Bug 548040

Summary: sys-fs/cryptsetup-1.6.7: Recent "--key-file -" inclusion for GPG protected keys may cause problems on old systems
Product: Gentoo Linux
Reporter: steffen.bruederle
Component: [OLD] Core system
Assignee: Gentoo's Team for Core System packages <base-system>
Description steffen.bruederle 2015-04-28 16:21:51 UTC
I'm not sure if this is actually considered a bug; I decided to report it anyway, as others might run into the same problem.

I've just updated my Gentoo system, which apparently installed an updated version of sys-fs/cryptsetup.

When I rebooted my system afterwards, during booting it failed at mounting my encrypted partition, the key for which is stored in a GPG key file. When I entered the correct pass phrase, the system would print "No key available with this pass phrase".

I have already figured out the reason, it appears to be almost identical to this bug (just the other way around):

More precisely, it appears to be a side-effect of the bugfix announced in this comment:
provided by this patch:

It seems like historically cryptsetup was always using the following command to open a GPG-key-file-protected encrypted device:
gpg ${gpg_options} ${key} 2>/dev/null | cryptsetup ${options} ${arg1} ${arg2} ${arg3}

With the recent cryptsetup-1.6.7 however this command was changed to:
gpg ${gpg_options} ${key} 2>/dev/null | cryptsetup --key-file - ${options} ${arg1} ${arg2} ${arg3}

When I manually ran both commands, I could successfully open/unlock my partition using the old command without "--key-file -"; the new command with "--key-file -", however, failed, giving the "No key available with this pass phrase" error described before.

I assume that giving the "--key-file -" option causes cryptsetup to process the passphrase from stdin slightly differently, but I don't really understand how.

I guess the newer "--key-file -" is actually the correct way to do it; but back when I set up the encryption some years ago I was following the documentation in the cryptsetup/luks pages in the Gentoo Wiki, and there was no mention of using this "--key-file -" parameter back then. So I guess other people might run into the same problem when updating their system.

As a temporary workaround, I simply removed the new "--key-file -" parameter from the init.d-file, and now it's working fine again.

If the new "--key-file -" is the right way to go, then I would rather use this version. But I guess in this case I would need to somehow recreate my GPG key file (how?), or should I have already acted differently back when I was luksFormatting the device?

Reproducible: Always
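An added example, not part of the bug report and not Gentoo's or cryptsetup's own code. It illustrates the difference the reporter ran into, as documented in cryptsetup's man page notes on passphrase processing: when cryptsetup reads stdin without --key-file it treats the data as a passphrase and stops at the first newline, whereas with "--key-file -" it uses every byte of the stream, newlines included. A GPG-protected key whose plaintext contains a newline (for example a trailing newline added by an editor, or a newline byte inside random binary) therefore yields two different keys depending on the command form, and a slot enrolled with one form will not open with the other. The script emulates both readings on constructed sample files, and the repair function (assumed names /dev/sdX and key.gpg, not executed by the demo) shows one way to enrol the full key in a new slot, authorised by the truncated key the old pipeline actually used.

```shell
#!/bin/sh
# Added example (not from the bug report or from cryptsetup).  Device and
# key-file names in repair_luks_keyfile are placeholders.
set -eu

# Key bytes cryptsetup uses when stdin is read as a passphrase (no --key-file):
# reading stops at the first newline, which is dropped.
passphrase_mode_key() {
    head -n 1 "$1" | tr -d '\n'
}

# Key bytes cryptsetup uses with "--key-file -": the whole stream, as is.
keyfile_mode_key() {
    cat "$1"
}

# Length of the key as each reading mode sees it.
passphrase_mode_len() { passphrase_mode_key "$1" | wc -c | tr -d ' '; }
keyfile_mode_len()    { keyfile_mode_key "$1"    | wc -c | tr -d ' '; }

# Succeeds (exit 0) when the two modes would hand cryptsetup different keys,
# i.e. when the plaintext key contains a newline anywhere.
modes_differ() {
    [ "$(passphrase_mode_len "$1")" -ne "$(keyfile_mode_len "$1")" ]
}

# Inspect a GPG-protected key file and, if its plaintext is newline-sensitive,
# add the full key (what "--key-file -" sees) as a new LUKS slot, authorised by
# the truncated key (what the old "| cryptsetup luksOpen" pipeline saw).
# Run this from a tmpfs so the decrypted key never touches disk.
repair_luks_keyfile() {
    dev=$1            # e.g. /dev/sdX (placeholder)
    gpgkey=$2         # e.g. key.gpg  (placeholder)
    work=$(mktemp -d)
    gpg --quiet --batch --decrypt "$gpgkey" > "$work/full"
    if ! modes_differ "$work/full"; then
        echo "key contains no newline: both command forms use the same key"
    else
        passphrase_mode_key "$work/full" > "$work/enrolled"
        echo "passphrase mode truncates the key to $(passphrase_mode_len "$work/full") of $(keyfile_mode_len "$work/full") bytes"
        # --key-file reads the authorising key raw; "enrolled" has no newline,
        # so it equals the bytes the old pipeline enrolled at luksFormat time.
        cryptsetup luksAddKey "$dev" "$work/full" --key-file "$work/enrolled"
    fi
    rm -rf "$work"
}

# Demo on constructed sample keys (no gpg or cryptsetup needed).
demo() {
    d=$(mktemp -d)
    printf 'correct horse battery'   > "$d/no_newline"
    printf 'correct horse battery\n' > "$d/trailing_newline"
    printf 'ab\ncd\nef'              > "$d/embedded_newline"
    for f in no_newline trailing_newline embedded_newline; do
        if modes_differ "$d/$f"; then
            echo "$f: passphrase mode $(passphrase_mode_len "$d/$f") bytes, --key-file - $(keyfile_mode_len "$d/$f") bytes: DIFFERENT"
        else
            echo "$f: $(keyfile_mode_len "$d/$f") bytes either way"
        fi
    done
    rm -rf "$d"
}

demo
```

For the reporter's case this means the old and new init script lines are only interchangeable when the decrypted key holds no newline byte; otherwise either keep the old form, or enrol the full key once (as repair_luks_keyfile does) and then switch to "--key-file -".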