[dm-crypt] Can't add a new key, "No key available with this passphrase".

[dm-crypt] Can't add a new key, "No key available with this passphrase".

[PsiStormYamato]

[-- Attachment #1: Type: text/plain, Size: 1710 bytes --]

I'm trying to add a keyfile that I created to a new keyslot for my
encrypted swap partition, but I keep getting the error "No key
available with this passphrase". I've never done this before, so I
might be missing something simple, but I can't get it to work by
manually entering a passphase either.

Is there something else that has to be done to "enable" a keyslot
before a key can be added to it? That's the only other thing that I can
think of.


# Tried with keyfile.
root@ubuntu:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
-d /media/Ubuntu_10_04/etc/cryptkeys/swap.key 

No key available with this passphrase.


# Tried with manual passphrase.

root@subuntu:/etc/cryptkeys# cryptsetup luksAddKey --key-slot
1 /dev/sda5

Enter any passphrase: 
No key available with this passphrase.


# luksDump
root@ubuntu:/etc/cryptkeys# cryptsetup luksDump /dev/sda5
LUKS header information for /dev/sda5

Version:       	1
Cipher name:   	aes
Cipher mode:   	cbc-essiv:sha256
Hash spec:     	sha1
Payload offset:	2056
MK bits:       	256
MK digest:     	25 a3 74 7e 25 fd a4 a6 18 b7 a7 63 da 95 68 26 6c da 55 4c 
MK salt:       	df 87 4a c3 0d 93 5a a9 3a 49 71 33 d4 4a ba bc 
               	ca b7 ef d6 cd 89 41 16 6c eb 61 5d 2a 73 2b a5 
MK iterations: 	10
UUID:          	bb827496-8fe5-4c55-9b76-1373d850c548

Key Slot 0: ENABLED
	Iterations:         	173012
	Salt:               	74 03 b2 a6 3c 36 95 28 bb 7f 1b e3 fc ec 84 14 
	                      	6f ee 17 fc 63 7a 33 53 60 5e 43 9f 8a dd 1a 18 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED


[-- Attachment #2: Type: text/html, Size: 2579 bytes --]

Re: [dm-crypt] Can't add a new key, "No key available with this passphrase".

[Arno Wagner]

I think you are using the wrong passphrase. You have to give
the passphrase of an existing used key-slot to add a new
one. Otherwise there would be a rather obvious attack ...

It should ask you for the passphrase for the new slot after that.

Arno

On Fri, Sep 03, 2010 at 12:24:46AM -0400, PsiStormYamato wrote:
> I'm trying to add a keyfile that I created to a new keyslot for my
> encrypted swap partition, but I keep getting the error "No key
> available with this passphrase". I've never done this before, so I
> might be missing something simple, but I can't get it to work by
> manually entering a passphase either.
> 
> Is there something else that has to be done to "enable" a keyslot
> before a key can be added to it? That's the only other thing that I can
> think of.
> 
> 
> # Tried with keyfile.
> root@ubuntu:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
> -d /media/Ubuntu_10_04/etc/cryptkeys/swap.key 
> 
> No key available with this passphrase.
> 
> 
> # Tried with manual passphrase.
> 
> root@subuntu:/etc/cryptkeys# cryptsetup luksAddKey --key-slot
> 1 /dev/sda5
> 
> Enter any passphrase: 
> No key available with this passphrase.
> 
> 
> # luksDump
> root@ubuntu:/etc/cryptkeys# cryptsetup luksDump /dev/sda5
> LUKS header information for /dev/sda5
> 
> Version:       	1
> Cipher name:   	aes
> Cipher mode:   	cbc-essiv:sha256
> Hash spec:     	sha1
> Payload offset:	2056
> MK bits:       	256
> MK digest:     	25 a3 74 7e 25 fd a4 a6 18 b7 a7 63 da 95 68 26 6c da 55 4c 
> MK salt:       	df 87 4a c3 0d 93 5a a9 3a 49 71 33 d4 4a ba bc 
>                	ca b7 ef d6 cd 89 41 16 6c eb 61 5d 2a 73 2b a5 
> MK iterations: 	10
> UUID:          	bb827496-8fe5-4c55-9b76-1373d850c548
> 
> Key Slot 0: ENABLED
> 	Iterations:         	173012
> 	Salt:               	74 03 b2 a6 3c 36 95 28 bb 7f 1b e3 fc ec 84 14 
> 	                      	6f ee 17 fc 63 7a 33 53 60 5e 43 9f 8a dd 1a 18 
> 	Key material offset:	8
> 	AF stripes:            	4000
> Key Slot 1: DISABLED
> Key Slot 2: DISABLED
> Key Slot 3: DISABLED
> Key Slot 4: DISABLED
> Key Slot 5: DISABLED
> Key Slot 6: DISABLED
> Key Slot 7: DISABLED
> 

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] Can't add a new key, "No key available with this passphrase".

[PsiStormYamato]

[-- Attachment #1: Type: text/plain, Size: 3771 bytes --]

Ok, I see what the problem is. Thanks.

I think it would be good if the terminal response messages were a
little more clear on exactly what's going on.

#1
Apparently, using the option --key-file after specifying the device
makes cryptsetup think that "--key-file" is the name of the file, which
causes the error "No key available with this passphrase." I think it
would be good to make an exception for that.

root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
--key-file /etc/cryptkeys/swap.key
No key available with this passphrase.

#2
When I tried it without the --key-file option, it appeared to me that
the keyfile was again not being read correctly, and that I was being
asked to
manually enter a new passphrase.

root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot
1 /dev/sda5 /etc/cryptkeys/swap.key 
Enter any passphrase: 
No key available with this passphrase.

# 3
When I tried to enter a new password manually, I was greeted with the
same error, so I was under the impression that I was running into the
same problem as before.

root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
Enter any passphrase: 
No key available with this passphrase.

After trying #2 again, this time entering an existing passphrase, it
worked. Thanks.


On Fri, 2010-09-03 at 09:30 +0200, Arno Wagner wrote:

> I think you are using the wrong passphrase. You have to give
> the passphrase of an existing used key-slot to add a new
> one. Otherwise there would be a rather obvious attack ...
> 
> It should ask you for the passphrase for the new slot after that.
> 
> Arno
> 
> On Fri, Sep 03, 2010 at 12:24:46AM -0400, PsiStormYamato wrote:
> > I'm trying to add a keyfile that I created to a new keyslot for my
> > encrypted swap partition, but I keep getting the error "No key
> > available with this passphrase". I've never done this before, so I
> > might be missing something simple, but I can't get it to work by
> > manually entering a passphase either.
> > 
> > Is there something else that has to be done to "enable" a keyslot
> > before a key can be added to it? That's the only other thing that I can
> > think of.
> > 
> > 
> > # Tried with keyfile.
> > root@ubuntu:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
> > -d /media/Ubuntu_10_04/etc/cryptkeys/swap.key 
> > 
> > No key available with this passphrase.
> > 
> > 
> > # Tried with manual passphrase.
> > 
> > root@subuntu:/etc/cryptkeys# cryptsetup luksAddKey --key-slot
> > 1 /dev/sda5
> > 
> > Enter any passphrase: 
> > No key available with this passphrase.
> > 
> > 
> > # luksDump
> > root@ubuntu:/etc/cryptkeys# cryptsetup luksDump /dev/sda5
> > LUKS header information for /dev/sda5
> > 
> > Version:       	1
> > Cipher name:   	aes
> > Cipher mode:   	cbc-essiv:sha256
> > Hash spec:     	sha1
> > Payload offset:	2056
> > MK bits:       	256
> > MK digest:     	25 a3 74 7e 25 fd a4 a6 18 b7 a7 63 da 95 68 26 6c da 55 4c 
> > MK salt:       	df 87 4a c3 0d 93 5a a9 3a 49 71 33 d4 4a ba bc 
> >                	ca b7 ef d6 cd 89 41 16 6c eb 61 5d 2a 73 2b a5 
> > MK iterations: 	10
> > UUID:          	bb827496-8fe5-4c55-9b76-1373d850c548
> > 
> > Key Slot 0: ENABLED
> > 	Iterations:         	173012
> > 	Salt:               	74 03 b2 a6 3c 36 95 28 bb 7f 1b e3 fc ec 84 14 
> > 	                      	6f ee 17 fc 63 7a 33 53 60 5e 43 9f 8a dd 1a 18 
> > 	Key material offset:	8
> > 	AF stripes:            	4000
> > Key Slot 1: DISABLED
> > Key Slot 2: DISABLED
> > Key Slot 3: DISABLED
> > Key Slot 4: DISABLED
> > Key Slot 5: DISABLED
> > Key Slot 6: DISABLED
> > Key Slot 7: DISABLED
> > 
> 
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> 
> 



[-- Attachment #2: Type: text/html, Size: 4368 bytes --]

Re: [dm-crypt] Can't add a new key, "No key available with this passphrase".

[Arno Wagner]

It is relatively obvious that it asks for an existing passphrase
if you think about it. After all, if you could just add a new one,
that would be a way to break the encryption.

Arno


On Fri, Sep 03, 2010 at 11:36:55AM -0400, PsiStormYamato wrote:
> Ok, I see what the problem is. Thanks.
> 
> I think it would be good if the terminal response messages were a
> little more clear on exactly what's going on.
> 
> #1
> Apparently, using the option --key-file after specifying the device
> makes cryptsetup think that "--key-file" is the name of the file, which
> causes the error "No key available with this passphrase." I think it
> would be good to make an exception for that.
> 
> root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
> --key-file /etc/cryptkeys/swap.key
> No key available with this passphrase.
> 
> #2
> When I tried it without the --key-file option, it appeared to me that
> the keyfile was again not being read correctly, and that I was being
> asked to
> manually enter a new passphrase.
> 
> root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot
> 1 /dev/sda5 /etc/cryptkeys/swap.key 
> Enter any passphrase: 
> No key available with this passphrase.
> 
> # 3
> When I tried to enter a new password manually, I was greeted with the
> same error, so I was under the impression that I was running into the
> same problem as before.
> 
> root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
> Enter any passphrase: 
> No key available with this passphrase.
> 
> After trying #2 again, this time entering an existing passphrase, it
> worked. Thanks.
> 
> 
> On Fri, 2010-09-03 at 09:30 +0200, Arno Wagner wrote:
> 
> > I think you are using the wrong passphrase. You have to give
> > the passphrase of an existing used key-slot to add a new
> > one. Otherwise there would be a rather obvious attack ...
> > 
> > It should ask you for the passphrase for the new slot after that.
> > 
> > Arno
> > 
> > On Fri, Sep 03, 2010 at 12:24:46AM -0400, PsiStormYamato wrote:
> > > I'm trying to add a keyfile that I created to a new keyslot for my
> > > encrypted swap partition, but I keep getting the error "No key
> > > available with this passphrase". I've never done this before, so I
> > > might be missing something simple, but I can't get it to work by
> > > manually entering a passphase either.
> > > 
> > > Is there something else that has to be done to "enable" a keyslot
> > > before a key can be added to it? That's the only other thing that I can
> > > think of.
> > > 
> > > 
> > > # Tried with keyfile.
> > > root@ubuntu:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
> > > -d /media/Ubuntu_10_04/etc/cryptkeys/swap.key 
> > > 
> > > No key available with this passphrase.
> > > 
> > > 
> > > # Tried with manual passphrase.
> > > 
> > > root@subuntu:/etc/cryptkeys# cryptsetup luksAddKey --key-slot
> > > 1 /dev/sda5
> > > 
> > > Enter any passphrase: 
> > > No key available with this passphrase.
> > > 
> > > 
> > > # luksDump
> > > root@ubuntu:/etc/cryptkeys# cryptsetup luksDump /dev/sda5
> > > LUKS header information for /dev/sda5
> > > 
> > > Version:       	1
> > > Cipher name:   	aes
> > > Cipher mode:   	cbc-essiv:sha256
> > > Hash spec:     	sha1
> > > Payload offset:	2056
> > > MK bits:       	256
> > > MK digest:     	25 a3 74 7e 25 fd a4 a6 18 b7 a7 63 da 95 68 26 6c da 55 4c 
> > > MK salt:       	df 87 4a c3 0d 93 5a a9 3a 49 71 33 d4 4a ba bc 
> > >                	ca b7 ef d6 cd 89 41 16 6c eb 61 5d 2a 73 2b a5 
> > > MK iterations: 	10
> > > UUID:          	bb827496-8fe5-4c55-9b76-1373d850c548
> > > 
> > > Key Slot 0: ENABLED
> > > 	Iterations:         	173012
> > > 	Salt:               	74 03 b2 a6 3c 36 95 28 bb 7f 1b e3 fc ec 84 14 
> > > 	                      	6f ee 17 fc 63 7a 33 53 60 5e 43 9f 8a dd 1a 18 
> > > 	Key material offset:	8
> > > 	AF stripes:            	4000
> > > Key Slot 1: DISABLED
> > > Key Slot 2: DISABLED
> > > Key Slot 3: DISABLED
> > > Key Slot 4: DISABLED
> > > Key Slot 5: DISABLED
> > > Key Slot 6: DISABLED
> > > Key Slot 7: DISABLED
> > > 
> > 
> > > _______________________________________________
> > > dm-crypt mailing list
> > > dm-crypt@saout.de
> > > http://www.saout.de/mailman/listinfo/dm-crypt
> > 
> > 
> 
> 

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] Can't add a new key, "No key available with this passphrase".

[Arno Wagner]

Added an FAQ item about this.

Arno

On Fri, Sep 03, 2010 at 08:16:46PM +0200, Arno Wagner wrote:
> It is relatively obvious that it asks for an existing passphrase
> if you think about it. After all, if you could just add a new one,
> that would be a way to break the encryption.
> 
> Arno
> 
> 
> On Fri, Sep 03, 2010 at 11:36:55AM -0400, PsiStormYamato wrote:
> > Ok, I see what the problem is. Thanks.
> > 
> > I think it would be good if the terminal response messages were a
> > little more clear on exactly what's going on.
> > 
> > #1
> > Apparently, using the option --key-file after specifying the device
> > makes cryptsetup think that "--key-file" is the name of the file, which
> > causes the error "No key available with this passphrase." I think it
> > would be good to make an exception for that.
> > 
> > root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
> > --key-file /etc/cryptkeys/swap.key
> > No key available with this passphrase.
> > 
> > #2
> > When I tried it without the --key-file option, it appeared to me that
> > the keyfile was again not being read correctly, and that I was being
> > asked to
> > manually enter a new passphrase.
> > 
> > root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot
> > 1 /dev/sda5 /etc/cryptkeys/swap.key 
> > Enter any passphrase: 
> > No key available with this passphrase.
> > 
> > # 3
> > When I tried to enter a new password manually, I was greeted with the
> > same error, so I was under the impression that I was running into the
> > same problem as before.
> > 
> > root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
> > Enter any passphrase: 
> > No key available with this passphrase.
> > 
> > After trying #2 again, this time entering an existing passphrase, it
> > worked. Thanks.
> > 
> > 
> > On Fri, 2010-09-03 at 09:30 +0200, Arno Wagner wrote:
> > 
> > > I think you are using the wrong passphrase. You have to give
> > > the passphrase of an existing used key-slot to add a new
> > > one. Otherwise there would be a rather obvious attack ...
> > > 
> > > It should ask you for the passphrase for the new slot after that.
> > > 
> > > Arno
> > > 
> > > On Fri, Sep 03, 2010 at 12:24:46AM -0400, PsiStormYamato wrote:
> > > > I'm trying to add a keyfile that I created to a new keyslot for my
> > > > encrypted swap partition, but I keep getting the error "No key
> > > > available with this passphrase". I've never done this before, so I
> > > > might be missing something simple, but I can't get it to work by
> > > > manually entering a passphase either.
> > > > 
> > > > Is there something else that has to be done to "enable" a keyslot
> > > > before a key can be added to it? That's the only other thing that I can
> > > > think of.
> > > > 
> > > > 
> > > > # Tried with keyfile.
> > > > root@ubuntu:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
> > > > -d /media/Ubuntu_10_04/etc/cryptkeys/swap.key 
> > > > 
> > > > No key available with this passphrase.
> > > > 
> > > > 
> > > > # Tried with manual passphrase.
> > > > 
> > > > root@subuntu:/etc/cryptkeys# cryptsetup luksAddKey --key-slot
> > > > 1 /dev/sda5
> > > > 
> > > > Enter any passphrase: 
> > > > No key available with this passphrase.
> > > > 
> > > > 
> > > > # luksDump
> > > > root@ubuntu:/etc/cryptkeys# cryptsetup luksDump /dev/sda5
> > > > LUKS header information for /dev/sda5
> > > > 
> > > > Version:       	1
> > > > Cipher name:   	aes
> > > > Cipher mode:   	cbc-essiv:sha256
> > > > Hash spec:     	sha1
> > > > Payload offset:	2056
> > > > MK bits:       	256
> > > > MK digest:     	25 a3 74 7e 25 fd a4 a6 18 b7 a7 63 da 95 68 26 6c da 55 4c 
> > > > MK salt:       	df 87 4a c3 0d 93 5a a9 3a 49 71 33 d4 4a ba bc 
> > > >                	ca b7 ef d6 cd 89 41 16 6c eb 61 5d 2a 73 2b a5 
> > > > MK iterations: 	10
> > > > UUID:          	bb827496-8fe5-4c55-9b76-1373d850c548
> > > > 
> > > > Key Slot 0: ENABLED
> > > > 	Iterations:         	173012
> > > > 	Salt:               	74 03 b2 a6 3c 36 95 28 bb 7f 1b e3 fc ec 84 14 
> > > > 	                      	6f ee 17 fc 63 7a 33 53 60 5e 43 9f 8a dd 1a 18 
> > > > 	Key material offset:	8
> > > > 	AF stripes:            	4000
> > > > Key Slot 1: DISABLED
> > > > Key Slot 2: DISABLED
> > > > Key Slot 3: DISABLED
> > > > Key Slot 4: DISABLED
> > > > Key Slot 5: DISABLED
> > > > Key Slot 6: DISABLED
> > > > Key Slot 7: DISABLED
> > > > 
> > > 
> > > > _______________________________________________
> > > > dm-crypt mailing list
> > > > dm-crypt@saout.de
> > > > http://www.saout.de/mailman/listinfo/dm-crypt
> > > 
> > > 
> > 
> > 
> 
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> 
> 
> -- 
> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
> GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
> ----
> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
> 
> If it's in the news, don't worry about it.  The very definition of 
> "news" is "something that hardly ever happens." -- Bruce Schneier 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
> 

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] Can't add a new key, "No key available with this passphrase".

[Arno Wagner]

On Fri, Sep 03, 2010 at 03:39:00PM -0400, PsiStormYamato wrote:
> The basic concept that an existing password should be required to add a
> new password is obvious "if you think about", but that doesn't mean that
> a newbie will automatically know that the first password that cryptsetup
> asks for will be for an existing password. Others may assume, as I did,
> that, if an *existing* password is needed to authenticate the the
> attempt to add a new key, clear language would be used to indicate that
> event. Otherwise, someone may make the mistake of assuming, as I did,
> that I was being asked for the new password that I wanted to enter, and
> that authentication would follow.
> 
> Anyway, my point is that a simple modification of the wording of
> cryptsetup's responses would help to prevent such a problem with future
> newbies.

I agree. 

@Milan: Do we have a wish-list process for things like this
besides asking on the list?

If so, its another thing I should add to the FAQ.


Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] Can't add a new key, "No key available with this passphrase".

[Milan Broz]

On 09/04/2010 11:12 AM, Arno Wagner wrote:
> On Fri, Sep 03, 2010 at 03:39:00PM -0400, PsiStormYamato wrote:
>> Anyway, my point is that a simple modification of the wording of
>> cryptsetup's responses would help to prevent such a problem with future
>> newbies.
> 
> I agree. 
> 
> @Milan: Do we have a wish-list process for things like this
> besides asking on the list?

Add issue to http://code.google.com/p/cryptsetup/issues/list
ideally with description what you think it should display instead.

Milan