Bug 266546 - sys-fs/cryptsetup-1.0.5-r1: /lib/rcscripts/addons/ doesn't work when using the --key-file argument
Description forums 2009-04-17 15:06:28 UTC
On line 135 of /lib/rcscripts/addons/ the key file that is decrypted with gpg is passed via a pipe to cryptsetup so that it can open a device with that key file. Cryptsetup does not have a documented feature with the luksOpen argument to get the key file through a pipe. The only documented (and working for me) way is to add "--key-file -" as an argument, explicitly telling cryptsetup that the key file should be read from stdin. I had to change line 135 as follows:

gpg ${gpg_options} ${key} 2>/dev/null | cryptsetup ${options} ${arg1} ${arg2} ${arg3} --key-file -

Reproducible: Always

Steps to Reproduce:
Try to open a LUKS device with a gpg-encrypted key as described in /etc/conf.d/dmcrypt
Actual Results:  
I replaced the variables of the bash script with appropriate values and ran the command manually:

# gpg -q -d /root/hddkeys/storage1.gpg 2>/dev/null | cryptsetup luksOpen /dev/sdc2 storage1

You need a passphrase to unlock the secret key for
user: "system (system encryption)"
4096-bit ELG key, ID 1*******, created 2009-04-01 (main key ID 4*******)

Command failed: No key available with this passphrase.

Expected Results:  
I added "--key-file -" and it worked like expected:
# gpg -q -d /root/hddkeys/storage1.gpg 2>/dev/null | cryptsetup luksOpen /dev/sdc2 storage1 --key-file -
You need a passphrase to unlock the secret key for
user: "system (system encryption)"
4096-bit ELG key, ID 1*******, created 2009-04-01 (main key ID 4*******)

key slot 0 unlocked.
Command successful.

Portage (default/linux/amd64/2008.0/desktop, gcc-4.1.2, glibc-2.8_p20080602-r1, 2.6.27-gentoo-r4 x86_64)
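As an added illustration, not code from this bug report or from the Gentoo dmcrypt addon, the script below simulates why the pipe fails without "--key-file -": cryptsetup treats piped stdin as a typed passphrase and uses only the first line with the newline stripped, whereas "--key-file -" makes it read the whole stream as binary key material. The sample key bytes are constructed; the function names are the example's own.

```sh
#!/bin/sh
# Added illustration, not code from this bug report or the Gentoo dmcrypt addon.
# It simulates the two ways cryptsetup consumes piped stdin:
#   - without "--key-file -": stdin is treated as a typed passphrase and only the
#     first line (newline stripped) is used;
#   - with "--key-file -": the whole stream is read as binary key material.

# Constructed stand-in for the gpg-decrypted key file: 16 bytes, with a
# newline (0x0a) at byte 6, which random key material regularly contains.
emit_decrypted_key() {
    printf 'abcde\nfghijklmno'
}

# Count the bytes on stdin, normalising the padded output some wc builds print.
count_bytes() {
    wc -c | tr -d ' '
}

# Passphrase-style consumption: one line, newline not included.
bytes_used_without_keyfile_flag() {
    emit_decrypted_key | {
        IFS= read -r line
        printf '%s' "$line" | count_bytes
    }
}

# Key-file-style consumption, as "--key-file -" does: every byte is used.
bytes_used_with_keyfile_flag() {
    emit_decrypted_key | count_bytes
}

# True when the two readers disagree, i.e. a different key would be derived
# from the same pipe unless the flag is present.
keyfile_flag_matters() {
    [ "$(bytes_used_without_keyfile_flag)" -ne "$(bytes_used_with_keyfile_flag)" ]
}

if keyfile_flag_matters; then
    echo "passphrase-style read used $(bytes_used_without_keyfile_flag) of $(bytes_used_with_keyfile_flag) key bytes: pass --key-file -"
fi
```

Because a truncated key still yields a valid-looking passphrase, the only symptom is the "No key available with this passphrase" error seen above rather than a parse failure.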
Comment 1 forums 2010-05-25 22:55:55 UTC
One year over. Does nobody care?
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-05-26 01:31:45 UTC
1. attach an actual patch for your change, that applies against the latest version.
2. test with baselayout1 and cryptsetup-1.1.1
3. test with baselayout2 and cryptsetup-1.1.1
Comment 3 SpanKY gentoo-dev 2015-04-12 20:20:02 UTC
should be all set now in the tree; thanks for the report!

Commit message: Explicitly have cryptsetup read the key from stdin