[dm-crypt] How can I write a passphrase hash to key file for plain dm-crypt?

John Lane dm-crypt at jelmail.com
Fri Nov 7 21:47:23 CET 2014

Thanks Arno, your pointer helped me resolve my problem, which was due to
a newline being appended by '<<<'.

I successfully created a key file with

   $ echo -n 'password' | openssl dgst -sha512 -binary > keyfile

What really helped was your suggestion to view the key from dm-crypt,
which I did like this

   $ dmsetup table --target crypt --showkey /dev/mapper/mydisk

That showed me what the SHA1 was and, once I knew that, I could compare
what I was generating with it and quickly realised the difference was
probably a terminating end-of-line character.

Many thanks to you.


On 07/11/14 18:56, Arno Wagner wrote:
> Hi John,
> the cryptsetup man-page has additional information about the 
> different ways a passphrase can be passed to it and what the
> conventions are in section "NOTES ON PASSPHRASE PROCESSING 
> FOR PLAIN MODE". That should get you started. 
I had read that, specifically the part "From a Key File" which is why I
believed I needed a binary key.
> If you want to generate a key that is the same as generated
> by a specific passphrase, the easiest way is probably to 
> map the container with the passphrase and then extract the 
> key from dm-crypt. I am not sure this works, but if it does,
> FAQ Item 6.10 has the information. dm-crypt just gets a 
> cipher and a key and does not know whether that key is a
> LUKS master key or a plain key. 
> Your example may fail because of differences in padding,
> for example. Also note that 
>   sha512sum <<< 'my_passphrase' | head -c 128 > mykey
> produces an ASCII representation of the hash truncated to
> 128 characters, while you probably want a binary representation
> that is 128 bit long. 
Yes, I was aware of that but just tried it in case I was wrong about it
being a binary key. My other attempt (the openssl one) produces a binary
key but didn't work for me. I now know that was due to the here-string
<<< appending a newline.
> Arno
> On Fri, Nov 07, 2014 at 17:34:39 CET, John Lane wrote:
>> I'm trying to use plain dm-crypt. I have an example like this
>>     $ cryptsetup open /dev/sda mydisk --type plain --hash sha512
>> that works fine. I enter 'password' as the pass phrase when requested.
>> I want to create an equivalent key-file so that I can do
>>     $ cryptsetup open /dev/sda mydisk --type plain --key-file mykey
>> I couldn't find a cryptsetup command to do this, so I tried these:
>>     $ openssl dgst -sha512 -binary <<< 'password' > mykey
>> also
>>     $ sha512sum <<< 'my_passphrase' | head -c 128 > mykey
>> without success.
>> As I understand it, the key file contains a binary key that is used
>> as-is, so I would have thought the first try above would have worked. I
>> even used xxd to check that mykey contained the hash in binary data.
>> How can I make a key-file that is equivalent to a keyed-in passphrase?
>> Thanks in advance.
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt at saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
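The pitfall the thread settles on (a here-string silently appends a newline, so the hashed bytes differ from what cryptsetup derives from the typed passphrase) in a runnable form. This is an added example, not code from the thread or from cryptsetup; it assumes openssl, sha512sum and od are on PATH and uses 'password' from the original question as the sample passphrase.

```bash
#!/bin/sh
# Derive a plain dm-crypt key file from a passphrase and show why
# `<<< 'password'` yields a different key than `echo -n 'password'`.

# Correct form: hash the passphrase bytes only, no trailing newline,
# and store the raw (binary) digest in the key file given as $2.
make_keyfile() {
    printf '%s' "$1" | openssl dgst -sha512 -binary > "$2"
}

# What a here-string actually feeds to the hash: the text plus "\n".
make_keyfile_with_newline() {
    printf '%s\n' "$1" | openssl dgst -sha512 -binary > "$2"
}

# Hex-encode a file so two key files can be compared in a readable way
# (this is also the form `dmsetup table --showkey` prints the key in).
hexof() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Byte length of a key file; a raw SHA-512 digest is 64 bytes.
keylen() {
    wc -c < "$1" | tr -d ' '
}

demo() {
    tmp=$(mktemp -d)
    make_keyfile 'password' "$tmp/good.key"
    make_keyfile_with_newline 'password' "$tmp/bad.key"
    printf 'echo -n style : %s (%s bytes)\n' \
        "$(hexof "$tmp/good.key")" "$(keylen "$tmp/good.key")"
    printf 'here-string   : %s (%s bytes)\n' \
        "$(hexof "$tmp/bad.key")" "$(keylen "$tmp/bad.key")"
    # Cross-check the binary file against sha512sum's ASCII hex output.
    if [ "$(hexof "$tmp/good.key")" = \
         "$(printf '%s' 'password' | sha512sum | cut -d' ' -f1)" ]; then
        echo "binary key file matches sha512sum of the passphrase"
    fi
    rm -rf "$tmp"
}

demo
```

To confirm the file really matches what a typed passphrase gives, compare `hexof keyfile` against the key column of `dmsetup table --target crypt --showkey /dev/mapper/mydisk` after opening the device with `--hash sha512` and the same passphrase, as the thread describes.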
