[dm-crypt] about invalid key slots

Milan Broz mbroz at redhat.com
Mon Apr 2 10:42:07 CEST 2012


On 04/02/2012 07:43 AM, .. ink .. wrote:

> is it possible to get or how can i create a volume with an invalid
> key? i would lik3 to test this for my program zulucrypt but i cant
> seem to manage to corrupt a volume. The best i have got after trying
> for hours is inconsistency at best.

You do not need to add test for anything - crypt_load reports invalid header.

Obviously you cannot create invalid LUKS header with libcryptsetup
(or you found a bug :-) but you can easily simulate similar problem
e.g. by overwriting the second sector of device:

# cryptsetup luksFormat /dev/sdb
# dd if=/dev/urandom of=/dev/sdb seek=1 bs=512 count=1

# cryptsetup luksDump /dev/sdb
LUKS keyslot 6 is invalid.
LUKS keyslot 7 is invalid.

Note it is visible header, just keyslot info area, not the keyslot
itself. (Perhaps I should fix the error message.)

> crypt_keyslot_status API shows the key is invalid but cryptsetup
> luksDump shown the key slot as disabled and cryptsetup executable
> just says the password does not exist when trying to open the volume
> with the a key in  slot i try to make invalid

You are parsing some error code wrong, it should fail during
crypt_load() already. If it fails, using any api function
over invalid crypt context is undefined, whatever function it is.

Milan


More information about the dm-crypt mailing list