[pkg-cryptsetup-devel] Bug#1141580: cryptsetup-initramfs: cryptroot-unlock non-interactive mode is buggy in case of trailing newline character
Vincent Lefevre
vincent at vinc17.net
Mon Jul 6 18:06:16 BST 2026
Control: reopen -1
On 2026-07-06 17:52:04 +0200, Guilhem Moulin wrote:
> On Mon, 06 Jul 2026 at 17:34:57 +0200, Vincent Lefevre wrote:
> > but in case the piped content is a text file (usually the case),
> > i.e. with a newline character after the passphrase, then one gets
> > an error, e.g.
>
> It is the intended behavior, feel free to suggest a better wording for
> README.Debian.gz but passphrase processing is already documented in
> cryptsetup(8):
>
> | Passphrase processing for LUKS
> |
> | From a terminal: The passphrase is read until the first newline and
> | then processed by PBKDF2 without the newline character.
> |
> | From stdin: LUKS will read passphrases from stdin up to the first
> | newline character or the compiled-in maximum key file length. If
> | --keyfile-size is given, it is ignored.
> |
> | From key file: The complete keyfile is read up to the compiled-in
> | maximum size. Newline characters do not terminate the input. The
> | --keyfile-size option can be used to limit what is read.
The above man page is about the cryptsetup utility:
NAME
cryptsetup - utility for configuring and managing encrypted storage
devices
My bug report refers to cryptroot-unlock, which is a different command.
And there is no way to provide a file to SSH, so this is "from stdin"
(this is a pipe to ssh, and the input is thus read from stdin).
So, either one considers that the conventions from cryptsetup(8) apply
(thus from stdin), and this is clearly an unexpected behavior; or this
is undocumented for cryptroot-unlock, which does not have a man page.
Thus the only documentation is in the README.Debian.gz file Section 8
"8. Remotely unlock encrypted rootfs" (note that this section doesn't
have any reference to the cryptsetup(8) man page), which does not say
anything about newline characters.
Note also that this README.Debian.gz file Section 8 is what
/usr/share/doc/dropbear-initramfs/README.initramfs points to:
Unlocking procedure
-------------------
You can unlock your rootfs on bootup remotely, using SSH to log in to
the booting system while it's running with the initramfs mounted.
Consult cryptsetup's /usr/share/doc/cryptsetup/README.Debian.gz sec. 8
for details.
But I don't see the point in including a newline character in
a passphrase, since such a passphrase will never be accepted
in interactive mode.
BTW, the cryptsetup(8) man page says:
[...] A passphrase stored in a file is called a key file. The only
difference between a passphrase and a key file is that a key file
can contain binary data. Both are processed the same.
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Even for the cryptsetup utility, this is contradictory.
--
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
More information about the pkg-cryptsetup-devel
mailing list