Unlock a Veracrypt/Truecrypt partition which uses a keyfile with a passphrase from /etc/crypttab

Unlock a Veracrypt/Truecrypt partition which uses a keyfile with a passphrase from /etc/crypttab

[Kent Larsson]

Hi! I have a Veracrypt (/Truecrypt) volume, which I can successfully
unlock manually by providing a key file and passphrase:

    # cryptsetup --type tcrypt --key-file /.keyfile open /dev/nvme0n1p5 shared
    Enter passphrase for /dev/nvme0n1p5:

Only root has `rw` on the key file, a binary file of 64 bytes.

    # ls -l /.keyfile
    -rw------- 1 root root 64 aug 21 08:09 /.keyfile
    # file /.keyfile
    /.keyfile: data
    # du -b /.keyfile
    64 /.keyfile

Is there a way to unlock a Veracrypt (/Truecrypt, `/dev/nvme0n1p5` in
my case) partition that uses a key file with a password in
`/etc/crypttab`?

I have tried constructing a file with the structure
`{passphrase}{newline}{key file contents}` and manually using it to
unlock as above, but I still got the passphrase question. To create
that file, I did the following:

    # echo 'mypassword' > /.keyfile_psw
    # cat /.keyfile >> /.keyfile_psw

Re: Unlock a Veracrypt/Truecrypt partition which uses a keyfile with a passphrase from /etc/crypttab

[Arno Wagner]

That sounds like a question for the Veracrypt maintainers.
/etc/crypttab is not even used by cryptestup, the topic
of this mailing list.

Regards,
Arno

On Tue, Aug 22, 2023 at 11:31:33 CEST, Kent Larsson wrote:
> Hi! I have a Veracrypt (/Truecrypt) volume, which I can successfully
> unlock manually by providing a key file and passphrase:
> 
>     # cryptsetup --type tcrypt --key-file /.keyfile open /dev/nvme0n1p5 shared
>     Enter passphrase for /dev/nvme0n1p5:
> 
> Only root has `rw` on the key file, a binary file of 64 bytes.
> 
>     # ls -l /.keyfile
>     -rw------- 1 root root 64 aug 21 08:09 /.keyfile
>     # file /.keyfile
>     /.keyfile: data
>     # du -b /.keyfile
>     64 /.keyfile
> 
> Is there a way to unlock a Veracrypt (/Truecrypt, `/dev/nvme0n1p5` in
> my case) partition that uses a key file with a password in
> `/etc/crypttab`?
> 
> I have tried constructing a file with the structure
> `{passphrase}{newline}{key file contents}` and manually using it to
> unlock as above, but I still got the passphrase question. To create
> that file, I did the following:
> 
>     # echo 'mypassword' > /.keyfile_psw
>     # cat /.keyfile >> /.keyfile_psw

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

Re: Unlock a Veracrypt/Truecrypt partition which uses a keyfile with a passphrase from /etc/crypttab

[Milan Broz]

On 8/22/23 11:31, Kent Larsson wrote:
> Hi! I have a Veracrypt (/Truecrypt) volume, which I can successfully
> unlock manually by providing a key file and passphrase:
> 
>      # cryptsetup --type tcrypt --key-file /.keyfile open /dev/nvme0n1p5 shared
>      Enter passphrase for /dev/nvme0n1p5:
> 
> Only root has `rw` on the key file, a binary file of 64 bytes.
> 
>      # ls -l /.keyfile
>      -rw------- 1 root root 64 aug 21 08:09 /.keyfile
>      # file /.keyfile
>      /.keyfile: data
>      # du -b /.keyfile
>      64 /.keyfile
> 
> Is there a way to unlock a Veracrypt (/Truecrypt, `/dev/nvme0n1p5` in
> my case) partition that uses a key file with a password in
> `/etc/crypttab`?

Crypttab should support keyfile as standard option (3rd option), see
https://www.freedesktop.org/software/systemd/man/crypttab.html

There was even dependency mechanism in systemd that mounts the device
with keyfile if not yet mounted.

(Crypttab is processed by systemd not cryptsetup itself. Ignoring
the old crypttab processing - but even there keyfile option was present.)

Milan

> 
> I have tried constructing a file with the structure
> `{passphrase}{newline}{key file contents}` and manually using it to
> unlock as above, but I still got the passphrase question. To create
> that file, I did the following:
> 
>      # echo 'mypassword' > /.keyfile_psw
>      # cat /.keyfile >> /.keyfile_psw
> 

Re: Unlock a Veracrypt/Truecrypt partition which uses a keyfile with a passphrase from /etc/crypttab

[Milan Broz]

On 8/22/23 11:37, Arno Wagner wrote:
> That sounds like a question for the Veracrypt maintainers.
> /etc/crypttab is not even used by cryptestup, the topic
> of this mailing list.

Actually, this has nothing to do with Veracrypt code, systemd crypttab
supports mounting of Veracrypt volumes through libcryptsetup.

Milan

Re: Unlock a Veracrypt/Truecrypt partition which uses a keyfile with a passphrase from /etc/crypttab

[Arno Wagner]

On Tue, Aug 22, 2023 at 12:01:37 CEST, Milan Broz wrote:
> On 8/22/23 11:37, Arno Wagner wrote:
> > That sounds like a question for the Veracrypt maintainers.
> > /etc/crypttab is not even used by cryptestup, the topic
> > of this mailing list.
> 
> Actually, this has nothing to do with Veracrypt code, systemd crypttab
> supports mounting of Veracrypt volumes through libcryptsetup.
> 
> Milan

Thanks for the correction. I would not know, I am still 
running systemd-free and have no intentions of changing that.

Arno

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

Re: Unlock a Veracrypt/Truecrypt partition which uses a keyfile with a passphrase from /etc/crypttab

[Milan Broz]

On 8/22/23 12:09, Arno Wagner wrote:
> On Tue, Aug 22, 2023 at 12:01:37 CEST, Milan Broz wrote:
>> On 8/22/23 11:37, Arno Wagner wrote:
>>> That sounds like a question for the Veracrypt maintainers.
>>> /etc/crypttab is not even used by cryptestup, the topic
>>> of this mailing list.
>>
>> Actually, this has nothing to do with Veracrypt code, systemd crypttab
>> supports mounting of Veracrypt volumes through libcryptsetup.
>>
>> Milan
> 
> Thanks for the correction. I would not know, I am still
> running systemd-free and have no intentions of changing that.

I think Debian non-systemd crypttab parsing supports tcrypt
libcryptsetup mounting options as well - I was quite surprised too :)

Milan