#1 2023-03-13 15:59:43

Midnight Sun
Member
Registered: 2008-06-23
Posts: 47

[Solved] LUKS understanding keyfile offset and size.

Hello.

I am experimenting with Arch and LUKS encrypted partitions. Almost everything works fine, but I am having trouble with using a keyfile to open one of the partitions' LUKS containers.

I set up the partition and the LUKS header, and a keyslot with my passphrase, which is just a single character "p" because I'm only experimenting and it's easier to type one char.

I am using noauto in fstab and crypttab, and then using ls to cause the open and mount to occur.

I can open the container using command line cryptsetup open just fine, but when I try to use a keyfile it fails and asks for the passphrase on stdin.

At first this was because I used nano to create the keyfile and so it had a trailing newline.

I used echo -n "p" > /etc/cryptsetup-keys.d/six.key instead and it worked fine, so everything in crypttab, fstab and the keyfile's location are correct.

Then I thought, can I extract the single character from the keyfile using a keyfile-size option in crypttab? I tried the following and it did not work.

Can anybody tell me what I am missing about how keyfiles work?

--------------------------
keyfile: /etc/cryptsetup-keys.d/six.key
Using od to inspect the keyfile shows it has the "p" and the newline.

# od -t x1 /etc/cryptsetup-keys.d/six.key
0000000 70 0a
0000002
--------------------------
crypttab entry:
six    /dev/sda6    -    password-echo=masked,noauto,keyfilesize=1
--------------------------
fstab entry:
/dev/mapper/six    /mnt/six    ext4    noauto,x-systemd.automount    0    2
--------------------------

I also tried making a keyfile with a long string of "pppppppppp", and using keyfile-size=1 and keyfile-offset=3 in the crypttab entry in an attempt to index into the file and pick up a single "p", but that didn't work either.

I think the most likely problem is that I HAVE NO CLUE HOW IT ACTUALLY WORKS. I have read the man pages for cryptsetup and crypttab and the wiki, but I just don't get it.
I thought that keyfile-size was how many bytes to grab and keyfile-offset was where to start grabbing from.

If I remove the newline it works fine again:
# od -t x1 /etc/cryptsetup-keys.d/six.key
0000000 70
0000001

Any advice much appreciated.

Last edited by Midnight Sun (2023-03-13 17:22:03)

#2 2023-03-13 16:09:38

frostschutz
Member
Registered: 2013-11-15
Posts: 1,417

Re: [Solved] LUKS understanding keyfile offset and size.

There is a - missing (keyfilesize → keyfile-size).

Edit:
And it may be possible that, for auto-discovered keys in cryptsetup-keys.d, it ignores that size and just uses the file size anyway. In that case you also have to specify the keyfile itself explicitly.

Last edited by frostschutz (2023-03-13 16:16:06)

#3 2023-03-13 17:21:07

Midnight Sun
Member
Registered: 2008-06-23
Posts: 47

Re: [Solved] LUKS understanding keyfile offset and size.

Fantastic! Thanks so much.

The keyfilesize typo was only in the post not the crypttab, so not a problem. Sorry about that; having to type stuff from one machine to another.


You seem to be spot on with the point about auto discovered keys. I changed the crypttab entry from "-" to the specific file path and it all worked fine, even though it is the exact same file.

Also, I changed the file to "aaaapaaaa" and used keyfile-size=1,keyfile-offset=4 and it worked with the specific file path and failed with the "-" auto discovery of the same file.

Thank you, frostschutz. Saved my day.
For others following:
It seems that to extract a byte sequence from a keyfile using the keyfile-size and keyfile-offset options in crypttab you must specify the keyfile's absolute path in column 3, not rely on auto-discovery at /etc/cryptsetup-keys.d/<name>.key.
If you use "none" or "-" in the 3rd column to trigger auto-discovery of the keyfile, those options will be ignored, even if the same file is in the same expected location.

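Added example, not part of the thread above: a small POSIX shell helper that previews, without root and without calling cryptsetup, which bytes a crypttab entry would hand to cryptsetup for a given keyfile-offset= and keyfile-size=, flags a key file that ends in a newline (the 0a byte becomes part of the key, which is why the nano-created file failed), and reports whether a crypttab line relies on "-"/"none" auto-discovery, where the posts above found the two options ignored. Offset is modelled as bytes skipped and size as bytes read, which is what cryptsetup's --keyfile-offset/--keyfile-size mean; treating size 0 as "rest of the file" is this helper's own convention, and the auto-discovery rule encodes the behaviour observed in this thread, not a documented guarantee. The sample key files and crypttab lines are constructed here.

```shell
#!/bin/sh
# Preview the key bytes a crypttab entry would feed to cryptsetup.
# Example code written for this thread; no cryptsetup or root needed.

# key_bytes FILE [OFFSET] [SIZE]
# Prints the bytes cryptsetup would read as hex, space separated.
# OFFSET = bytes to skip (keyfile-offset=), SIZE = bytes to read
# (keyfile-size=). SIZE 0 (this helper's convention) means "to end of file".
key_bytes() {
    file=$1; offset=${2:-0}; size=${3:-0}
    if [ "$size" -gt 0 ]; then
        dd if="$file" bs=1 skip="$offset" count="$size" 2>/dev/null
    else
        dd if="$file" bs=1 skip="$offset" 2>/dev/null
    fi | od -An -tx1 | tr '\n' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# has_trailing_newline FILE -> exit 0 if the last byte is 0x0a.
# cryptsetup does not strip it: "p\n" is a two-byte key, not "p".
has_trailing_newline() {
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# crypttab_keyfile_opts_effective "LINE"
# Prints "yes" if keyfile-offset=/keyfile-size= in column 4 would be
# honoured (explicit key file path in column 3), "no" if the line uses
# "-" or "none" auto-discovery (observed in this thread to ignore them),
# or "n/a" if neither option is present.
crypttab_keyfile_opts_effective() {
    # shellcheck disable=SC2086
    set -- $1
    keyfile=${3:--}; opts=${4:-}
    case ",$opts," in
        *,keyfile-offset=*|*,keyfile-size=*) ;;
        *) echo "n/a"; return 0 ;;
    esac
    case "$keyfile" in
        -|none) echo "no" ;;
        *)      echo "yes" ;;
    esac
}

# Stand-alone demo with constructed key files (mirrors the posts above).
demo() {
    tmp=$(mktemp -d)
    printf 'p\n'       > "$tmp/six.key"       # constructed: what nano produced
    printf 'p'         > "$tmp/six-nonl.key"  # constructed: echo -n / printf
    printf 'aaaapaaaa' > "$tmp/long.key"      # constructed: the second test
    echo "six.key      whole file        : $(key_bytes "$tmp/six.key")"
    echo "six-nonl.key whole file        : $(key_bytes "$tmp/six-nonl.key")"
    echo "six.key      offset=0 size=1   : $(key_bytes "$tmp/six.key" 0 1)"
    echo "long.key     offset=4 size=1   : $(key_bytes "$tmp/long.key" 4 1)"
    if has_trailing_newline "$tmp/six.key"; then
        echo "six.key ends in a newline: the 0a byte is part of the key"
    fi
    for line in \
        "six /dev/sda6 - noauto,keyfile-size=1" \
        "six /dev/sda6 /etc/cryptsetup-keys.d/six.key noauto,keyfile-size=1,keyfile-offset=4"
    do
        echo "options honoured? $(crypttab_keyfile_opts_effective "$line")  <- $line"
    done
    rm -rf "$tmp"
}
demo
```

Run it as a plain user; it only reads the temporary files it creates. To check a real key file, call key_bytes on it with the offset and size from your crypttab line and compare against what you expect the passphrase bytes to be.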