Bug 493690 - sys-fs/cryptsetup: add support for detached LUKS header
Summary: sys-fs/cryptsetup: add support for detached LUKS header
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: Normal enhancement with 3 votes
Assignee: Gentoo's Team for Core System packages
Keywords: PATCH
Reported: 2013-12-08 19:25 UTC by Oleg Akimov
Modified: 2022-11-13 09:56 UTC
Attachments
plain diff (dmcrypt.luks_header.patch, 1.58 KB, patch)
2013-12-08 19:26 UTC, Oleg Akimov
enable detached LUKS header support (dmcrypt.patch, 2.56 KB, patch)
2013-12-10 14:53 UTC, Oleg Akimov
updated patch for 2.4.0-dmcrypt.rc (2.4.0-dmcrypt.rc.patch, 2.42 KB, patch)
2022-03-16 09:23 UTC, Stephen Kirkby
updated patch for 2.4.0-dmcrypt.confd (2.4.0-dmcrypt.confd.patch, 446 bytes, patch)
2022-03-16 09:24 UTC, Stephen Kirkby
updated patch for 2.4.0-dmcrypt.rc (2.4.0-dmcrypt.rc.patch, 5.36 KB, patch)
2022-03-26 16:59 UTC, Stephen Kirkby
updated patch for 2.4.0-dmcrypt.rc (2.4.0-dmcrypt.rc.patch, 5.87 KB, patch)
2022-04-27 11:07 UTC, Stephen Kirkby
updated patch for 2.4.0-dmcrypt.rc (2.4.0-dmcrypt.rc.patch, 5.87 KB, patch)
2022-05-11 14:20 UTC, Stephen Kirkby
Updated patch for latest stable cryptsetup 2.4.3-r2 (2.4.3-dmcrypt.confd.patch, 474 bytes, patch)
2022-11-13 09:53 UTC, Stephen Kirkby
Updated patch for latest stable cryptsetup 2.4.3-r2 (2.4.3-dmcrypt.rc.patch, 4.04 KB, patch)
2022-11-13 09:56 UTC, Stephen Kirkby

Description Oleg Akimov 2013-12-08 19:25:16 UTC
/etc/conf.d/dmcrypt contains argument for detached luks header

/etc/init.d/dmcrypt misses support of it

but we have a patch now )

Reproducible: Always

Steps to Reproduce:
1. create luks volume with detached header on file

# create dir for experiments
mkdir -p /var/tmp/luks_header_test

# create 20M image
dd if=/dev/zero of=/var/tmp/luks_header_test/img bs=1M count=20

# generate key
dd if=/dev/urandom of=/var/tmp/luks_header_test/key bs=1K count=4

# generate 10M header file
dd if=/dev/zero of=/var/tmp/luks_header_test/header bs=1M count=10

# converting image file to device loop7
losetup -v /dev/loop7 /var/tmp/luks_header_test/img

# format luks volume
cryptsetup luksFormat --header /var/tmp/luks_header_test/header --key-file /var/tmp/luks_header_test/key /dev/loop7


2. configure /etc/conf.d/dmcrypt with luks_header

add these lines to config:

target=luks_header_test
source='/dev/loop7'
key='/var/tmp/luks_header_test/key'
luks_header='/var/tmp/luks_header_test/header'

3. restart dmcrypt

4. check status

cryptsetup status luks_header_test

# you will see for wrong plain mode:
#
# > cryptsetup status luks_header_test
# /dev/mapper/luks_header_test is active.
#  type:    PLAIN
#  cipher:  aes-cbc-essiv:sha256
#  keysize: 256 bits
#  device:  /dev/loop7
#  loop:    /var/tmp/luks_header_test/img
#  offset:  0 sectors
#  size:    40960 sectors
#  mode:    read/write

# you can manually open luks volume and play with it
# cryptsetup open --type luks --header /var/tmp/luks_header_test/header --key-file /var/tmp/luks_header_test/key /dev/loop7 luks_header_test

# properly opened luks volume will produce:
# > cryptsetup status luks_header_test
# /dev/mapper/luks_header_test is active.

5. cleanup

# remove test lines from config, then

cryptsetup close luks_header_test
losetup -d /dev/loop7
rm -r /var/tmp/luks_header_test
Actual Results:  
cryptsetup create/open plain mode volume (not luks)

Expected Results:  
open luks volume with detached header
Comment 1 Oleg Akimov 2013-12-08 19:26:40 UTC
Created attachment 364964 [details, diff]
plain diff

patch for /etc/init.d/dmcrypt
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2013-12-10 11:02:16 UTC
Comment on attachment 364964 [details, diff]
plain diff

Please attach a unified patch next time.
Comment 3 Oleg Akimov 2013-12-10 14:53:09 UTC
Created attachment 365052 [details, diff]
enable detached LUKS header support
Comment 4 SpanKY gentoo-dev 2013-12-19 08:48:38 UTC
Comment on attachment 365052 [details, diff]
enable detached LUKS header support

>+		cryptsetup isLuks ${source} 2>/dev/null \
>+			&& { arg1="luksOpen"; arg2="${source}"; arg3="${target}"; luks=1; }
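
Review bot: the `cryptsetup isLuks ${source}` test on the first quoted line probes only the data device, so for a volume whose header is kept in `luks_header` it finds no LUKS header there and the `luksOpen` assignments are skipped; the condition should also take `luks_header` into account, for example by treating a non-empty `luks_header` as LUKS. `${source}` should also be written as "${source}" so that an empty value or a path containing spaces does not change the arguments cryptsetup receives.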

i know existing code style likes to pack multiple statements on one line, but let's get away from that

if cryptsetup isLuks ${source} 2>/dev/null ; then
  ... var assignments ...
fi

otherwise, patch looks fine
Comment 5 Lucian Poston 2016-10-09 17:55:20 UTC
I'd like to see this enhancement go in.

The code style suggestion above is already in the gentoo tree. Is something else blocking this issue?
Comment 6 Stephen Kirkby 2022-03-16 09:23:41 UTC
Created attachment 767170 [details, diff]
updated patch for 2.4.0-dmcrypt.rc
Comment 7 Stephen Kirkby 2022-03-16 09:24:14 UTC
Created attachment 767171 [details, diff]
updated patch for 2.4.0-dmcrypt.confd
Comment 8 Stephen Kirkby 2022-03-16 09:24:47 UTC
I've brought the original patch from Oleg up to date, so it patches against 2.4.0-dmcrypt.rc (used by the currently stable sys-fs/cryptsetup-2.4.3).

I've also patched the 2.4.0-dmcrypt.conf to add an example of using the detached header with a USB stick.

I've tested them and am currently using both patches applied to my system; it would be nice to get these included for others to use.
Comment 9 Stephen Kirkby 2022-03-26 16:59:50 UTC
Created attachment 767898 [details, diff]
updated patch for 2.4.0-dmcrypt.rc
Comment 10 Stephen Kirkby 2022-03-26 17:01:14 UTC
I realised that the patches included an 'isLuks' check which fails when using a partition with a detached header, with the following:

# cryptsetup -v isLuks /dev/<my_device>
Command failed with code -1 (wrong or missing parameters).

so the conditional to assign the arg_header never executes in 2.4.0-dmcrypt.rc, and it appears to be treated as --type=plain (it becomes clear when the removable drive isn't plugged in).

I've updated the patch with a fix.
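
The failure described in comment 10, as an added example that is not part of the bug thread or the attached patches: probing only the data device classifies a detached-header volume as plain, while letting a configured header decide does not. The function names, the constructed files and the error-on-missing-header policy are assumptions of this example; it inspects the LUKS magic bytes instead of calling cryptsetup so that it runs without root.

```shell
#!/bin/sh
# Added example (not from the bug or its patches). Files are constructed.

# has_luks_magic FILE: true if FILE starts with "LUKS" 0xBA 0xBE.
has_luks_magic() {
	[ -r "$1" ] || return 1
	magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
	[ "$magic" = "4c554b53babe" ]
}

# naive_mode SOURCE HEADER: probes only the data device, like a bare
# `cryptsetup isLuks ${source}`; HEADER is ignored.
naive_mode() {
	if has_luks_magic "$1"; then echo luks; else echo plain; fi
}

# strict_mode SOURCE HEADER: a configured header decides the type.
# Assumption of this example: an unreadable or invalid header is an error,
# never a silent fallback to plain mode.
strict_mode() {
	if [ -n "$2" ]; then
		if has_luks_magic "$2"; then
			echo luks
		else
			echo error
			return 1
		fi
	elif has_luks_magic "$1"; then
		echo luks
	else
		echo plain
	fi
}

# Constructed sample: zero-filled data image, header file with only the magic.
demo_dir=$(mktemp -d)
dd if=/dev/zero of="$demo_dir/img" bs=1024 count=4 2>/dev/null
printf 'LUKS\272\276' > "$demo_dir/header"

naive_mode "$demo_dir/img" "$demo_dir/header"
strict_mode "$demo_dir/img" "$demo_dir/header"
strict_mode "$demo_dir/img" "$demo_dir/unplugged" || true
```

The third call models the removable drive not being plugged in: the strict variant reports an error where the naive one would go on to create a plain mapping.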
Comment 11 Stephen Kirkby 2022-04-27 11:07:01 UTC
Created attachment 775014 [details, diff]
updated patch for 2.4.0-dmcrypt.rc

Updated patch to unset the luks header file path variable after use, so subsequent encrypted volumes can work when a detached header is not used.
Comment 12 tusooa 2022-05-10 02:47:44 UTC
(In reply to Stephen Kirkby from comment #11)
> Created attachment 775014 [details, diff]
> updated patch for 2.4.0-dmcrypt.rc
> 
> Updated patch to unset the luks header file path variable after use, so
> subsequent encrypted volumes can work when a detached header is not used.

```
+	if [ cryptsetup isLuks ${source} 2>/dev/null ] || [ -n "${luks_header}" ] ; then
```

should be

```
+	if cryptsetup isLuks ${source} 2>/dev/null || [ -n "${luks_header}" ] ; then
```
.
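
Review bot: in the bracketed line, `[ cryptsetup isLuks ${source} ]` hands those words to `test` as an expression instead of running cryptsetup, and `2>/dev/null` hides the resulting error, so only the `luks_header` half of the condition can ever be true; the unbracketed replacement fixes that. In both lines `${source}` is still unquoted and should be written as "${source}".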
Comment 13 Stephen Kirkby 2022-05-11 14:20:44 UTC
Created attachment 778130 [details, diff]
updated patch for 2.4.0-dmcrypt.rc

Patch updated
Comment 14 Stephen Kirkby 2022-11-13 09:53:23 UTC
Created attachment 832213 [details, diff]
Updated patch for latest stable cryptsetup 2.4.3-r2
Comment 15 Stephen Kirkby 2022-11-13 09:56:51 UTC
Created attachment 832215 [details, diff]
Updated patch for latest stable cryptsetup 2.4.3-r2

Although the latest cryptsetup-2.4.3-r2 supports detached headers, I've kept this patch alive as it supports the detached header on a removable drive.