From ba3ccce0c3573747fadd7b30e576159b15277513 Mon Sep 17 00:00:00 2001 From: olf Date: Sat, 20 Feb 2021 03:31:18 +0100 Subject: [PATCH] Fully read "key-file" in "plain" mode This change should read the complete "key-file", not only up to the first newline character ("\n"). 1. Needs testing: * I faintly remember, that I could not get `-d -` and (equivalent) `--key-file -` working in conjunction with `--type plain`. But that was with a way older Cryptsetup version. Note that for `--type plain`, reading from standard input with `-d -` / `--key-file -` is the only way to apply a hash algorithm to the input (entropy), see [this section of the Cryptsetup man page](https://man7.org/linux/man-pages/man8/cryptsetup.8.html#NOTES_ON_PASSPHRASE_PROCESSING_FOR_PLAIN_MODE) for details. =\> Retry above syntax with Cryptsetup of SFOS 3.2.1 (the currently minimal supported release), and also with the awkward, likely incorrect syntax `--key-file=-` mentioned once (in the whole man page!) in the aforementioned section. * I also believe to remember, that the more elegant input redirection per "`< `" (instead of `cat |`) did not work: Retry that, too. 2. Users have to convert their old keys for "plain" mode, i.e. cut the content of their key-files for "plain" mode at the first newline character. These commands (untested, yet) should perform this conversion: `devel-su` `for i in /etc/crypto-sdcard/crypto_plain_*.key; do mv "$i" "${i}.old" && sed -n 1P "${i}.old" > "$i"; done` --- systemd/system/cryptosd-plain@.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/system/cryptosd-plain@.service b/systemd/system/cryptosd-plain@.service index 7fd54951..767790f2 100644 --- a/systemd/system/cryptosd-plain@.service +++ b/systemd/system/cryptosd-plain@.service 
@@ -12,6 +12,6 @@ Type=oneshot RemainAfterExit=yes # For devices, which need the qcrypto kernel module loaded to support modern cryptographic schemes as e.g. XTS: # ExecStartPre=/sbin/modprobe qcrypto -ExecStart=/bin/sh -c 'cat /etc/crypto-sdcard/%I.key | /usr/sbin/cryptsetup -h sha1 -s 256 -c aes-xts-plain --allow-discards --type plain open /dev/%I %I' +ExecStart=/bin/sh -c 'cat /etc/crypto-sdcard/%I.key | /usr/sbin/cryptsetup -d - -h sha1 -s 256 -c aes-xts-plain --allow-discards --type plain open /dev/%I %I' ExecStop=/usr/sbin/cryptsetup close %I
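Review bot: The `-d -` added on the `+ExecStart` line changes the key derived from every existing `/etc/crypto-sdcard/%I.key` that contains a newline, and nothing in the unit signals this. Plain mode has no on-disk header to check the key against, so `cryptsetup open` will still succeed with the wrong key and the failure only shows up later, when the mapping holds no recognisable filesystem. Since the commit message says the whole file is now read rather than only the text before the first "\n", a trailing newline becomes part of the hashed input. The proposed conversion `sed -n 1P "${i}.old" > "$i"` writes that newline back, so a converted key would likely not reproduce the old one; stripping it (for example by piping through `tr -d '\n'`) and testing against an existing volume before merging would settle this. The `>` redirect also creates the new key file with the default umask instead of the old file's mode, so the conversion steps should set the mode explicitly. A comment above `ExecStart` stating that the full key file, newlines included, is hashed would document the new behaviour for anyone editing the unit later.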