[dm-crypt] Can I test for LUKS passphrase strength without formatting a device?

Jan Tulak jtulak at redhat.com
Tue Nov 7 22:34:23 CET 2017


On Tue, Nov 7, 2017 at 7:45 PM, Milan Broz <gmazyland at gmail.com> wrote:
> On 11/07/2017 05:51 PM, Jan Tulak wrote:
>> Is it possible to test whether a passphrase is strong enough (and
>> luksFormat will accept it), without the need to really create a device
>> with this passphrase? I ask because I want to test the password before
>> I run a sequence of commands and I don't want them to fail in the
>> middle just because of a weak passphrase.
>
> Cryptsetup/LUKS does not itself enforce any passphrase quality; it is libpwquality
> that libcryptsetup can be linked to (optionally, we use it in all Red Hat distros).
>
> See the man page for the pwquality library (the idea is to enforce password policy for
> the whole distro, so it uses a pwquality configuration file).
>
>> I checked for the --test-passphrase, but that verifies if the
>> passphrase would decrypt an existing device, which is not what I want.
>
> This tests only LUKS, pwquality is called only in Format.
>
> m.

Ah, thanks for directing me the right way. :-)

Cheers,
Jan
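
A pre-flight check along the lines discussed above, as an added example that is not part of the original thread or of cryptsetup itself. It assumes the `pwscore` tool shipped with libpwquality is installed and that it reads the same system pwquality configuration as the libpwquality-linked cryptsetup build; the function name `check_passphrase` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): test a passphrase against the
# system pwquality policy before any luksFormat is attempted.
# Assumption: pwscore (libpwquality CLI) uses the same default
# configuration file as the cryptsetup build linked to libpwquality.

# check_passphrase: reads the passphrase from stdin.
# Returns 0 = accepted, 1 = rejected by policy, 2 = pwscore missing.
check_passphrase() {
    if ! command -v pwscore >/dev/null 2>&1; then
        echo "pwscore not found; cannot pre-check passphrase" >&2
        return 2
    fi

    # The passphrase stays on stdin so it never shows up in argv
    # (and therefore not in the process list or shell history).
    if out=$(pwscore 2>&1); then
        echo "passphrase accepted by pwquality (score: $out)" >&2
        return 0
    fi

    # pwscore explains the failure (too short, dictionary word, ...).
    echo "passphrase rejected by pwquality: $out" >&2
    return 1
}

# Typical use in a provisioning script: read the passphrase once
# without echo, check it, and only then start the command sequence.
#
#   stty -echo; IFS= read -r pass; stty echo
#   printf '%s\n' "$pass" | check_passphrase || exit 1
#   ... luksFormat and the remaining steps follow here ...
```

A return code of 2 should be treated as "unknown" rather than "accepted", since on a build without libpwquality luksFormat performs no quality check at all.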