
#1 2019-02-04 03:00:05

sowieso
Member
Registered: 2016-02-02
Posts: 7

[Solved] LuksFormat doesn't accept fresh passphrase

Does anyone have an idea how this is happening:

#> echo verysecurepassword | cryptsetup -v luksFormat --type luks2 /dev/sda1
WARNING: Device /dev/sda1 already contains a 'crypto_LUKS' superblock signature.
Existing 'crypto_LUKS' superblock signature on device /dev/sda1 will be wiped.
Existing 'crypto_LUKS' superblock signature on device /dev/sda1 will be wiped.
Key slot 0 created.
Command successful.

#> echo verysecurepassword | cryptsetup -v open /dev/sda1 home
No key available with this passphrase.
Command failed with code -2 (no permission or bad passphrase).

So I'm not able to set up a passphrase. Typing instead of stdin didn't work either. Nor did specifying a keyfile.
I'm following the instructions here: https://wiki.archlinux.org/index.php/Dm … ire_system.

What I did before was wiping the disk with dd and formatting it with cfdisk (gpt). /etc/crypttab is empty. Using other names than "home" doesn't work either.

Last edited by sowieso (2019-02-05 02:34:13)


#2 2019-02-04 11:08:54

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: [Solved] LuksFormat doesn't accept fresh passphrase

Can't reproduce your issue.

Are you actually literally using "verysecurepassword" and still have this problem? If you are using special characters (unquoted) then bash expansion might be playing tricks on you (esp. with history expansion).

# echo verysecurepassword | cryptsetup -v luksFormat --type luks2 foobar.luks 
WARNING: Device foobar.luks already contains a 'crypto_LUKS' superblock signature.
Existing 'crypto_LUKS' superblock signature on device foobar.luks will be wiped.
Existing 'crypto_LUKS' superblock signature on device foobar.luks will be wiped.
Key slot 0 created.
Command successful.
# echo verysecurepassword | cryptsetup -v open foobar.luks schnitzelkuchen
Key slot 0 unlocked.
Command successful.

However it would be better to use 'echo -n' so no newline will be appended.

I thought perhaps the name you're trying to use (home) is already taken but the error message seems different in this case:

# echo verysecurepassword | cryptsetup -v open foobar.luks schnitzelkuchen
Device schnitzelkuchen already exists.
Command failed with code -5 (device already exists or device is busy).

You could also check dmesg if there were any write errors to sda1, or try a regular file (truncate -s 8M foobar.luks) instead of the device.

Sometimes opening LUKS containers fails due to modules not being loaded but that should happen automagically, it could be a problem though if you updated your kernel but have not rebooted (so current running kernel had its modules removed, ArchLinux is not kind to you that way).

Last edited by frostschutz (2019-02-04 11:11:39)


#3 2019-02-04 13:07:54

sowieso
Member
Registered: 2016-02-02
Posts: 7

Re: [Solved] LuksFormat doesn't accept fresh passphrase

Thanks for your advice.

Yes, I tried it literally with "verysecurepassword" and this happened. I was expecting the same result that you got.
I forgot to mention that this is not a clean installation, just a new hard drive.

Here's the dmesg output, but I didn't spot anything specific to /dev/sda:
https://pastebin.com/JuqJZ7v0

Good idea trying it with a file. This doesn't work either. Formatting the disk with ext4 without any encryption worked flawlessly btw.

Last edited by sowieso (2019-02-04 13:24:11)


#4 2019-02-04 13:22:19

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: [Solved] LuksFormat doesn't accept fresh passphrase

It could be missing kernel modules, if you're not properly booted - installed new kernel without reboot, or live cd chroot environment and unable to load modules from within chroot (try running same command outside chroot first, then modules may be loaded).

Some livecds also come without cryptsetup and related modules installed in the first place and you have to manually install first.

Maybe you would see more if you run it with 'strace'. If there is a missing kernel module, you'd get an unexpected error in some ioctl or other.

Last edited by frostschutz (2019-02-04 13:23:51)


#5 2019-02-04 13:24:19

sowieso
Member
Registered: 2016-02-02
Posts: 7

Re: [Solved] LuksFormat doesn't accept fresh passphrase

I got more insight:
I created a file "somefile" on the newly formatted unencrypted /dev/sda1 == /home partition, and it failed like it does all the time. But when executing the same commands on a file on my root partition /dev/mapper/root on /dev/sdc it works.

I totally forgot to mention that my root partition is also luks-encrypted. Maybe there is some connection? The encryption was performed with a kernel several years ago. Encrypting the file on /dev/sda1 with luks1 doesn't help though.


#6 2019-02-04 13:35:40

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: [Solved] LuksFormat doesn't accept fresh passphrase

*scratches head*

selinux / apparmor / systemd interfering somehow?

cryptsetup luksDump works and shows new uuid etc. after luksFormat?

Last edited by frostschutz (2019-02-04 13:36:34)


#7 2019-02-04 13:42:51

sowieso
Member
Registered: 2016-02-02
Posts: 7

Re: [Solved] LuksFormat doesn't accept fresh passphrase

Looks fine to me:
cryptsetup luksDump somefile   
LUKS header information
Version:        2
Epoch:          3
Metadata area:  12288 bytes
UUID:           6017bf6c-bfad-4bda-85e3-c1f9acf3164f
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

There should be no selinux and apparmor running. Systemd could be the culprit though. Are there maybe some configuration files in /etc that could interfere?

Last edited by sowieso (2019-02-04 13:44:17)


#8 2019-02-04 13:46:49

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: [Solved] LuksFormat doesn't accept fresh passphrase

and the UUID changes for each subsequent luksFormat?

Sorry - no idea right now. Anything in strace?

Does it work if you write /bin/cryptsetup instead of just cryptsetup? (could be a defined function or alias that does something else)

tampered binaries? thinking of really weird stuff now. ;-)

Last edited by frostschutz (2019-02-04 13:52:33)


#9 2019-02-04 13:53:17

sowieso
Member
Registered: 2016-02-02
Posts: 7

Re: [Solved] LuksFormat doesn't accept fresh passphrase

Yes, UUID changes normally. Here's the strace, it looks fine to me, at least not obviously wrong.
https://pastebin.com/3hzbJTin

/bin/cryptsetup instead of cryptsetup didn't change anything. But it was a creative idea :)

I guess I'll have to prepare a USB stick and see if it works from outside the system.

--

Cryptsetup really hates this HDD. Reports the same error message from a clean arch install medium. This is so strange...

Last edited by sowieso (2019-02-04 14:53:31)


#10 2019-02-04 15:09:04

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: [Solved] LuksFormat doesn't accept fresh passphrase

There's something going on with subprocesses there (need strace -ff to see that) but it pretty much looks identical to mine, except the passphrase is accepted here.

You're still sending a newline \n with your very secure passphrase, use 'echo -n ...' or 'printf "%s" ...' on both format and open just to rule this out completely.

Does it accept the passphrase when you type it manually?

Does it accept the passphrase when you copy the file (if you're using one for this test) to another location first?

Do the files differ?

It's a mystery, sorry. Perhaps do a bad ram test? luks2 uses a ram-intensive hashing method so... so perhaps bad ram could... really grasping at straws here

Default PBKDF for LUKS2: argon2i
	Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^

It operates over 1GiB of RAM so if the RAM misbehaved it could explain unexplainable failure to accept pass.

Last edited by frostschutz (2019-02-04 15:13:53)


#11 2019-02-05 02:32:48

sowieso
Member
Registered: 2016-02-02
Posts: 7

Re: [Solved] LuksFormat doesn't accept fresh passphrase

I think I found the error. It's pretty boring, it's just a hardware malfunction. I plugged the HDD in another port on the mainboard and now luks is working as expected. So the disk is fine, it's the mainboard that's broken. Not sure if it's writing or reading, but I think it's scrambling some bits in the process, maybe with preference to the start of the disk.

I'm sorry for keeping you busy with this, thanks a lot for your support!


#12 2019-02-05 04:39:01

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: [Solved] LuksFormat doesn't accept fresh passphrase

Hmmm, my guess was a freshly created LUKS header should still be cached and not be re-read from disk at all, however cryptsetup does open with O_DIRECT so ...

Reading up on this in man 2 open...

              "The thing that has always disturbed me about O_DIRECT is that
              the whole interface is just stupid, and was probably designed by
              a deranged monkey on some serious mind-controlling substances."—Linus

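Added example (not part of the thread, and not code from any poster): a write/read-back check for the kind of fault diagnosed in #11, where data written through one mainboard port came back altered. It reads back with O_DIRECT where the filesystem allows it, as cryptsetup is said to in #12; the function names, the test file name and the default sizes are assumptions made for this sketch.

```sh
#!/bin/sh
# Write/read-back integrity check for a suspect disk or controller port.
# Usage (after sourcing): readback_check DIR [ROUNDS] [SIZE_MIB]
# DIR must be on a filesystem that lives on the suspect disk.
# Only a temporary file inside DIR is written; existing data is untouched.

# Print the SHA-256 of FILE, bypassing the page cache when O_DIRECT works.
# Without O_DIRECT the data may come from RAM, so a clean result proves less.
read_back() {
    if dd if="$1" of=/dev/null iflag=direct bs=1M count=1 2>/dev/null; then
        dd if="$1" iflag=direct bs=1M 2>/dev/null
    else
        dd if="$1" bs=1M 2>/dev/null
    fi | sha256sum | cut -d' ' -f1
}

# Succeed only if FILE, as read back from storage, hashes to WANT.
verify_file() {
    got=$(read_back "$1")
    [ "$got" = "$2" ] && return 0
    echo "MISMATCH on $1: expected $2, read $got" >&2
    return 1
}

# Write fresh random data ROUNDS times, hash it in flight, flush, read back.
# Prints the number of failed rounds; exit status is 0 only if that is 0.
readback_check() {
    dir=$1; rounds=${2:-5}; mib=${3:-8}
    f="$dir/readback-test.$$"
    bad=0; i=1
    while [ "$i" -le "$rounds" ]; do
        # tee stores the data while sha256sum hashes the bytes before they
        # reach the disk, so "want" is what should be on the platters.
        want=$(head -c "$((mib * 1048576))" /dev/urandom | tee "$f" \
               | sha256sum | cut -d' ' -f1)
        sync
        verify_file "$f" "$want" || bad=$((bad + 1))
        i=$((i + 1))
    done
    rm -f "$f"
    echo "$bad"
    [ "$bad" -eq 0 ]
}
```

A non-zero count on one port and zero on another, with the same disk, matches the fault described in #11.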
