Bug 409321 - sys-kernel/dracut-017-r1 fails to pass gpg encrypted passphrase to cryptsetup
Summary: sys-kernel/dracut-017-r1 fails to pass gpg encrypted passphrase to cryptsetup
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal minor
Assignee: Amadeusz Żołnowski (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-22 14:26 UTC by Hanspeter Spalinger
Modified: 2012-07-31 10:35 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info output (emerge.info, 14.32 KB, text/plain)
2012-03-22 14:26 UTC, Hanspeter Spalinger

Description Hanspeter Spalinger 2012-03-22 14:26:44 UTC
Created attachment 306313
emerge --info output

I use an encrypted LUKS as root; a gpg-encrypted key is on an external disk (using the guide on http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS )

I create a dracut initramfs (and set up rd.luks.key) and all looks fine, but it cannot open the LUKS device.

I tracked this down to the module 90crypt. In the file cryptroot-ask.sh we have
96         info "Using '$keypath' on '$keydev'"
97         readkey "$keypath" "$keydev" "$device" \
98             | cryptsetup -d - luksOpen "$device" "$luksname"
99         unset keypath keydev
100         ask_passphrase=0
101         break
https://git.kernel.org/?p=boot/dracut/dracut.git;a=blob;f=modules.d/90crypt/cryptroot-ask.sh;h=aba1331cf7522933813a4172f6a5f79288e715a2;hb=HEAD

The cryptsetup on line 98 fails due to "-d -" with the error:
"No Key available with this passphrase" (that's the generic error from cryptsetup if a bad key is given). It drops me into the initramfs, and if I issue the command it fails the same way.

Removing the "-d -" option makes it work for me (however, I don't know if it breaks using a non-encrypted keyfile). This too works on the initramfs shell.

My dracut info (from eix dracut):
     Installed versions:  017-r1!t(21:55:42 19.03.2012)(device-mapper dracut_modules_crypt dracut_modules_crypt-gpg dracut_modules_lvm -debug -dracut_modules_biosdevname -dracut_modules_btrfs -dracut_modules_caps -dracut_modules_dmraid -dracut_modules_dmsquash-live -dracut_modules_gensplash -dracut_modules_iscsi -dracut_modules_livenet -dracut_modules_mdraid -dracut_modules_multipath -dracut_modules_nbd -dracut_modules_nfs -dracut_modules_plymouth -dracut_modules_ssh-client -dracut_modules_syslog -net -selinux)
     Homepage:            http://dracut.wiki.kernel.org
     Description:         Generic initramfs generation tool

Maybe IMPORTANT: I use cryptsetup with the "-static" USE flag.


Additional Info:
kernel boot cmdline from /proc/cmdline: 
 BOOT_IMAGE=/vmlinuz-3.3.0-rc7 root=/dev/mapper/hanfi-root ro console=tty1 quiet
dracut build command:
 dracut -H -L 5 -a "crypt-gpg" "" 3.3.0-rc7 -v --force 2>&1 | less
dracut cmdline settings (those are written by the lvm and crypt module; I added some code to the crypt-module setup script so it looks for the gpg key on the boot device and adds the key if one is found):
 rd.luks.uuid=luks-5b1049c3-ae7c-4b4c-99e7-240ba4a76f94 
 rd.luks.key=/.gnupg/5b1049c3-ae7c-4b4c-99e7-240ba4a76f94.gpg:UUID=468fc485-3aca-4b80-96cd-5b1a4bc5fe60:UUID=5b1049c3-ae7c-4b4c-99e7-240ba4a76f94 
 rd.lvm.lv=hanfi/root 

My fstab:
# NOTE: If your BOOT partition is ReiserFS, add the notail option to opts.
/dev/hanfi/root		/		ext4		noatime			0 1
/dev/hanfi/home		/home		ext4		noatime			0 1
/dev/hanfi/swap		none		swap		sw			0 0
/dev/cdrom		/mnt/cdrom	auto		noauto,ro		0 0
#proc			/proc		proc		defaults		0 0
#none			/sys		sysfs		defaults		0 0
# use those 8GB of RAM
none			/dev/shm	tmpfs		nodev,nosuid,noexec	0 0
none			/tmp		tmpfs		nodev,nosuid		0 0
none			/var/tmp	tmpfs		nodev,nosuid		0 0

dmsetup ls --tree:
hanfi-home (254:3)
 └─luks-5b1049c3-ae7c-4b4c-99e7-240ba4a76f94 (254:0)
    └─ (8:1)
hanfi-swap (254:2)
 └─luks-5b1049c3-ae7c-4b4c-99e7-240ba4a76f94 (254:0)
    └─ (8:1)
hanfi-root (254:1)
 └─luks-5b1049c3-ae7c-4b4c-99e7-240ba4a76f94 (254:0)
    └─ (8:1)

blkid -o udev:
ID_FS_UUID=5b1049c3-ae7c-4b4c-99e7-240ba4a76f94
ID_FS_UUID_ENC=5b1049c3-ae7c-4b4c-99e7-240ba4a76f94
ID_FS_TYPE=crypto_LUKS

ID_FS_UUID=5b1049c3-ae7c-4b4c-99e7-240ba4a76f94
ID_FS_UUID_ENC=5b1049c3-ae7c-4b4c-99e7-240ba4a76f94
ID_FS_TYPE=crypto_LUKS

ID_FS_LABEL=swap
ID_FS_LABEL_ENC=swap
ID_FS_UUID=b54eaa00-9820-46dc-804b-d36509a52687
ID_FS_UUID_ENC=b54eaa00-9820-46dc-804b-d36509a52687
ID_FS_TYPE=swap

ID_FS_UUID=0ytFMB-tpel-KM2N-CArM-gIqq-Kyad-okMYGS
ID_FS_UUID_ENC=0ytFMB-tpel-KM2N-CArM-gIqq-Kyad-okMYGS
ID_FS_TYPE=LVM2_member

ID_FS_LABEL=swap
ID_FS_LABEL_ENC=swap
ID_FS_UUID=b54eaa00-9820-46dc-804b-d36509a52687
ID_FS_UUID_ENC=b54eaa00-9820-46dc-804b-d36509a52687
ID_FS_TYPE=swap

ID_FS_LABEL=swap
ID_FS_LABEL_ENC=swap
ID_FS_UUID=b54eaa00-9820-46dc-804b-d36509a52687
ID_FS_UUID_ENC=b54eaa00-9820-46dc-804b-d36509a52687
ID_FS_TYPE=swap

ID_FS_LABEL=home
ID_FS_LABEL_ENC=home
ID_FS_UUID=4a2b78c4-3e6f-4a40-b847-080a98906224
ID_FS_UUID_ENC=4a2b78c4-3e6f-4a40-b847-080a98906224
ID_FS_TYPE=ext4

ID_FS_LABEL=root
ID_FS_LABEL_ENC=root
ID_FS_UUID=b3d4200e-5a33-4b5f-98b6-1be4fac77535
ID_FS_UUID_ENC=b3d4200e-5a33-4b5f-98b6-1be4fac77535
ID_FS_TYPE=ext4
Comment 1 Amadeusz Żołnowski (RETIRED) gentoo-dev 2012-03-23 16:04:49 UTC
This is probably true. There's some weirdness in password processing between how it's done with "-d -" and without. Please read the "NOTES ON PASSWORD PROCESSING" section of the cryptsetup man page.

Does your decrypted key work with "cryptsetup -d /path/to/plain.key"?
Comment 2 Hanspeter Spalinger 2012-03-24 11:15:17 UTC
(In reply to comment #1)
> Does your decrypted key work with "cryptsetup -d /path/to/plain.key"?
No, it fails again with the error "No Key available with this passphrase"
'cryptsetup -d /tmp/luks.key luksOpen /dev/sda1 crypto'
'cat /tmp/luks.key | cryptsetup luksOpen /dev/sda1 crypto' works.

But this made me go debugging some more.
Reading about cryptsetup, I think the problem lies in this (from the manpage, as you suggested):
"If --key-file=- is used for reading the key from stdin, no trailing newline is stripped from the input. Without that option, cryptsetup strips trailing newlines from stdin input."

The problem lies how I added the key originally as described in http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS

There it is suggested to use 
'gpg --quiet --decrypt rootkey.gpg | cryptsetup -v --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3'

However, this will behave as stdin and strip the newline.
At decryption stage, using "-d -" will not strip the newline, and it fails.
As I had the key decrypted into /tmp/luks.key, I went on and added that key AS A FILE with
'cat /tmp/luks.key | cryptsetup luksAddKey /dev/sda1 /tmp/luks.key'
(this uses the key as a password and then adds the key as a file)
NOW I can do
'cryptsetup -d /tmp/luks.key luksOpen /dev/sda1 crypto'
and it opens the device, and after adding "-d -" to the cryptroot-ask.sh file again (as it was in the original script) it works too!

So basically the advice in that wiki page does not work correctly with dracut.

I think the best solution to all of this is to edit the wiki page and tell people to add "-d -" at the key setup if using dracut.
'gpg --quiet --decrypt rootkey.gpg | cryptsetup -d - -v --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3'
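The stdin-versus-"-d -" difference worked out in comment 2, as an added example for this bug (it is not code from dracut, cryptsetup or the wiki page): a small POSIX shell script that models the two ways cryptsetup consumes a key arriving on a pipe, as its man page describes them, so a key file can be checked before an initramfs depends on it. It never calls cryptsetup or touches a LUKS device; the key files it inspects are constructed inline and are not real keys.

```shell
#!/bin/sh
# Models the two ways cryptsetup consumes a key that arrives on a pipe,
# following the cryptsetup man page. Added example for this bug report;
# not dracut or cryptsetup code, and it never touches a LUKS device.

# Passphrase path (no -d/--key-file): input is read up to the first
# newline and that newline is stripped. Prints the bytes used, in hex.
key_as_passphrase() {
    head -n 1 | tr -d '\n' | od -An -tx1 | tr -d ' \n'
}

# Key-file path (-d - / --key-file=-): every byte is used verbatim,
# trailing newline included. Prints the bytes used, in hex.
key_as_keyfile() {
    od -An -tx1 | tr -d ' \n'
}

# Compare both views of one key file. Returns 0 when a slot created via
# one path opens via the other, 1 when the two paths see different keys.
check_key() {
    pp=$(key_as_passphrase < "$1")
    kf=$(key_as_keyfile < "$1")
    printf 'passphrase path: %s\nkey-file path:   %s\n' "$pp" "$kf"
    [ "$pp" = "$kf" ]
}

# Demo on constructed key files (not real keys).
demo() {
    d=$(mktemp -d)
    printf 'secret\n' > "$d/trailing.key"   # what "echo key | cryptsetup luksFormat" gets
    printf 'ab\ncd'   > "$d/embedded.key"   # a binary key with a 0x0a byte inside it
    printf 'secret'   > "$d/clean.key"      # no newline anywhere
    for k in trailing embedded clean; do
        echo "== $k.key"
        if check_key "$d/$k.key"; then
            echo "OK: both paths agree"
        else
            echo "MISMATCH: use -d - on both luksFormat/luksAddKey and luksOpen"
        fi
    done
    rm -rf "$d"
}

demo
```

The trailing-newline case is exactly the reporter's situation: the slot was created from "secret" but dracut's cryptroot-ask.sh pipes "secret\n" with "-d -". The embedded-newline case is the one to worry about with a gpg-decrypted key, which is random bytes: read as a passphrase it is cut off at the first 0x0a byte, so the slot ends up protected by a much shorter key than intended, and the key-file path will never match it. Formatting and opening with "-d -" on both sides avoids both problems; on a real volume, a cryptsetup that supports it can confirm a slot with "cryptsetup luksOpen --test-passphrase -d - <device> < keyfile" without mapping anything.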
Comment 3 Amadeusz Żołnowski (RETIRED) gentoo-dev 2012-03-26 11:47:08 UTC
Right, this should actually be documented. I'll leave it opened as reminder to do so.
Comment 4 Hanspeter Spalinger 2012-03-26 13:10:19 UTC
I tried to add a short note to the wiki page, but as I do not have an account there, I horribly failed by adding it at the luksOpen command instead of the luksFormat one. And now it seems I cannot repair that mistake (but my updates do not appear anyway).
Sorry for the trouble. I should think before acting. I'll let the people with knowledge/expertise do the work.

On a side note, on the discussion page (http://en.gentoo-wiki.com/wiki/Talk:DM-Crypt_with_LUKS ) they give a reasoning for using "-d -" instead of just piping (it actually has security implications). So the whole page should be updated (not only about dracut).
Comment 5 Amadeusz Żołnowski (RETIRED) gentoo-dev 2012-07-31 10:35:01 UTC
(In reply to comment #4)
> I tried to add a short note to the wiki page, but as I do not have an account
> there, I horribly failed by adding it at the luksOpen command instead of the
> luksFormat one. And now it seems I cannot repair that mistake (but my updates
> do not appear anyway).
> Sorry for the trouble. I should think before acting. I'll let the people with
> knowledge/expertise do the work.

And have you managed to update the Wiki? I've added a note to the dracut.cmdline man page (you will find it in 023), therefore I'm closing the bug.

diff --git a/dracut.cmdline.7.asc b/dracut.cmdline.7.asc
index 0b1b8a2..884b223 100644
--- a/dracut.cmdline.7.asc
+++ b/dracut.cmdline.7.asc
@@ -233,6 +233,29 @@ rd.luks.key=/foo/bar.key
 ----
 +
 As you see, you can skip colons in such a case.
++
+[NOTE]
+===============================
+Dracut pipes key to cryptsetup with _-d -_ argument, therefore you need to pipe
+to crypsetup luksFormat with _-d -_, too!
+
+Here follows example for key encrypted with GPG:
+
+----
+gpg --quiet --decrypt rootkey.gpg \
+| cryptsetup -d - -v \
+--cipher serpent-cbc-essiv:sha256 \
+--key-size 256 luksFormat /dev/sda3
+----
+
+If you use plain keys, just add path to _-d_ option:
+
+----
+cryptsetup -d rootkey.key -v \
+--cipher serpent-cbc-essiv:sha256 \
+--key-size 256 luksFormat /dev/sda3
+----
+===============================
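Review bot: the NOTE states the rule without the reason, and has a typo ("crypsetup" on the line "to crypsetup luksFormat with _-d -_, too!"). One sentence from the cryptsetup man page would make it self-explanatory: with -d - cryptsetup uses stdin verbatim, trailing newline included, whereas without -d it treats stdin as a passphrase and strips the trailing newline, so a slot created by piping into luksFormat without -d - holds a different key than dracut's "readkey ... | cryptsetup -d - luksOpen" supplies, and the only symptom at boot is "No key available with this passphrase". The note also only covers fresh luksFormat; readers with an existing volume set up the wiki way need to know that the fix is to add the decrypted key again as a key file (cryptsetup luksAddKey <device> <keyfile>, authenticating with the old passphrase), as the reporter did in comment 2. Minor: --cipher serpent-cbc-essiv:sha256 and --key-size 256 are carried over from the wiki and have nothing to do with the -d - point; either mark them as illustrative or drop them so nobody copies them as a recommendation.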