional)
keyfiles. Therefore, the file name "-" is interpreted verbatim
and does not denote stdin, as stdin is already used to read
the volume header passphrase.
So the option "--key-file=-" may only be used with LUKS or plain
volumes, not with TrueCrypt volumes.
If you want to trace this in the code, src/cryptsetup.c:tcrypt_load()
calls src/utils_password.c:tools_get_key(), setting the key_file
parameter to NULL. That function calls lib/utils_crypt.c:crypt_get_key()
which sets read_stdin = (!key_file || !strcmp(key_file, "-")) ? 1 : 0;
and since key_file == NULL, the passphrase is always read from stdin.
Kind regards,
Lukas
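The two code paths Lukas traces above (tcrypt_load() handing a NULL key_file to tools_get_key(), versus the LUKS/plain path passing the user's --key-file through to crypt_get_key()) can be reduced to a small decision table. The block below is an added model written for this page; it is not cryptsetup's code and does not link against libcryptsetup. The enum names, the key_plan struct and plan_key() are assumptions introduced here purely to make the behaviour explicit: for LUKS and plain volumes "-" means stdin, for TrueCrypt volumes the passphrase comes from stdin regardless and "-" is taken as the literal name of a supplementary keyfile.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not cryptsetup's own types) of where "cryptsetup open"
 * obtains the unlocking passphrase and which file, if any, it opens as a
 * keyfile, depending on the volume type and the --key-file argument. */
enum volume_type { VOL_LUKS, VOL_PLAIN, VOL_TCRYPT };
enum pass_source { PASS_STDIN, PASS_KEYFILE };

struct key_plan {
    enum pass_source passphrase;  /* source of the header/volume passphrase   */
    const char *keyfile_path;     /* path opened as a keyfile, or NULL        */
    int dash_is_literal;          /* 1 if "-" would be opened as a real file  */
};

/* Same expression as lib/utils_crypt.c:crypt_get_key():
 * a NULL key_file or the name "-" selects stdin. */
static int reads_stdin(const char *key_file)
{
    return (!key_file || !strcmp(key_file, "-")) ? 1 : 0;
}

/* Decide how a given (type, --key-file) combination is interpreted. */
struct key_plan plan_key(enum volume_type type, const char *key_file)
{
    struct key_plan p = { PASS_STDIN, NULL, 0 };

    if (type == VOL_TCRYPT) {
        /* tcrypt_load() calls tools_get_key() with key_file == NULL, so the
         * header passphrase is always read from stdin.  Any --key-file value
         * is an additional TrueCrypt keyfile and is opened by name as-is. */
        p.passphrase = PASS_STDIN;
        if (key_file) {
            p.keyfile_path = key_file;
            p.dash_is_literal = (strcmp(key_file, "-") == 0);
        }
        return p;
    }

    /* LUKS and plain: the --key-file argument is passed straight through,
     * so NULL or "-" means "read the passphrase from stdin". */
    if (reads_stdin(key_file)) {
        p.passphrase = PASS_STDIN;
    } else {
        p.passphrase = PASS_KEYFILE;
        p.keyfile_path = key_file;
    }
    return p;
}

/* Human-readable summary, used only by the stand-alone main() below. */
static void describe(const char *label, struct key_plan p)
{
    printf("%-22s passphrase=%s keyfile=%s%s\n", label,
           p.passphrase == PASS_STDIN ? "stdin" : "keyfile",
           p.keyfile_path ? p.keyfile_path : "(none)",
           p.dash_is_literal ? "  <-- '-' opened as a literal filename" : "");
}

int main(void)
{
    describe("luks   --key-file=-",  plan_key(VOL_LUKS,   "-"));
    describe("plain  --key-file=-",  plan_key(VOL_PLAIN,  "-"));
    describe("tcrypt (no key-file)", plan_key(VOL_TCRYPT, NULL));
    describe("tcrypt --key-file=-",  plan_key(VOL_TCRYPT, "-"));
    describe("luks   --key-file=/k", plan_key(VOL_LUKS,   "/etc/keys/root.key"));
    return 0;
}
```

The last two rows of the table are the ones that matter for cryptroot-script: piping the keyscript output into `cryptsetup open --type tcrypt` works only when no --key-file option is given, because with `--key-file=-` cryptsetup would try to open a file called "-" in addition to reading the passphrase from stdin.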
-------------- next part --------------
Index: cryptroot-script
===================================================================
--- cryptroot-script (revision 1010)
+++ cryptroot-script (working copy)
@@ -234,11 +234,11 @@
cryptopen="$cryptopen --allow-discards"
fi
if /sbin/cryptsetup isLuks $cryptsource >/dev/null 2>&1; then
- cryptopen="$cryptopen open --type luks $cryptsource $crypttarget"
- elif [ "$crypttruecrypt" = "yes" ]; then
+ cryptopen="$cryptopen open --type luks $cryptsource $crypttarget --keyfile=-"
+ elif [ "$crypttcrypt" = "yes" ]; then
cryptopen="$cryptopen open --type tcrypt $cryptsource $crypttarget"
else
- cryptopen="$cryptopen -c $cryptcipher -s $cryptsize -h $crypthash open --type plain $cryptsource $crypttarget"
+ cryptopen="$cryptopen -c $cryptcipher -s $cryptsize -h $crypthash open --type plain $cryptsource $crypttarget --keyfile=-"
fi
cryptremove="/sbin/cryptsetup remove $crypttarget"
NEWROOT="/dev/mapper/$crypttarget"
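Review bot: the two added lines spell the option `--keyfile=-`, while the message body and the line removed in the second hunk use `--key-file=-`, which is the name cryptsetup's manpage documents; as written, the LUKS and plain branches would hand cryptsetup an unknown option instead of telling it to read the passphrase from stdin. Both added lines should read `... $cryptsource $crypttarget --key-file=-`. The variable rename from `$crypttruecrypt` to `$crypttcrypt` in the elif is correct and matches issue (1) in the message.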
@@ -270,7 +270,7 @@
if [ ! -e "$NEWROOT" ]; then
if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
- $cryptkeyscript "$cryptkey" | $cryptopen --key-file=- ; then
+ $cryptkeyscript "$cryptkey" | $cryptopen ; then
message "cryptsetup: cryptsetup failed, bad password or options?"
continue
fi
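Review bot: removing `--key-file=-` from the pipe is only safe for LUKS and plain volumes because the first hunk re-adds that option to `$cryptopen` for those two branches; the removed line covered all three volume types, so if the first hunk is applied with a different option spelling (or not at all) the LUKS and plain paths silently lose the explicit stdin instruction. It would be worth stating that dependency in the changelog entry, and keeping the two hunks in one commit.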