Hello.
I am experimenting with Arch and LUKS encrypted partitions. Almost everything works fine, but I am having trouble with using a keyfile to open one of the partitions' LUKS containers.
I set up the partition and the LUKS header, and a keyslot with my passphrase, which is just a single character "p" because I'm only experimenting and it's easier to type one char.
I am using noauto in fstab and crypttab, and then using ls to cause the open and mount to occur.
I can open the container using command line cryptsetup open just fine, but when I try to use a keyfile it fails and asks for the passphrase on stdin.
At first this was because I used nano to create the keyfile and so it had a trailing newline.
I used echo -n "p" > /etc/cryptsetup-keys.d/six.key instead and it worked fine, so everything in crypttab, fstab and the keyfile's location are correct.
Then I thought, can I extract the single character from the keyfile using a keyfile-size option in crypttab? I tried the following and it did not work.
Can anybody tell me what I am missing about how keyfiles work?
--------------------------
keyfile: /etc/cryptsetup-keys.d/six.key
Using od to inspect the keyfile shows it has the "p" and the newline.
# od -t x1 /etc/cryptsetup-keys.d/six.key
0000000 70 0a
0000002
--------------------------
crypttab entry:
six /dev/sda6 - password-echo=masked,noauto,keyfilesize=1
--------------------------
fstab entry:
/dev/mapper/six /mnt/six ext4 noauto,x-systemd.automount 0 2
--------------------------
I also tried making a keyfile with a long string of "pppppppppp", and using keyfile-size=1 and keyfile-offset=3 in the crypttab entry in an attempt to index into the file and pick up a single "p", but that didn't work either.
I think the most likely problem is that I HAVE NO CLUE HOW IT ACTUALLY WORKS. I have read the man pages for cryptsetup and crypttab and the wiki, but I just don't get it.
I thought that keyfile-size was how many bytes to grab and keyfile-offset was where to start grabbing from.
If I remove the newline it works fine again:
# od -t x1 /etc/cryptsetup-keys.d/six.key
0000000 70
0000001
Any advice much appreciated.
Last edited by Midnight Sun (2023-03-13 17:22:03)
There is a - missing (keyfilesize → keyfile-size).
edit:
And it may be possible that, for auto discovered keys in cryptsetup-keys.d, it ignores that size and just uses the filesize anyway. In that case you also have to specify the keyfile itself explicitly.
Last edited by frostschutz (2023-03-13 16:16:06)
Fantastic! Thanks so much.
The keyfilesize typo was only in the post not the crypttab, so not a problem. Sorry about that; having to type stuff from one machine to another.
You seem to be spot on with the point about auto discovered keys. I changed the crypttab entry from "-" to the specific file path and it all worked fine, even though it is the exact same file.
Also, I changed the file to "aaaapaaaa" and used keyfile-size=1,keyfile-offset=4 and it worked with the specific file path and failed with the "-" auto discovery of the same file.
Thank you, frostschutz. Saved my day.
For others following:
It seems that to extract a byte sequence from a keyfile using the keyfile-size and keyfile-offset options in crypttab you must specify the keyfile's absolute path in column 3, not rely on auto discovery at /etc/cryptsetup-keys.d/<name>.key.
If you use "none" or "-" in the 3rd column to trigger auto discovery of the keyfile those options will be ignored, even if the same file is in the same expected location.
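Added example (not from the thread or from the cryptsetup project): a small POSIX shell script that reproduces, on a scratch file only, the two things the thread turns on: whether a keyfile carries a trailing newline (the cause of the first failure), and which bytes keyfile-offset / keyfile-size select from a file like "aaaapaaaa". The slice is done with dd so you can check what the key material would be before touching any LUKS device; the file name and contents are constructed for the example.

```shell
#!/bin/sh
# Added example: inspect a keyfile the way the thread does with od, and
# simulate keyfile-offset / keyfile-size selection with dd.
# No LUKS device is touched; everything lives in a temp dir (assumption).
set -eu

# Write a keyfile with exactly the given bytes and no trailing newline.
# (echo without -n, or an editor such as nano, would append 0x0a.)
make_keyfile() {
    printf '%s' "$2" > "$1"
}

# Print the bytes that --keyfile-offset=$2 --keyfile-size=$3 would select:
# skip $2 bytes, then read $3 bytes, one byte per block.
keyfile_slice() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# Print "newline" if the last byte of the file is 0x0a, else "clean".
trailing_newline() {
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$last" = "0a" ]; then
        echo newline
    else
        echo clean
    fi
}

# Hex dump in the same form as the od output quoted in the thread.
dump() {
    od -t x1 "$1"
}

TMP=$(mktemp -d)

# Constructed sample files: the broken one (from echo) and the good one (from printf).
echo p > "$TMP/bad.key"
make_keyfile "$TMP/six.key" "aaaapaaaa"

dump "$TMP/bad.key"                 # shows 70 0a: the stray newline
trailing_newline "$TMP/bad.key"     # newline
trailing_newline "$TMP/six.key"     # clean

# Byte index 4 (zero-based) of "aaaapaaaa" is the single "p".
keyfile_slice "$TMP/six.key" 4 1; echo   # p
```

The equivalent manual invocation, which reads the same byte without relying on crypttab auto discovery, is `cryptsetup open --key-file /etc/cryptsetup-keys.d/six.key --keyfile-offset 4 --keyfile-size 1 /dev/sda6 six`; comparing its behaviour against the dd slice above is a quick way to confirm that an offset/size pair selects the bytes you expect before committing it to crypttab.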