[Replying to http://thread.gmane.org/gmane.linux.gentoo.user/229533/focus=229542 ]
On 2010-05-05 08:00:43 GMT, Daniel Troeder wrote:
>On 05/05/2010 06:42 AM, Stefan G. Weichinger wrote:
>> On 04.05.2010 23:24, Daniel Troeder wrote:
>>
>>> I'm using sys-fs/cryptsetup-1.1.1_rc1 since 02.05.2010 and didn't have
>>> any issues.
>>> Please decrypt your partition from the command line, so we can see if it
>>> is a cryptsetup/luks/kernel problem or a pam_mount problem.
>>>
>>> Cmdline should be something like:
>>> $ sudo cryptsetup -d /etc/security/verysekrit.key luksOpen
>>> /dev/mapper/VG01-crypthome myhome
>>> Which should create /dev/mapper/myhome.
>>
>> My user sgw is currently not allowed to sudo this (should it be? it
>> never was).
>>
>> And for root it says "Kein Schlüssel mit diesem Passsatz verfügbar."
>> (german) which should be "No key available with this passphrase." in
>> english.
>That is a message from cryptsetup. As you are using openssl to get the
>key, I think the problem might be there.
>
>I followed the guide you linked here (website is down, but google-cache
>works:
>http://webcache.googleusercontent.com/search?q=cache:7eaSac72CoIJ:home.coming.dk/index.php/2009/05/20/encrypted_home_partition_using_luks_pam_+encrypted_home_partition_using_luks_pam&cd=2&hl=de&ct=clnk&gl=de&client=firefox-a)
>and it works for me (kernel is 2.6.33-zen2):
>
>lvcreate -n crypttest -L 100M vg0
>KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`
>echo $KEY | openssl aes-256-ecb > verysekrit.key
>openssl aes-256-ecb -d -in verysekrit.key

In my personal opinion, both the quality of shell commands and key generation is suboptimal. What makes it bad is that people follow it. First, it generates a key which does not exploit the entire space. People claim it's because they want an ASCII readout, but frankly, you get the same with `hexdump -C`. Second, it's using echo without the -n parameter, thus implicitly inserting a newline into the key -- which is the cause for your observed mounting problems. Third, because you are passing the key via stdin into cryptsetup, it only uses the first line of whatever you pipe into it; whereas pam_mount uses the entire keyfile as it is supposed to be. (Fourth, the howto suggests ECB, which, well, looks rather weak considering the ECB's Tux picture on Wikipedia.) All of that should be in doc/bugs.txt, and mount.crypt even warns about ECB. You really cannot ignore seeing that. Phew!
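As an added illustration of the second and third points above (not code from the thread or from pam_mount), the script below writes a keyfile the howto's way (`echo` without `-n`) and the byte-exact way, then counts what a first-line reader such as cryptsetup-on-stdin sees versus what a whole-file reader such as pam_mount sees; `KEY_FIXED` is a constructed stand-in for the random key, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: trailing-newline mismatch between "first line" and "whole
# file" key consumers, plus a check for existing keyfiles. Not from the thread.

# Constructed, deterministic stand-in for the howto's random key (34 bytes).
KEY_FIXED='constructed-example-key-not-random'

# The howto's way: echo appends "\n", so the stored key is one byte longer
# than the key that was generated.
write_key_howto() { echo "$KEY_FIXED" > "$1"; }

# Byte-exact way: printf writes exactly the bytes given, no newline.
write_key_exact() { printf '%s' "$KEY_FIXED" > "$1"; }

# Binary keyfile that uses all 8 bits of every byte instead of [:graph:]
# characters only; inspect it with `hexdump -C` if you need to look at it.
write_key_binary() { head -c 32 /dev/urandom > "$1"; }

# Bytes a first-line consumer (cryptsetup reading the key from stdin) uses:
# the first line, without its newline.
first_line_bytes() { head -n 1 "$1" | tr -d '\n' | wc -c | tr -d ' '; }

# Bytes a whole-file consumer (pam_mount) uses: every byte, newline included.
whole_file_bytes() { wc -c < "$1" | tr -d ' '; }

# Exit status 0 when the keyfile's last byte is a newline, i.e. the two
# consumers above will disagree about the key.
keyfile_has_trailing_newline() {
    [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" -eq 1 ]
}

# Demo on temporary files.
t=$(mktemp -d)
trap 'rm -rf "$t"' EXIT
write_key_howto "$t/howto.key"
write_key_exact "$t/exact.key"
for f in howto exact; do
    echo "$f.key: first-line reader sees $(first_line_bytes "$t/$f.key") bytes," \
         "whole-file reader sees $(whole_file_bytes "$t/$f.key") bytes"
    keyfile_has_trailing_newline "$t/$f.key" && echo "$f.key ends in a newline: consumers disagree"
done
```

Run `keyfile_has_trailing_newline` against a keyfile that mounts via pam_mount but fails on the cryptsetup command line; a hit means the stored key is not the one the howto intended.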