[dm-crypt] about invalid key slots

.. ink .. mhogomchungu at gmail.com
Mon Apr 2 14:14:16 CEST 2012


> Please do not try to parse physical header structure outside of cryptsetup,
> header can change in future (new version) etc. libcryptsetup should
> be wrapper over these internals.

I was not going to. I was puzzled by the "CRYPT_SLOT_INVALID" entry in the
"crypt_keyslot_info" structure when I looked at the API a couple of months
ago, but I never asked about it. All these posts about invalid key slots
just made me look at the puzzle again and ask about it.


> CRYPT_SLOT_INVALID is returned if e.g. slot # is above limit, not
> if header is corrupted.
>
> Milan

OK, I guess this solves my confusion. The same term is used for two different
things. crypt_load() will fail when the header is corrupt and my code will
just return "its not luks device"; I can live with this or come up with
something within the API. Will not even attempt to go over or under the API.

An invalid key slot due to a corrupted header is a serious problem and
everybody seems to be reporting on this. How serious is the
"CRYPT_SLOT_INVALID" status on a key slot as reported by
crypt_keyslot_status()?

Since my code goes far enough to see this one (crypt_load() passes) and
can open volumes if the key is in another slot, it seems useful to inform my
users of this status but not confuse them with the more serious one.

This is the output I made the tool generate when it encounters
"CRYPT_SLOT_INVALID":

[ink at mtz ~]$ zuluCrypt-cli -O -d cvol -p xxx
SUCCESS: Volume opened successfully
WARNING: the volume has atleast one corrupted key slot

Does "corrupt" differ enough from "invalid"? Any suggestions on the term to
use to describe the "CRYPT_SLOT_INVALID" status?