public inbox for cryptsetup@lists.linux.dev
From: Milan Broz <gmazyland@gmail.com>
To: cryptsetup@lists.linux.dev
Subject: Re: Can AddKey not use stdin for the new key?
Date: Fri, 25 Aug 2023 09:51:04 +0200
Message-ID: <c4fac573-49a5-4bed-a7d7-a146af05cfd8@gmail.com>
In-Reply-To: <20230824191615.GA904@tansi.org>

On 8/24/23 21:16, Arno Wagner wrote:
> Ah, luksAddKey has two key arguments and you can only read
> one from stdin. Sometimes the most obvious mistakes are
> hard to spot ;-)
> 
> You need:
> 1. The existing passphrase from --key-file or interactively
> 2. The new passphrase from positional argument or interactively

Yes, the terminal input is tricky because it supports
all compatible options since cryptsetup 1.x :)
(If you check the tests in the source code, you will see various tricky options
we run in CI.)

For the second item there is also the --new-keyfile option.

Initially, I thought you just need

cryptsetup luksAddKey <dev> --key-file /key [-q]

- that will ask for the new passphrase only.

You can also send both passphrases from a pipe
(but note, this cannot be done for binary input as it relies on
processing \n - do not use "-" as keyfile spec as it switches
to binary processing!):

echo -e "$PWD1\n$PWD2" | cryptsetup luksAddKey <dev>

For LUKS2 you can also add a token that will try to read it
from the kernel keyring.

Milan
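
The non-interactive variants described in this message, written out as an added example (not part of the original post and not cryptsetup project code). The function names are hypothetical; the device and key file paths are passed in by the caller.

```sh
#!/bin/sh
# Added example: feed luksAddKey without a terminal.
# Helper names are constructed for illustration.

NL='
'

# Emit "old<newline>new<newline>" for cryptsetup's newline-delimited
# stdin mode. Refuse input that this mode would split or lose.
passphrase_stream() {
    old=$1 new=$2
    for p in "$old" "$new"; do
        [ -n "$p" ] || { echo "empty passphrase" >&2; return 1; }
        case $p in
            *"$NL"*)
                echo "passphrase contains a newline; use key files" >&2
                return 1 ;;
        esac
    done
    # printf '%s' copies the bytes verbatim; echo -e would expand a
    # literal backslash sequence such as \t or \n inside a passphrase.
    printf '%s\n%s\n' "$old" "$new"
}

# Both passphrases from a pipe. No "-" keyfile spec is given, so
# stdin is processed line by line as the message describes.
add_key_from_pipe() {
    dev=$1
    stream=$(passphrase_stream "$2" "$3") || return 1
    printf '%s\n' "$stream" | cryptsetup luksAddKey "$dev"
}

# Binary or newline-containing keys: pass both as files, using the
# --key-file and --new-keyfile options named in the message.
add_key_from_files() {
    cryptsetup luksAddKey "$1" --key-file "$2" --new-keyfile "$3"
}
```
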
