* [dm-crypt] How can I write a passphrase hash to key file for plain dm-crypt ?
@ 2014-11-07 16:34 John Lane
2014-11-07 18:56 ` Arno Wagner
0 siblings, 1 reply; 4+ messages in thread
From: John Lane @ 2014-11-07 16:34 UTC (permalink / raw)
To: dm-crypt
I'm trying to use plain dm-crypt. I have an example like this

$ cryptsetup open /dev/sda mydisk --type plain --hash sha512

that works fine. I enter 'password' as the pass phrase when requested.

I want to create an equivalent key-file so that I can do

$ cryptsetup open /dev/sda mydisk --type plain --key-file mykey

I couldn't find a cryptsetup command to do this, so I tried these:

$ openssl dgst -sha512 -binary <<< 'password' > mykey
also
$ sha512sum <<< 'my_passphrase' | head -c 128 > mykey

without success.

As I understand it, the key file contains a binary key that is used
as-is, so I would have thought the first try above would have worked. I
even used xxd to check that mykey contained the hash in binary data.

How can I make a key-file that is equivalent to a keyed-in passphrase?

Thanks in advance.

* Re: [dm-crypt] How can I write a passphrase hash to key file for plain dm-crypt ?
2014-11-07 16:34 [dm-crypt] How can I write a passphrase hash to key file for plain dm-crypt ? John Lane
@ 2014-11-07 18:56 ` Arno Wagner
2014-11-07 20:47 ` John Lane
0 siblings, 1 reply; 4+ messages in thread
From: Arno Wagner @ 2014-11-07 18:56 UTC (permalink / raw)
To: dm-crypt

Hi John,

the cryptsetup man-page has additional information about the
different ways a passphrase can be passed to it and what the
conventions are in section "NOTES ON PASSPHRASE PROCESSING
FOR PLAIN MODE". That should get you started.

If you want to generate a key that is the same as generated
by a specific passphrase, the easiest way is probably to
map the container with the passphrase and then extract the
key from dm-crypt. I am not sure this works, but if it does,
FAQ Item 6.10 has the information. dm-crypt just gets a
cipher and a key and does not know whether that key is a
LUKS master key or a plain key.

Your example may fail because of differences in padding,
for example. Also note that

sha512sum <<< 'my_passphrase' | head -c 128 > mykey

produces an ASCII representation of the hash truncated to
128 characters, while you probably want a binary representation
that is 128 bit long.

Arno

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier

* Re: [dm-crypt] How can I write a passphrase hash to key file for plain dm-crypt ?
2014-11-07 18:56 ` Arno Wagner
@ 2014-11-07 20:47 ` John Lane
2014-11-08 1:16 ` Arno Wagner
0 siblings, 1 reply; 4+ messages in thread
From: John Lane @ 2014-11-07 20:47 UTC (permalink / raw)
To: dm-crypt

Thanks Arno, your pointer helped me resolve my problem, which was due to
a newline being appended by '<<<'.

I successfully created a key file with

$ echo -n 'password' | openssl dgst -sha512 -binary > keyfile

What really helped was your suggestion to view the key from dm-crypt,
which I did like this

$ dmsetup table --target crypt --showkey /dev/mapper/mydisk

That showed me what the SHA1 was and, once I knew that, I could compare
what I was generating with it and quickly realised the difference was
probably a terminating end-of-line character.

Many thanks to you.

John

On 07/11/14 18:56, Arno Wagner wrote:
> Hi John,
>
> the cryptsetup man-page has additional information about the
> different ways a passphrase can be passed to it and what the
> conventions are in section "NOTES ON PASSPHRASE PROCESSING
> FOR PLAIN MODE". That should get you started.

I had read that, specifically the part "From a Key File" which is why I
believed I needed a binary key.

> If you want to generate a key that is the same as generated
> by a specific passphrase, the easiest way is probably to
> map the container with the passphrase and then extract the
> key from dm-crypt. I am not sure this works, but if it does,
> FAQ Item 6.10 has the information. dm-crypt just gets a
> cipher and a key and does not know whether that key is a
> LUKS master key or a plain key.
>
> Your example may fail because of differences in padding,
> for example. Also note that
>
> sha512sum <<< 'my_passphrase' | head -c 128 > mykey
>
> produces an ASCII representation of the hash truncated to
> 128 characters, while you probably want a binary representation
> that is 128 bit long.

Yes, I was aware of that but just tried it in case I was wrong about it
being a binary key. My other attempt (the openssl one) produces a binary
key but didn't work for me. I now know that was due to the here-string
<<< appending a newline.
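
The comparison described in the message above, as an added example that is not from the thread participants: it takes a crypt table line as printed by `dmsetup table --showkey` and reports whether hashing the passphrase with or without a trailing newline reproduces the mapped key. The function names, the sample table line (cipher, sizes, device) and the 256-bit default key size are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find out why a passphrase hash does not match the key
# that `dmsetup table --showkey` reports for a plain dm-crypt mapping.

# Hex SHA-512 of stdin, cut to the key size in bytes (default 32 = 256 bits,
# an assumption for this example; pass the size your mapping uses).
key_hex_from_stdin() {
    sha512sum | cut -c1-$(( ${1:-32} * 2 ))
}

# Passphrase hashed as typed at the prompt: no trailing newline.
typed_key_hex() { printf '%s' "$1" | key_hex_from_stdin "$2"; }

# Passphrase as a here-string (<<<) delivers it: with "\n" appended.
herestring_key_hex() { printf '%s\n' "$1" | key_hex_from_stdin "$2"; }

# Extract the key field from a crypt table line:
#   <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>
table_key_hex() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF - 1; i++)
                   if ($i == "crypt") { print $(i + 2); exit } }'
}

# usage: diagnose <table line> <passphrase>
# Prints match, trailing-newline or mismatch.
diagnose() {
    want=$(table_key_hex "$1")
    bytes=$(( ${#want} / 2 ))          # key size taken from the table itself
    if [ "$(typed_key_hex "$2" "$bytes")" = "$want" ]; then
        echo match
    elif [ "$(herestring_key_hex "$2" "$bytes")" = "$want" ]; then
        echo trailing-newline
    else
        echo mismatch
    fi
}

# Constructed sample: table line for a mapping opened with 'password'
# and --hash sha512 (cipher, length and device are made up).
SAMPLE_TABLE='0 2097152 crypt aes-cbc-essiv:sha256 b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb9 0 8:0 0'

diagnose "$SAMPLE_TABLE" 'password'
```

The table line contains the raw volume key, so capture it only on a trusted terminal and do not leave it in shell history or logs.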

* Re: [dm-crypt] How can I write a passphrase hash to key file for plain dm-crypt ?
2014-11-07 20:47 ` John Lane
@ 2014-11-08 1:16 ` Arno Wagner
0 siblings, 0 replies; 4+ messages in thread
From: Arno Wagner @ 2014-11-08 1:16 UTC (permalink / raw)
To: dm-crypt

You are welcome.

Arno