Bug 409321

Summary:	sys-kernel/dracut-017-r1 fails to pass gpg encrypted passphrase to cryptsetup
Product:	Gentoo Linux	Reporter:	Hanspeter Spalinger <gentoo>
Component:	Current packages	Assignee:	Amadeusz Żołnowski (RETIRED) <aidecoe>
Status:	RESOLVED WORKSFORME
Severity:	minor	CC:	gentoo, kensington
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	emerge --info output

Description Hanspeter Spalinger 2012-03-22 14:26:44 UTC

Created attachment 306313 [details]
emerge --info output

I use a encrypted LUKS as root, a gpg-encrypted key is on a external disk (using the guide on http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS )

I create a dracut-initramfs (and setup rd.luks.key) and all looks fine, but it can not open the LUKS device.

I tracked this down to the module 90crypt. in the file cryptroot-ask.sh we have
96         info "Using '$keypath' on '$keydev'"
97         readkey "$keypath" "$keydev" "$device" \
98             | cryptsetup -d - luksOpen "$device" "$luksname"
99         unset keypath keydev
100         ask_passphrase=0
101         break
https://git.kernel.org/?p=boot/dracut/dracut.git;a=blob;f=modules.d/90crypt/cryptroot-ask.sh;h=aba1331cf7522933813a4172f6a5f79288e715a2;hb=HEAD

The cryptsetup on line 98 fails due to "-d -" with the Error:
"No Key available with this passphrase" (thats the generic error from cryptsetup if a bad key is given). It drops me into the initramfs, and if i issue the command it fails the same way.

Removing the "-d -" option makes it work for me (however, i don't know if it breaks using a non-encrypted keyfile). This too works on the initramfs shell.

my dracut info (from eix dracut):
     Installed versions:  017-r1!t(21:55:42 19.03.2012)(device-mapper dracut_modules_crypt dracut_modules_crypt-gpg dracut_modules_lvm -debug -dracut_modules_biosdevname -dracut_modules_btrfs -dracut_modules_caps -dracut_modules_dmraid -dracut_modules_dmsquash-live -dracut_modules_gensplash -dracut_modules_iscsi -dracut_modules_livenet -dracut_modules_mdraid -dracut_modules_multipath -dracut_modules_nbd -dracut_modules_nfs -dracut_modules_plymouth -dracut_modules_ssh-client -dracut_modules_syslog -net -selinux)
     Homepage:            http://dracut.wiki.kernel.org
     Description:         Generic initramfs generation tool

maybe IMPORTANT: i use cryptsetup with "-static" USE Flag.


Additional Info:
kernel boot cmdline from /proc/cmdline: 
 BOOT_IMAGE=/vmlinuz-3.3.0-rc7 root=/dev/mapper/hanfi-root ro console=tty1 quiet
dracut build command:
 dracut -H -L 5 -a "crypt-gpg" "" 3.3.0-rc7 -v --force 2>&1 | less
dracut cmdline settings (those are written by the lvm and crypt module, i added some code to the crypt-module setup script so it looks for the gpg-key on the boot device and adds the key if one is found):
 rd.luks.uuid=luks-5b1049c3-ae7c-4b4c-99e7-240ba4a76f94 
 rd.luks.key=/.gnupg/5b1049c3-ae7c-4b4c-99e7-240ba4a76f94.gpg:UUID=468fc485-3aca-4b80-96cd-5b1a4bc5fe60:UUID=5b1049c3-ae7c-4b4c-99e7-240ba4a76f94 
 rd.lvm.lv=hanfi/root 

My fstab:
# NOTE: If your BOOT partition is ReiserFS, add the notail option to opts.
/dev/hanfi/root		/		ext4		noatime			0 1
/dev/hanfi/home		/home		ext4		noatime			0 1
/dev/hanfi/swap		none		swap		sw			0 0
/dev/cdrom		/mnt/cdrom	auto		noauto,ro		0 0
#proc			/proc		proc		defaults		0 0
#none			/sys		sysfs		defaults		0 0
# use those 8GB of RAM
none			/dev/shm	tmpfs		nodev,nosuid,noexec	0 0
none			/tmp		tmpfs		nodev,nosuid		0 0
none			/var/tmp	tmpfs		nodev,nosuid		0 0

dmsetup ls --tree:
hanfi-home (254:3)
 └─luks-5b1049c3-ae7c-4b4c-99e7-240ba4a76f94 (254:0)
    └─ (8:1)
hanfi-swap (254:2)
 └─luks-5b1049c3-ae7c-4b4c-99e7-240ba4a76f94 (254:0)
    └─ (8:1)
hanfi-root (254:1)
 └─luks-5b1049c3-ae7c-4b4c-99e7-240ba4a76f94 (254:0)
    └─ (8:1)

blkid -o udev:
ID_FS_UUID=5b1049c3-ae7c-4b4c-99e7-240ba4a76f94
ID_FS_UUID_ENC=5b1049c3-ae7c-4b4c-99e7-240ba4a76f94
ID_FS_TYPE=crypto_LUKS

ID_FS_UUID=5b1049c3-ae7c-4b4c-99e7-240ba4a76f94
ID_FS_UUID_ENC=5b1049c3-ae7c-4b4c-99e7-240ba4a76f94
ID_FS_TYPE=crypto_LUKS

ID_FS_LABEL=swap
ID_FS_LABEL_ENC=swap
ID_FS_UUID=b54eaa00-9820-46dc-804b-d36509a52687
ID_FS_UUID_ENC=b54eaa00-9820-46dc-804b-d36509a52687
ID_FS_TYPE=swap

ID_FS_UUID=0ytFMB-tpel-KM2N-CArM-gIqq-Kyad-okMYGS
ID_FS_UUID_ENC=0ytFMB-tpel-KM2N-CArM-gIqq-Kyad-okMYGS
ID_FS_TYPE=LVM2_member

ID_FS_LABEL=swap
ID_FS_LABEL_ENC=swap
ID_FS_UUID=b54eaa00-9820-46dc-804b-d36509a52687
ID_FS_UUID_ENC=b54eaa00-9820-46dc-804b-d36509a52687
ID_FS_TYPE=swap

ID_FS_LABEL=swap
ID_FS_LABEL_ENC=swap
ID_FS_UUID=b54eaa00-9820-46dc-804b-d36509a52687
ID_FS_UUID_ENC=b54eaa00-9820-46dc-804b-d36509a52687
ID_FS_TYPE=swap

ID_FS_LABEL=home
ID_FS_LABEL_ENC=home
ID_FS_UUID=4a2b78c4-3e6f-4a40-b847-080a98906224
ID_FS_UUID_ENC=4a2b78c4-3e6f-4a40-b847-080a98906224
ID_FS_TYPE=ext4

ID_FS_LABEL=root
ID_FS_LABEL_ENC=root
ID_FS_UUID=b3d4200e-5a33-4b5f-98b6-1be4fac77535
ID_FS_UUID_ENC=b3d4200e-5a33-4b5f-98b6-1be4fac77535
ID_FS_TYPE=ext4

Comment 1 Amadeusz Żołnowski (RETIRED) gentoo-dev

2012-03-23 16:04:49 UTC

This is probably true. There's some weirdness on password processing between how it's done with "-d -" and without. Please read "NOTES ON PASSWORD PROCESSING" sections of cryptsetup man page.

Does your decrypted key works with "cryptsetup -d /path/to/plain.key"?

Comment 2 Hanspeter Spalinger 2012-03-24 11:15:17 UTC

(In reply to comment #1)
> Does your decrypted key works with "cryptsetup -d /path/to/plain.key"?
No, it fails with again the error "No Key available with this passphrase"
'cryptsetup -d /tmp/luks.key luksOpen /dev/sda1 crypto'
'cat /tmp/luks.key | cryptsetup luksOpen /dev/sda1 crypto' works.

But this made me go debugging some more.
reading about cryptsetup I think the problem lies in this (from manpage, as you suggested):
"If --key-file=- is used for reading the key from stdin, no trailing newline is stripped from the input. Without that option, cryptsetup strips trailing newlines from stdin input."

The problem lies how I added the key originally as described in http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS

There it is suggested to use 
'gpg --quiet --decrypt rootkey.gpg | cryptsetup -v --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3'

However, this will behave as the std-in and strip the newline.
At decryption stage, using "-d -" will not strip the newline, and it fails.
As I had the key decrypted into /tmp/luks.key, I went on and added that key AS A FILE with
'cat /tmp/luks.key | cryptsetup luksAddKey /dev/sda1 /tmp/luks.key'
(this uses the key as a password and then adds the key as a file)
NOW I can do
'cryptsetup -d /tmp/luks.key luksOpen /dev/sda1 crypto'
and it opens the device and after adding "-d -" to the cryptroot-ask.sh file again (as it was in the original script) works too!

So basically the advice in that wiki page does not work correctly with dracut.

I think the best solution to all of this is to edit the wiki page and tell people to add "-d -" at the key setup if using dracut.
'gpg --quiet --decrypt rootkey.gpg | cryptsetup -d - -v --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3'

Comment 3 Amadeusz Żołnowski (RETIRED) gentoo-dev

2012-03-26 11:47:08 UTC

Right, this should actually be documented. I'll leave it opened as reminder to do so.

Comment 4 Hanspeter Spalinger 2012-03-26 13:10:19 UTC

I tried to add a short note in the wiki page, but as I do not have a account there, I horribly failed by adding it at the luksOpen command instead the luksFormat. And now it seems I can not repair that mistake (but my updates do not appear anyway).
Sorry for the trouble. I should think before act. I let the people with knowledge/expertise do the work.

On a side note, on the discuss page (http://en.gentoo-wiki.com/wiki/Talk:DM-Crypt_with_LUKS ) they give a reasoning for using "-d -" instead just piping (it actually has security implications). So the whole page should be updated (not only about dracut)

Comment 5 Amadeusz Żołnowski (RETIRED) gentoo-dev

2012-07-31 10:35:01 UTC

(In reply to comment #4)
> I tried to add a short note in the wiki page, but as I do not have a account
> there, I horribly failed by adding it at the luksOpen command instead the
> luksFormat. And now it seems I can not repair that mistake (but my updates
> do not appear anyway).
> Sorry for the trouble. I should think before act. I let the people with
> knowledge/expertise do the work.

And have you managed to update Wiki? I've added note to dracut.cmdline man page (you will find it in 023), therefore I'm closing the bug.

diff --git a/dracut.cmdline.7.asc b/dracut.cmdline.7.asc
index 0b1b8a2..884b223 100644
--- a/dracut.cmdline.7.asc
+++ b/dracut.cmdline.7.asc
@@ -233,6 +233,29 @@ rd.luks.key=/foo/bar.key
 ----
 +
 As you see, you can skip colons in such a case.
++
+[NOTE]
+===============================
+Dracut pipes key to cryptsetup with _-d -_ argument, therefore you need to pipe
+to crypsetup luksFormat with _-d -_, too!
+
+Here follows example for key encrypted with GPG:
+
+----
+gpg --quiet --decrypt rootkey.gpg \
+| cryptsetup -d - -v \
+--cipher serpent-cbc-essiv:sha256 \
+--key-size 256 luksFormat /dev/sda3
+----
+
+If you use plain keys, just add path to _-d_ option:
+
+----
+cryptsetup -d rootkey.key -v \
+--cipher serpent-cbc-essiv:sha256 \
+--key-size 256 luksFormat /dev/sda3
+----
+===============================