[pkg-cryptsetup-devel] Bug#748286: cryptsetup: crypttab does not support truecrypt volumes

Lukas Wunner lukas at wunner.de
Thu Sep 18 13:58:56 UTC 2014


this issue was reported in May but unfortunately TrueCrypt support
is still broken. Maybe the maintainers were hesitant to apply your
patch as it not only contains bugfixes but also introduces new

Attached is a small patch which *only* fixes TrueCrypt support and
does not contain any new features. Maintainers, please consider
applying this patch as soon as possible so as to prevent others
from having to painstakingly debug this all over again. You can
then take as much time as you need to evaluate Dmitriy's new

In particular, this patch fixes two issues in cryptroot-script:

(1) In line 238, variable $crypttcrypt is erroneously referenced as
    $crypttruecrypt. (Dmitriy's patch does not fix this.)

(2) In line 273, "cryptsetup open" is invoked with "--key-file=-"
    to force reading the passphrase from stdin. This doesn't work
    because in TrueCrypt mode, --key-file arguments are interpreted
    differently from LUKS mode. This is obliquely hinted at in the
    manpage: "Note that using keyfiles is compatible with TCRYPT
    and is different from LUKS keyfile logic."

    What this really means: With TrueCrypt volumes, the volume header
    is encrypted and cryptsetup doesn't read the passphrase to decrypt
    it from a keyfile. That passphrase is *always* read from stdin.
    Any --key-file arguments are only for supplying further (optional)
    keyfiles. Therefore, the file name "-" is interpreted verbatim
    and does not denote stdin, as stdin is already used to read
    the volume header passphrase.

    So the option "--key-file=-" may only be used with LUKS or plain
    volumes, not with TrueCrypt volumes.

    If you want to trace this in the code, src/cryptsetup.c:tcrypt_load()
    calls src/utils_password.c:tools_get_key(), setting the key_file
    parameter to NULL. That function calls lib/utils_crypt.c:crypt_get_key()
    which sets read_stdin = (!key_file || !strcmp(key_file, "-")) ? 1 : 0;
    and since key_file == NULL, the passphrase is always read from stdin.

Kind regards,

-------------- next part --------------
Index: cryptroot-script
--- cryptroot-script	(revision 1010)
+++ cryptroot-script	(working copy)
@@ -234,11 +234,11 @@
 		cryptopen="$cryptopen --allow-discards"
 	if /sbin/cryptsetup isLuks $cryptsource >/dev/null 2>&1; then
-		cryptopen="$cryptopen open --type luks $cryptsource $crypttarget"
-	elif [ "$crypttruecrypt" = "yes" ]; then
+		cryptopen="$cryptopen open --type luks $cryptsource $crypttarget --keyfile=-"
+	elif [ "$crypttcrypt" = "yes" ]; then
 		cryptopen="$cryptopen open --type tcrypt $cryptsource $crypttarget"
-		cryptopen="$cryptopen -c $cryptcipher -s $cryptsize -h $crypthash open --type plain $cryptsource $crypttarget"
+		cryptopen="$cryptopen -c $cryptcipher -s $cryptsize -h $crypthash open --type plain $cryptsource $crypttarget --keyfile=-"
 	cryptremove="/sbin/cryptsetup remove $crypttarget"
@@ -270,7 +270,7 @@
 		if [ ! -e "$NEWROOT" ]; then
 			if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
-			     $cryptkeyscript "$cryptkey" | $cryptopen --key-file=- ; then
+			     $cryptkeyscript "$cryptkey" | $cryptopen ; then
 				message "cryptsetup: cryptsetup failed, bad password or options?"

More information about the pkg-cryptsetup-devel mailing list