[dm-crypt] Secret data from stdin
shpedoikal at gmail.com
Wed Aug 15 00:19:43 CEST 2012
I recently came across some code that did this:
cat binary_secret | cryptsetup luksFormat /dev/loop0
This appears to work (no message printed, exit status 0).
What might not be obvious is that if binary_secret contains a '\n'
character, input gets truncated at this point. This is different from
cat binary_secret | cryptsetup luksFormat --key-file=- /dev/loop0
which will read all of binary_secret, regardless of whether there's
a \n in it or not.
This difference seems subtle and could lead to truncation of the
secret. This should probably be clearer in the man page at a
minimum (see patch), but I think a warning is appropriate too.
Secret processing that stops at \n isn't appropriate for binary
IBM LTC Security
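Added example, not from the mail above or from cryptsetup itself: a small shell model of the two stdin behaviours the mail contrasts, plus a pre-flight check a script can run on a key file before piping it without --key-file=-. It touches no block device and works on a constructed 7-byte key.

```sh
#!/bin/sh
# Added example, not from the original mail or from cryptsetup.
# It models the two stdin behaviours described in the mail and gives a
# check for a key file; nothing here touches a device.

# Bytes a line-oriented reader would consume: everything before the
# first newline (models plain `cryptsetup luksFormat` reading stdin).
bytes_before_newline() {
    head -n 1 "$1" | tr -d '\n' | wc -c | tr -d ' '
}

# Bytes read when the stream is consumed to EOF
# (models `cryptsetup luksFormat --key-file=-`).
bytes_to_eof() {
    wc -c < "$1" | tr -d ' '
}

# Succeeds (exit 0) if the key file contains at least one newline byte,
# i.e. piping it without --key-file=- would silently drop key material.
key_has_newline() {
    [ "$(bytes_before_newline "$1")" -lt "$(bytes_to_eof "$1")" ]
}

# Demo on a constructed binary key that happens to contain byte 0x0a.
demo() {
    tmp=$(mktemp) || return 1
    printf 'abc\ndef' > "$tmp"          # 7 bytes, newline at offset 3
    echo "stop-at-newline path reads: $(bytes_before_newline "$tmp") bytes"
    echo "read-to-EOF path reads:     $(bytes_to_eof "$tmp") bytes"
    if key_has_newline "$tmp"; then
        echo "WARNING: key contains a newline; use --key-file=- or a file"
    fi
    rm -f "$tmp"
}

demo
```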
diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
index b9298a5..f8d7abb 100644
@@ -476,7 +476,8 @@ will quit with an error.
If \-\-key-file=- is used for reading the key from stdin, no
trailing newline is stripped from the input. Without that option,
-cryptsetup strips trailing newlines from stdin input.
+cryptsetup stops reading from stdin when it encounters a newline,
+even if found in your binary key data!
.SH NOTES ON PASSWORD PROCESSING FOR LUKS
LUKS uses PBKDF2 to protect against dictionary attacks (see RFC 2898).
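Review bot: the unchanged first sentence of this paragraph still frames the contrast as whether a trailing newline is stripped, while the replacement lines now describe reading stopping at the first newline anywhere in the input, so the two sentences no longer describe the same distinction; consider rewording the lead sentence so the contrast reads as "with \-\-key-file=- stdin is read to EOF; without it, reading stops at the first newline", and drop the exclamation mark, which is out of register for a man page. A short recommendation to use \-\-key-file=- (or a key file) for binary key material would make the practical consequence explicit.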