From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Can't add a new key, "No key available with this passphrase".
Date: Fri, 3 Sep 2010 20:46:03 +0200
Message-ID: <20100903184603.GA12405@tansi.org>
In-Reply-To: <20100903181646.GB11768@tansi.org>

Added an FAQ item about this.

Arno

On Fri, Sep 03, 2010 at 08:16:46PM +0200, Arno Wagner wrote:
> It is relatively obvious that it asks for an existing passphrase
> if you think about it. After all, if you could just add a new one,
> that would be a way to break the encryption.
>
> Arno
>
>
> On Fri, Sep 03, 2010 at 11:36:55AM -0400, PsiStormYamato wrote:
> > Ok, I see what the problem is. Thanks.
> >
> > I think it would be good if the terminal response messages were a
> > little more clear on exactly what's going on.
> >
> > #1
> > Apparently, using the option --key-file after specifying the device
> > makes cryptsetup think that "--key-file" is the name of the file, which
> > causes the error "No key available with this passphrase." I think it
> > would be good to make an exception for that.
> >
> > root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
> > --key-file /etc/cryptkeys/swap.key
> > No key available with this passphrase.
> >
> > #2
> > When I tried it without the --key-file option, it appeared to me that
> > the keyfile was again not being read correctly, and that I was being
> > asked to manually enter a new passphrase.
> >
> > root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot
> > 1 /dev/sda5 /etc/cryptkeys/swap.key
> > Enter any passphrase:
> > No key available with this passphrase.
> >
> > #3
> > When I tried to enter a new password manually, I was greeted with the
> > same error, so I was under the impression that I was running into the
> > same problem as before.
> >
> > root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
> > Enter any passphrase:
> > No key available with this passphrase.
> >
> > After trying #2 again, this time entering an existing passphrase, it
> > worked. Thanks.
> >
> >
> > On Fri, 2010-09-03 at 09:30 +0200, Arno Wagner wrote:
> >
> > > I think you are using the wrong passphrase. You have to give
> > > the passphrase of an existing used key-slot to add a new
> > > one. Otherwise there would be a rather obvious attack ...
> > >
> > > It should ask you for the passphrase for the new slot after that.
> > >
> > > Arno
> > >
> > > On Fri, Sep 03, 2010 at 12:24:46AM -0400, PsiStormYamato wrote:
> > > > I'm trying to add a keyfile that I created to a new keyslot for my
> > > > encrypted swap partition, but I keep getting the error "No key
> > > > available with this passphrase". I've never done this before, so I
> > > > might be missing something simple, but I can't get it to work by
> > > > manually entering a passphrase either.
> > > >
> > > > Is there something else that has to be done to "enable" a keyslot
> > > > before a key can be added to it? That's the only other thing that I can
> > > > think of.
> > > >
> > > >
> > > > # Tried with keyfile.
> > > > root@ubuntu:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
> > > > -d /media/Ubuntu_10_04/etc/cryptkeys/swap.key
> > > >
> > > > No key available with this passphrase.
> > > >
> > > >
> > > > # Tried with manual passphrase.
> > > >
> > > > root@subuntu:/etc/cryptkeys# cryptsetup luksAddKey --key-slot
> > > > 1 /dev/sda5
> > > >
> > > > Enter any passphrase:
> > > > No key available with this passphrase.
> > > >
> > > >
> > > > # luksDump
> > > > root@ubuntu:/etc/cryptkeys# cryptsetup luksDump /dev/sda5
> > > > LUKS header information for /dev/sda5
> > > >
> > > > Version: 1
> > > > Cipher name: aes
> > > > Cipher mode: cbc-essiv:sha256
> > > > Hash spec: sha1
> > > > Payload offset: 2056
> > > > MK bits: 256
> > > > MK digest: 25 a3 74 7e 25 fd a4 a6 18 b7 a7 63 da 95 68 26 6c da 55 4c
> > > > MK salt: df 87 4a c3 0d 93 5a a9 3a 49 71 33 d4 4a ba bc
> > > > ca b7 ef d6 cd 89 41 16 6c eb 61 5d 2a 73 2b a5
> > > > MK iterations: 10
> > > > UUID: bb827496-8fe5-4c55-9b76-1373d850c548
> > > >
> > > > Key Slot 0: ENABLED
> > > > Iterations: 173012
> > > > Salt: 74 03 b2 a6 3c 36 95 28 bb 7f 1b e3 fc ec 84 14
> > > > 6f ee 17 fc 63 7a 33 53 60 5e 43 9f 8a dd 1a 18
> > > > Key material offset: 8
> > > > AF stripes: 4000
> > > > Key Slot 1: DISABLED
> > > > Key Slot 2: DISABLED
> > > > Key Slot 3: DISABLED
> > > > Key Slot 4: DISABLED
> > > > Key Slot 5: DISABLED
> > > > Key Slot 6: DISABLED
> > > > Key Slot 7: DISABLED
> > > >
> > >
> > > > _______________________________________________
> > > > dm-crypt mailing list
> > > > dm-crypt@saout.de
> > > > http://www.saout.de/mailman/listinfo/dm-crypt
> > >
> > >
> >
> >
>
>
>
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
> GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
> ----
> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
>
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
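
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not cryptsetup's code: a toy Python model of a LUKS1-style header in which adding a key slot first has to recover the master key with an existing passphrase. The class `ToyLuksHeader`, its methods and the sample secrets are hypothetical, and XOR with a PBKDF2 output stands in for the real cipher and anti-forensic splitter.

```python
import hashlib, hmac, os

MK_LEN, DIGEST_LEN = 32, 20   # "MK bits: 256" and the 20-byte MK digest in the luksDump

def kdf(secret, salt, iters, length):
    return hashlib.pbkdf2_hmac("sha1", secret, salt, iters, length)  # "Hash spec: sha1"

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToyLuksHeader:
    """Hypothetical model; XOR wrapping stands in for LUKS1's cipher and AF splitter."""
    def __init__(self, first_passphrase, mk_iters=10, slot_iters=1000):
        self.mk_iters, self.slot_iters = mk_iters, slot_iters
        master_key = os.urandom(MK_LEN)
        self.mk_salt = os.urandom(32)
        self.mk_digest = kdf(master_key, self.mk_salt, mk_iters, DIGEST_LEN)
        self.slots = [None] * 8                    # None means DISABLED
        self._wrap(0, master_key, first_passphrase)

    def _wrap(self, index, master_key, passphrase):
        salt = os.urandom(32)
        pad = kdf(passphrase, salt, self.slot_iters, MK_LEN)
        self.slots[index] = (salt, xor(master_key, pad))

    def unlock(self, passphrase):
        # Try every enabled slot; accept a candidate only if it matches the MK digest.
        for salt, wrapped in filter(None, self.slots):
            candidate = xor(wrapped, kdf(passphrase, salt, self.slot_iters, MK_LEN))
            digest = kdf(candidate, self.mk_salt, self.mk_iters, DIGEST_LEN)
            if hmac.compare_digest(digest, self.mk_digest):
                return candidate
        raise PermissionError("No key available with this passphrase.")

    def add_key(self, existing_passphrase, new_passphrase, index):
        if self.slots[index] is not None:
            raise ValueError("key slot %d is already enabled" % index)
        master_key = self.unlock(existing_passphrase)  # fails without a valid old key
        self._wrap(index, master_key, new_passphrase)

def demo():
    old, keyfile = b"existing passphrase", b"constructed key file bytes"  # sample values
    hdr, error = ToyLuksHeader(old), None
    try:
        hdr.add_key(keyfile, keyfile, 1)           # new key offered as the unlock secret
    except PermissionError as exc:
        error = str(exc)
    hdr.add_key(old, keyfile, 1)                   # existing passphrase first, then new key
    enabled = [i for i, s in enumerate(hdr.slots) if s is not None]
    return error, enabled, hdr.unlock(keyfile) == hdr.unlock(old)
```

The first `add_key` call in `demo()` fails with the same message the thread reports, because the not-yet-enrolled key file is being tested against slot 0; the second call succeeds and both secrets then recover the same master key.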