From: Milan Broz <asi@seznam.cz>
To: Louis <spalax@gresille.org>
Cc: dm-crypt <dm-crypt@saout.de>, gebser@mousecar.com
Subject: Re: [dm-crypt] Option "validate passphrase" for command cryptsetup
Date: Wed, 20 Jun 2012 10:27:31 +0200 [thread overview]
Message-ID: <4FE18973.5080804@seznam.cz> (raw)
In-Reply-To: <4FE17EB7.2090708@gresille.org>
On 06/20/2012 09:41 AM, Louis wrote:
>> Will this program work on just the LUKS header? Or does it work only on
>> the entire mount point (with all the data therein included)?.
> I have no idea.
Hmmmm. Well, for you and others:
crypt_init(device)
- check provide devices exists. It is physical device (disk),
no mount point of activation name required.
It can be even file with full LUKS header backup.
crypt_load(cd, NULL, NULL, ...)
- load LUKS header (you should use explicitly
CRYPT_LUKS1 here to be sure that it is LUKS)
crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT, ...)
- tries to activate device with NULL name
this means that device will not be activated and check for device
existence is skipped.
btw we have API docs online
http://wiki.cryptsetup.googlecode.com/git/API/index.html
http://wiki.cryptsetup.googlecode.com/git/API/libcryptsetup_8h.html
If you see my change in cryptsetup, "luksOpen --test-passphrase" will
work even for provided keyfile and for directly provided master key
(--master-key-file). It will simple check if these are correct without
activation of device.
The only disadvantage is that you have to provide some fake device
name in luksOpen command (it will be ignored, only disk parameter is used).
>> Is there a delay of some seconds required between invocations?
No.
> Well, on my computer, it takes more than one second to run, which may
> seem long for a simple verification of a passphrase. But I think it is
> simply the time taken by the API to check the passphrase on my very old
> computer. There is no such delay in my code to prevent brute force
> attack, nor (if I am not wrong) in the functions of the Cryptsetup API I
> am using.
No, it is by design. You can run it even in parallel, but your CPU power
is limited. See FAQ and LUKS design doc for more info about iteration count.
Milan
prev parent reply other threads:[~2012-06-20 8:39 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-19 10:53 [dm-crypt] Option "validate passphrase" for command cryptsetup Louis
2012-06-19 11:26 ` Milan Broz
2012-06-19 12:29 ` Arno Wagner
2012-06-19 13:41 ` Milan Broz
2012-06-19 13:54 ` Thomas Bächler
2012-06-19 14:17 ` Milan Broz
2012-06-19 14:56 ` Matthias Schniedermeyer
2012-06-19 16:20 ` ken
2012-06-19 22:02 ` Heinz Diehl
2012-06-19 15:04 ` jonas
2012-06-19 16:14 ` Milan Broz
2012-06-19 16:46 ` Jonas Meurer
2012-06-20 1:13 ` Arno Wagner
2012-06-19 16:56 ` ken
2012-06-20 7:41 ` Louis
2012-06-20 8:27 ` Milan Broz [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FE18973.5080804@seznam.cz \
--to=asi@seznam.cz \
--cc=dm-crypt@saout.de \
--cc=gebser@mousecar.com \
--cc=spalax@gresille.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.