[dm-crypt] Option "validate passphrase" for command cryptsetup

Milan Broz asi at seznam.cz
Wed Jun 20 10:27:31 CEST 2012

On 06/20/2012 09:41 AM, Louis wrote:
>> Will this program work on just the LUKS header?  Or does it work only on
>> the entire mount point (with all the data therein included)?.
> 	I have no idea.

Hmmmm. Well, for you and others:

  - check provide devices exists. It is physical device (disk),
    no mount point of activation name required.
    It can be even file with full LUKS header backup.

crypt_load(cd, NULL, NULL, ...)
   - load LUKS header (you should use explicitly
      CRYPT_LUKS1 here to be sure  that it is LUKS)

crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT, ...)
   - tries to activate device with NULL name
     this means that device will not be activated and check for device
     existence is skipped.

btw we have API docs online

If you see my change in cryptsetup, "luksOpen --test-passphrase" will
work even for provided keyfile and for directly provided master key
(--master-key-file). It will simple check if these are correct without
activation of device.

The only disadvantage is that you have to provide some fake device
name in luksOpen command (it will be ignored, only disk parameter is used).

>> Is there a delay of some seconds required between invocations?


> 	Well, on my computer, it takes more than one second to run, which may
> seem long for a simple verification of a passphrase. But I think it is
> simply the time taken by the API to check the passphrase on my very old
> computer. There is no such delay in my code to prevent brute force
> attack, nor (if I am not wrong) in the functions of the Cryptsetup API I
> am using.

No, it is by design. You can run it even in parallel, but your CPU power
is limited. See FAQ and LUKS design doc for more info about iteration count.


More information about the dm-crypt mailing list