
Bug 493690

Summary: sys-fs/cryptsetup: add support for detached LUKS header
Product: Gentoo Linux
Reporter: Oleg Akimov <akimov.shop>
Component: [OLD] Core system
Assignee: Gentoo's Team for Core System packages <base-system>
Status: UNCONFIRMED
Severity: enhancement
CC: gokturk, lucianposton
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments:
- plain diff
- enable detached LUKS header support
- updated patch for 2.4.0-dmcrypt.rc
- updated patch for 2.4.0-dmcrypt.confd
- updated patch for 2.4.0-dmcrypt.rc
- updated patch for 2.4.0-dmcrypt.rc
- updated patch for 2.4.0-dmcrypt.rc
- Updated patch for latest stable cryptsetup 2.4.3-r2
- Updated patch for latest stable cryptsetup 2.4.3-r2
- Updated patch for latest stable cryptsetup 2.4.3-r2
- Updated patch for latest stable cryptsetup 2.4.3-r2
- Updated patch for latest stable cryptsetup 2.6.1

Description Oleg Akimov 2013-12-08 19:25:16 UTC
/etc/conf.d/dmcrypt contains an argument for a detached LUKS header.

/etc/init.d/dmcrypt lacks support for it.

But we have a patch now :)

Reproducible: Always

Steps to Reproduce:
1. Create a LUKS volume with a detached header stored in a file

# create dir for experiments
mkdir -p /var/tmp/luks_header_test

# create 20M image
dd if=/dev/zero of=/var/tmp/luks_header_test/img bs=1M count=20

# generate key
dd if=/dev/urandom of=/var/tmp/luks_header_test/key bs=1K count=4

# generate 10M header file
dd if=/dev/zero of=/var/tmp/luks_header_test/header bs=1M count=10

# converting image file to device loop7
losetup -v /dev/loop7 /var/tmp/luks_header_test/img

# format luks volume
cryptsetup luksFormat --header /var/tmp/luks_header_test/header --key-file /var/tmp/luks_header_test/key /dev/loop7


2. Configure /etc/conf.d/dmcrypt with luks_header

Add these lines to the config:

target=luks_header_test
source='/dev/loop7'
key='/var/tmp/luks_header_test/key'
luks_header='/var/tmp/luks_header_test/header'

3. Restart dmcrypt

4. Check the status

cryptsetup status luks_header_test

# you will see this for the (wrong) plain mode:
#
# > cryptsetup status luks_header_test
# /dev/mapper/luks_header_test is active.
#  type:    PLAIN
#  cipher:  aes-cbc-essiv:sha256
#  keysize: 256 bits
#  device:  /dev/loop7
#  loop:    /var/tmp/luks_header_test/img
#  offset:  0 sectors
#  size:    40960 sectors
#  mode:    read/write

# you can manually open the LUKS volume and play with it:
# cryptsetup open --type luks --header /var/tmp/luks_header_test/header --key-file /var/tmp/luks_header_test/key /dev/loop7 luks_header_test

# a properly opened LUKS volume will produce:
# > cryptsetup status luks_header_test
# /dev/mapper/luks_header_test is active.

5. Cleanup

# remove the test lines from the config, then:

cryptsetup close luks_header_test
losetup -d /dev/loop7
rm -r /var/tmp/luks_header_test
Actual Results:
cryptsetup creates/opens a plain-mode volume (not LUKS)

Expected Results:
the LUKS volume is opened with its detached header
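The procedure above, reduced to the decision the init script has to make, as an added example that is not part of the bug report or of Gentoo's dmcrypt script. It assumes the variable names from /etc/conf.d/dmcrypt (target, source, key, luks_header); the function names dmcrypt_open_cmd, status_type, verify_luks_target and make_test_volume are my own, and make_test_volume reuses the report's sizes and paths but needs root and a free loop device. dmcrypt_open_cmd only prints the cryptsetup command it would run, so the branch logic can be inspected without root.

```shell
#!/bin/sh
# Added example, not the Gentoo dmcrypt init script: choose between plain
# dm-crypt, LUKS with an on-device header, and LUKS with a detached header.
# Variable names follow /etc/conf.d/dmcrypt; the function names are assumed.

# dmcrypt_open_cmd TARGET SOURCE KEY [LUKS_HEADER]
# Prints the cryptsetup command line the init script should execute.
# Arguments are positional on purpose: a per-target parameter cannot leak
# into the next target the way a global luks_header variable can.
dmcrypt_open_cmd() {
    target=$1; source=$2; key=$3; luks_header=$4

    if [ -n "$luks_header" ]; then
        # Detached header: the data device carries no LUKS signature, so
        # 'cryptsetup isLuks $source' fails with "wrong or missing parameters".
        # The configured header is the only evidence that this is LUKS.
        printf 'cryptsetup luksOpen --header %s --key-file %s %s %s\n' \
            "$luks_header" "$key" "$source" "$target"
    elif cryptsetup isLuks "$source" 2>/dev/null; then
        # On-device header: the signature is found on the source itself.
        printf 'cryptsetup luksOpen --key-file %s %s %s\n' \
            "$key" "$source" "$target"
    else
        # Neither: plain dm-crypt. Falling through to this branch for a
        # detached-header target is exactly what produces "type: PLAIN".
        printf 'cryptsetup create --key-file %s %s %s\n' \
            "$key" "$target" "$source"
    fi
}

# status_type: read 'cryptsetup status' output on stdin, print the mapping
# type (PLAIN, LUKS1, LUKS2, ...). Used to check what the script produced.
status_type() {
    sed -n 's/^ *type: *//p'
}

# verify_luks_target TARGET: succeed only if the active mapping is LUKS.
# Run this after the init script has opened the target (needs root).
verify_luks_target() {
    cryptsetup status "$1" 2>/dev/null | status_type | grep -q '^LUKS'
}

# make_test_volume DIR: build the report's detached-header test volume.
# Needs root; uses the report's sizes, letting losetup pick a free loop
# device instead of hard-coding /dev/loop7. Prints the loop device.
make_test_volume() {
    dir=$1
    mkdir -p "$dir"
    dd if=/dev/zero    of="$dir/img"    bs=1M count=20 status=none
    dd if=/dev/urandom of="$dir/key"    bs=1K count=4  status=none
    chmod 0600 "$dir/key"                       # key material: owner-only
    dd if=/dev/zero    of="$dir/header" bs=1M count=10 status=none
    loopdev=$(losetup -f --show "$dir/img")
    cryptsetup luksFormat --batch-mode --header "$dir/header" \
        --key-file "$dir/key" "$loopdev"
    echo "$loopdev"
}

# Show what would run for the report's configuration (no root needed).
dmcrypt_open_cmd luks_header_test /dev/loop7 \
    /var/tmp/luks_header_test/key /var/tmp/luks_header_test/header
```

After opening the target with the printed command, `verify_luks_target luks_header_test` is the check that distinguishes the broken result (type: PLAIN) from the expected one (type: LUKS1 or LUKS2).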
Comment 1 Oleg Akimov 2013-12-08 19:26:40 UTC
Created attachment 364964 [details, diff]
plain diff

patch for /etc/init.d/dmcrypt
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2013-12-10 11:02:16 UTC
Comment on attachment 364964 [details, diff]
plain diff

Please attach a unified patch next time.
Comment 3 Oleg Akimov 2013-12-10 14:53:09 UTC
Created attachment 365052 [details, diff]
enable detached LUKS header support
Comment 4 SpanKY gentoo-dev 2013-12-19 08:48:38 UTC
Comment on attachment 365052 [details, diff]
enable detached LUKS header support

>+		cryptsetup isLuks ${source} 2>/dev/null \
>+			&& { arg1="luksOpen"; arg2="${source}"; arg3="${target}"; luks=1; }
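Review bot: `cryptsetup isLuks ${source}` can only succeed when the LUKS header is on ${source} itself, so for the detached-header case this patch exists to support (the data device has no signature and isLuks fails, as comment 10 later reports) this branch is never taken and the target falls through to plain mode. Test the configured header as well, e.g. `if cryptsetup isLuks ${source} 2>/dev/null || [ -n "${luks_header}" ] ; then`, and quote "${source}" so a path containing spaces is not word-split.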

i know existing code style likes to pack multiple statements on one line, but let's get away from that

if cryptsetup isLuks ${source} 2>/dev/null ; then
  ... var assignments ...
fi

otherwise, patch looks fine
Comment 5 Lucian Poston 2016-10-09 17:55:20 UTC
I'd like to see this enhancement go in.

The code style suggestion above is already in the gentoo tree. Is something else blocking this issue?
Comment 6 Stephen Kirkby 2022-03-16 09:23:41 UTC
Created attachment 767170 [details, diff]
updated patch for 2.4.0-dmcrypt.rc
Comment 7 Stephen Kirkby 2022-03-16 09:24:14 UTC
Created attachment 767171 [details, diff]
updated patch for 2.4.0-dmcrypt.confd
Comment 8 Stephen Kirkby 2022-03-16 09:24:47 UTC
I've brought the original patch from Oleg up to date, so it patches against 2.4.0-dmcrypt.rc (used by the currently stable sys-fs/cryptsetup-2.4.3).

I've also patched the 2.4.0-dmcrypt.conf to add an example of using the detached header with a usb stick.

I've tested them and am currently using both patches applied to my system, it would be nice to get these included for others to use.
Comment 9 Stephen Kirkby 2022-03-26 16:59:50 UTC
Created attachment 767898 [details, diff]
updated patch for 2.4.0-dmcrypt.rc
Comment 10 Stephen Kirkby 2022-03-26 17:01:14 UTC
I realised that the patches included an 'isLuks' check which fails when using a partition with a detached header, with the following:

# cryptsetup -v isLuks /dev/<my_device>
Command failed with code -1 (wrong or missing parameters).

so the conditional to assign the arg_header never executes in 2.4.0-dmcrypt.rc, and it appears to be treated as --type=plain (it becomes clear when the removable drive isn't plugged in).

I've updated the patch with a fix.
Comment 11 Stephen Kirkby 2022-04-27 11:07:01 UTC
Created attachment 775014 [details, diff]
updated patch for 2.4.0-dmcrypt.rc

Updated patch to unset the luks header file path variable after use, so subsequent encrypted volumes can work when a detached header is not used.
Comment 12 tusooa 2022-05-10 02:47:44 UTC
(In reply to Stephen Kirkby from comment #11)
> Created attachment 775014 [details, diff] [details, diff]
> updated patch for 2.4.0-dmcrypt.rc
> 
> Updated patch to unset the luks header file path variable after use, so
> subsequent encrypted volumes can work when a detached header is not used.

```
+	if [ cryptsetup isLuks ${source} 2>/dev/null ] || [ -n "${luks_header}" ] ; then
```
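Review bot: `[ cryptsetup isLuks ${source} 2>/dev/null ]` never runs cryptsetup: inside `[ ... ]` the words are string operands to the test builtin, which fails with an error that the redirect then hides, so this half of the condition is false for every target and only `-n "${luks_header}"` decides. A LUKS volume with its header on the device would therefore be opened as plain. Drop the brackets around the command so its exit status is what gets tested.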

should be

```
+	if cryptsetup isLuks ${source} 2>/dev/null || [ -n "${luks_header}" ] ; then
```
Comment 13 Stephen Kirkby 2022-05-11 14:20:44 UTC
Created attachment 778130 [details, diff]
updated patch for 2.4.0-dmcrypt.rc

Patch updated
Comment 14 Stephen Kirkby 2022-11-13 09:53:23 UTC
Created attachment 832213 [details, diff]
Updated patch for latest stable cryptsetup 2.4.3-r2
Comment 15 Stephen Kirkby 2022-11-13 09:56:51 UTC
Created attachment 832215 [details, diff]
Updated patch for latest stable cryptsetup 2.4.3-r2

Although the latest cryptsetup-2.4.3-r2 supports detached headers, I've kept this patch alive as it supports the detached header on a removable drive.
Comment 16 Stephen Kirkby 2023-05-03 07:49:02 UTC
Created attachment 861072 [details, diff]
Updated patch for latest stable cryptsetup 2.4.3-r2

Added additional logic to wait for a specified time after unmounting the removable media, to ensure the device doesn't get remounted before the user removes it.
Comment 17 Stephen Kirkby 2023-05-03 07:49:55 UTC
Created attachment 861073 [details, diff]
Updated patch for latest stable cryptsetup 2.4.3-r2

Added additional logic to wait for a specified time after unmounting the removable media, to ensure the device doesn't get remounted before the user removes it.
Comment 18 Stephen Kirkby 2023-12-02 11:51:37 UTC
Created attachment 876383 [details, diff]
Updated patch for latest stable cryptsetup 2.6.1

Added fix for when user doesn't have encrypted swap enabled, so subsequent detached header targets will still work (simple change to move function declaration higher).