[dm-crypt] Secret data from stdin

Arno Wagner arno at wagner.name
Wed Aug 15 00:50:21 CEST 2012

On Tue, Aug 14, 2012 at 05:19:43PM -0500, Kent Yoder wrote:
> Hi,
> I recently came across some code that did this:
>   cat binary_secret | cryptsetup luksFormat /dev/loop0
> This appears to work (no message printed, exit status 0).
> What might not be obvious is that if binary_secret contains a '\n'
> character, input gets truncated at this point. 

This is documented in the man-page of the current release under

> This is different
> than
>   cat binary_secret | cryptsetup luksFormat --key-file=- /dev/loop0
> which will read all of binary_secret, regardless of whether there's
> a \n in it or not.

Indeed. Documented under the entry for "--key-file" in the current
release man-page.
> This difference seems subtle and could lead to truncation of the
> secret.  

I agree. I tried to make very sure it is clear what is done 
on my man-page revision.

> This should probably be clearer in the man page at a
> minimum (see patch), but I think a warning is appropriate too.
> Secret processing that stops at \n isn't appropriate for binary
> data.

And that is the thing here. A passphrase is _not_ binary data!

   "cat binary_secret | cryptsetup luksFormat /dev/loop0"

is inherently wrong. What you need to do is

  "cat file_with_passphrase_that_could_also_be_entered_interactively
  | cryptsetup luksFormat /dev/loop0"

As to your patch, I am unable to match your patch to the 
current version of the man-page. Did you do a "git pull" 
before? May also be a problem on my side, please verify:

> md5sum cryptsetup.8
4fd70bbd1018f95818902144499c2234  cryptsetup.8


> Thanks,
> Kent
> --
> IBM LTC Security
> diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
> index b9298a5..f8d7abb 100644
> --- a/man/cryptsetup.8
> +++ b/man/cryptsetup.8
> @@ -476,7 +476,8 @@ will quit with an error.
>  If \-\-key-file=- is used for reading the key from stdin, no
>  trailing newline is stripped from the input. Without that option,
> -cryptsetup strips trailing newlines from stdin input.
> +cryptsetup stops reading from stdin when it encounters a newline,
> +even if found in your binary key data!
>  LUKS uses PBKDF2 to protect against dictionary attacks (see RFC 2898).
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

Arno Wagner,    Dr. sc. techn., Dipl. Inform.,   Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 

More information about the dm-crypt mailing list