[dm-crypt] key-size argument not working with luksAddKey

Arno Wagner arno at wagner.name
Tue Sep 14 17:26:33 CEST 2010


On Tue, Sep 14, 2010 at 11:17:27AM -0400, Josh Litherland wrote:
> Hrm.  That's not what I thought key-size was doing at all.  I was imagining
> that it controlled how much of a key-file was read in and used for any
> operations that needed a passphrase.  It certainly behaves in the way I
> expected when used with luksOpen... if I try to open with 2000key and no
> key-size param, it doesn't work.

That is done differently. May I direct your attention to the 
item "How do I read a LUKS slot key from file?" in the FAQ?
(Found e.g. here: 
http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions)

Arno

> The patch I sent makes luksAddKey work as I thought it was meant to, but
> it's entirely possible I broke some other aspect of it that I'm not using at
> the moment.
> 
> Thank you for responding.  =)
> 
> On Tue, Sep 14, 2010 at 10:41 AM, Roscoe <eocsor at gmail.com> wrote:
> 
> > On Tue, Sep 14, 2010 at 8:07 AM, Josh Litherland <josh at temp123.org> wrote:
> > > Using cryptsetup 1.1.0~rc2 from Ubuntu Lucid apt package.  As an experiment,
> > > I have a 1000 byte key that I have in a file 1000key.  I have another file
> > > 2000key which is the key followed by 1000 pad bytes.  This works:
> > >
> > > # cryptsetup --key-file 1000key luksOpen /dev/loop0 cryptofs
> > >
> > > This also works:
> > >
> > > # cryptsetup --key-file 2000key --key-size 8000 luksOpen /dev/loop0 cryptofs
> > >
> > > This works too:
> > >
> > > # cryptsetup --key-file 1000key luksAddKey /dev/loop0
> > >
> > > But this bit doesn't work:
> > >
> > > # cryptsetup --key-file 2000key --key-size 8000 luksAddKey /dev/loop0
> > > No key available with this passphrase.
> > > #
> > >
> > > That is to say, the --key-size argument doesn't seem to be working with
> > > luksAddKey.
> > >
> > > Any suggestions ?
> >
> > --key-size should specify the size of the key used for
> > encryption/decryption, which is going to almost always be 112-512
> > bits.
> >
> > As this key is stored in the key slots and has a length described in
> > the header it doesn't make any sense to pass it to cryptsetup for any
> > of the luks commands other than luksFormat.
> >
> > Doesn't help your problem at all, though. It seems like you want it to
> > mean the amount of input to the PBKDF2 function.
> >
> > -- Roscoe
> >
> 
> 
> 
> -- 
> Josh Litherland (josh at temp123.org)



-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

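Added example, not part of the original message and not cryptsetup's code: a simplified Python model of the distinction drawn in this thread between the master-key size fixed at luksFormat and the key-file bytes that feed PBKDF2 for a key slot. The names luks_format, fill_slot, unlock, add_key, kdf and ITER are hypothetical, the XOR wrap stands in for the real anti-forensic split and cipher, and the key material is constructed.

```python
import hashlib, hmac, os

ITER = 1000  # constructed value, kept low so the example runs quickly

def kdf(secret: bytes, salt: bytes, length: int) -> bytes:
    # PBKDF2 as named in the thread; the hash choice here is illustrative.
    return hashlib.pbkdf2_hmac("sha1", secret, salt, ITER, length)

def fill_slot(hdr: dict, mk: bytes, passphrase: bytes) -> None:
    salt = os.urandom(32)
    # Every byte of the passphrase (the whole key file) feeds PBKDF2.
    kek = kdf(passphrase, salt, hdr["key_bytes"])
    # XOR stands in for the anti-forensic split and cipher (simplification).
    hdr["slots"].append((salt, bytes(a ^ b for a, b in zip(mk, kek))))

def luks_format(passphrase: bytes, key_size_bits: int = 256) -> dict:
    # key_size_bits fixes the master-key length once; the header records it.
    mk = os.urandom(key_size_bits // 8)
    salt = os.urandom(32)
    hdr = {"key_bytes": len(mk), "mk_salt": salt,
           "mk_digest": kdf(mk, salt, 20), "slots": []}
    fill_slot(hdr, mk, passphrase)
    return hdr

def unlock(hdr: dict, passphrase: bytes):
    # Try each slot; accept only if the recovered key matches the digest.
    for salt, wrapped in hdr["slots"]:
        kek = kdf(passphrase, salt, hdr["key_bytes"])
        mk = bytes(a ^ b for a, b in zip(wrapped, kek))
        if hmac.compare_digest(kdf(mk, hdr["mk_salt"], 20), hdr["mk_digest"]):
            return mk
    return None

def add_key(hdr: dict, existing: bytes, new: bytes) -> None:
    # Adding a slot first needs the master key, so the existing
    # passphrase must match byte for byte.
    mk = unlock(hdr, existing)
    if mk is None:
        raise ValueError("No key available with this passphrase.")
    fill_slot(hdr, mk, new)

if __name__ == "__main__":
    key_1000 = os.urandom(1000)            # constructed stand-in for 1000key
    key_2000 = key_1000 + b"\x00" * 1000   # constructed stand-in for 2000key
    hdr = luks_format(key_1000, 256)
    print("1000key unlocks:", unlock(hdr, key_1000) is not None)
    print("2000key unlocks:", unlock(hdr, key_2000) is not None)
    print("first 1000 bytes of 2000key:", unlock(hdr, key_2000[:1000]) is not None)
```

In this model the padded file only works once it is cut back to the original 1000 bytes before it reaches the KDF, while the master-key length stays whatever luks_format recorded in the header.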
