Fully read "key-file" in "plain" mode
This change should read the complete "key-file", not only up to the first newline character ("\n").

1. Needs testing:
   * I faintly remember that I could not get `-d -` and (equivalent) `--key-file -` working in conjunction with `--type plain`. But that was with a way older Cryptsetup version. Note that for `--type plain`, reading from standard input with `-d -` / `--key-file -` is the only way to apply a hash algorithm to the input (entropy), see [this section of the Cryptsetup man page](https://man7.org/linux/man-pages/man8/cryptsetup.8.html#NOTES_ON_PASSPHRASE_PROCESSING_FOR_PLAIN_MODE) for details. => Retry above syntax with Cryptsetup of SFOS 3.2.1 (the currently minimal supported release), and also with the awkward, likely incorrect syntax `--key-file=-` mentioned once (in the whole man page!) in the aforementioned section.
   * I also believe to remember that the more elegant input redirection per "`< <key-file>`" (instead of `cat <key-file> |`) did not work: Retry that, too.
2. Users have to convert their old keys for "plain" mode, i.e. cut the content of their key-files for "plain" mode at the first newline character. These commands (untested, yet) should perform this conversion:

   ```sh
   devel-su
   for i in /etc/crypto-sdcard/crypto_plain_*.key; do mv "$i" "${i}.old" && sed -n 1P "${i}.old" > "$i"; done
   ```
ba3ccce
Commit text (in Markdown) extended and properly rendered:

This change should read the whole "key"-file, not only up to the first newline character ("\n").

### Needs testing

* I faintly remember that I could not get `-d -` and (equivalent) `--key-file -` working in combination with `--type plain`. But that was with a way older Cryptsetup version. Note that for `--type plain`, reading from standard input with `-d -` / `--key-file -` is the only way to apply a hash algorithm (but only a single round in contrast to LUKS mode) to the input (entropy) without ceasing to read at the first newline character, according to the documentation (see [this section of the Cryptsetup man page](https://man7.org/linux/man-pages/man8/cryptsetup.8.html#NOTES_ON_PASSPHRASE_PROCESSING_FOR_PLAIN_MODE) for details). => Retry above syntax with Cryptsetup of SFOS 3.2.1 (the minimal supported release, currently), and also with the awkward, likely incorrect syntax `--key-file=-` mentioned once (in the whole man page!) in the aforementioned man page section.
  Edit (2021-06-02): Works well under SailfishOS 4.0.1 with `-d -`; still have to look up what systemd & Cryptsetup versions that translates to, and if that also works under SFOS 3.2.1.
* I also believe to remember that the more elegant input redirection per "`< <key-file>`" (instead of "`cat <key-file> |`") did not work: Retry that, too.
  Edit 2 (2021-06-02): Still open / to do for SailfishOS < 4, where `StandardInput=file:/etc/crypto-sdcard/%I.key` does not seem to work.
  Edit 1: Ah, that might work better per `StandardInput=file:/etc/crypto-sdcard/%I.key` and no explicit input redirection at all (plus also eliminating the enclosing sub-shell call). Side note: This may be used in conjunction with `StandardOutput=journal`, but that should be the default (but `inherit` would be dangerous). Implemented in the subsequent commit #c3a0e8c.

### Conversion of old "keys" for "plain" mode

Users have to convert their old "key"-files for "plain" mode, i.e. cut the content of these files at the first newline character, in order to still be able to unlock extant "plain" "containers".

These commands (untested, yet) should perform this conversion (and save the old "key"-files for "plain" mode):

```sh
devel-su
for i in /etc/crypto-sdcard/crypto_plain_*.key; do mv "$i" "${i}.old" && sed -n 1P "${i}.old" > "$i"; done
```

### Optimised creation of "plain" "containers"

New "plain" DMcrypt "containers" shall be created (since crypto-sdcard 1.3.4) as described below (i.e., with the "`-d -` / `--key-file -` / `--key-file=-`" option, in order to take advantage of this enhancement), in contrast to the original description in section 4.3.3.b of the "[How-to] Creating partitions on SD-card, optionally encrypted" at TJC (Backup@GitLab):

```sh
cat /etc/crypto-sdcard/crypto_plain_mmcblk1pX.key | cryptsetup -d - -v -h sha1 -s 256 -c aes-xts-plain --allow-discards --type plain open /dev/mmcblk1pX mmcblk1pX-crypt
# Mind to pick the right partition number three times etc.
```

If you missed that and applied the original statement from the How-To section 4.3.3.b (i.e., without `-d -`), just convert the "key"-file used (as described at "Conversion of old "keys" for "plain" mode", above), and it should work fine.
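A shell version of the key conversion discussed above, added here and not part of the commit or its comment: it backs up each "plain" key file once, refuses to overwrite an existing backup, and writes exactly the bytes before the first newline with no terminating newline, on my assumption (not stated on the page) that the whole-file read after this change hashes the file's bytes as-is. The function names and the sample key contents in the usage are constructed.

```shell
#!/bin/sh
# Added example: convert a crypto-sdcard "plain"-mode key file so that reading
# it in full yields the bytes the old code saw when it stopped at the first
# newline. ASSUMPTION (mine, not the page's): the whole-file read takes the
# bytes verbatim, so the converted file must not end in a newline.

# convert_plain_key FILE
# Moves FILE to FILE.old and writes the first line of FILE.old (newline
# stripped) back to FILE with mode 0600. Returns 1 if FILE.old already
# exists, so a second run cannot clobber the genuine backup.
convert_plain_key() {
    key="$1"
    backup="${key}.old"
    if [ -e "$backup" ]; then
        printf 'skip %s: backup %s already exists\n' "$key" "$backup" >&2
        return 1
    fi
    mv "$key" "$backup" || return 1
    # IFS= and -r keep whitespace and backslashes intact; read drops the
    # newline. "|| :" keeps a file without any newline working (read returns
    # non-zero at EOF but still assigns the partial line).
    first_line=
    IFS= read -r first_line < "$backup" || :
    # Subshell so the restrictive umask does not leak to the caller.
    ( umask 077 && printf '%s' "$first_line" > "$key" )
}

# key_file_equals FILE STRING: succeeds if FILE's bytes are exactly STRING
# (a plain "$(cat FILE)" comparison would hide a trailing newline).
key_file_equals() {
    want=$(printf '%s' "$2" | od -A n -v -t x1 | tr -d ' \n')
    have=$(od -A n -v -t x1 "$1" | tr -d ' \n')
    [ "$have" = "$want" ]
}

# Usage, as root (devel-su), mirroring the loop in the commit message:
#   for i in /etc/crypto-sdcard/crypto_plain_*.key; do convert_plain_key "$i"; done
```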