From: PsiStormYamato
Date: Fri, 03 Sep 2010 00:24:46 -0400
Subject: [dm-crypt] Can't add a new key, "No key available with this passphrase".
To: "dm-crypt@saout.de"

I'm trying to add a keyfile that I created to a new keyslot for my
encrypted swap partition, but I keep getting the error "No key
available with this passphrase". I've never done this before, so I
might be missing something simple, but I can't get it to work by
manually entering a passphrase either.

Is there something else that has to be done to "enable" a keyslot
before a key can be added to it? That's the only other thing that I can
think of.


# Tried with keyfile.
root@ubuntu:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5 -d /media/Ubuntu_10_04/etc/cryptkeys/swap.key
No key available with this passphrase.


# Tried with manual passphrase.
root@subuntu:/etc/cryptkeys# cryptsetup luksAddKey --key-slot 1 /dev/sda5
Enter any passphrase: 
No key available with this passphrase.


# luksDump
root@ubuntu:/etc/cryptkeys# cryptsetup luksDump /dev/sda5
LUKS header information for /dev/sda5

Version:       	1
Cipher name:   	aes
Cipher mode:   	cbc-essiv:sha256
Hash spec:     	sha1
Payload offset:	2056
MK bits:       	256
MK digest:     	25 a3 74 7e 25 fd a4 a6 18 b7 a7 63 da 95 68 26 6c da 55 4c 
MK salt:       	df 87 4a c3 0d 93 5a a9 3a 49 71 33 d4 4a ba bc 
               	ca b7 ef d6 cd 89 41 16 6c eb 61 5d 2a 73 2b a5 
MK iterations: 	10
UUID:          	bb827496-8fe5-4c55-9b76-1373d850c548

Key Slot 0: ENABLED
	Iterations:         	173012
	Salt:               	74 03 b2 a6 3c 36 95 28 bb 7f 1b e3 fc ec 84 14 
	                      	6f ee 17 fc 63 7a 33 53 60 5e 43 9f 8a dd 1a 18 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

From: Arno Wagner
Date: Fri, 3 Sep 2010 09:30:39 +0200
Subject: Re: [dm-crypt] Can't add a new key, "No key available with this passphrase".
To: dm-crypt@saout.de

I think you are using the wrong passphrase. You have to give
the passphrase of an existing used key-slot to add a new
one. Otherwise there would be a rather obvious attack ...

It should ask you for the passphrase for the new slot after that.

Arno

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier

From: PsiStormYamato
Date: Fri, 03 Sep 2010 11:36:55 -0400
Subject: Re: [dm-crypt] Can't add a new key, "No key available with this passphrase".
To: "dm-crypt@saout.de"

Ok, I see what the problem is. Thanks.

I think it would be good if the terminal response messages were a
little more clear on exactly what's going on.

#1
Apparently, using the option --key-file after specifying the device
makes cryptsetup think that "--key-file" is the name of the file, which
causes the error "No key available with this passphrase." I think it
would be good to make an exception for that.

root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5 --key-file /etc/cryptkeys/swap.key
No key available with this passphrase.

#2
When I tried it without the --key-file option, it appeared to me that
the keyfile was again not being read correctly, and that I was being asked to
manually enter a new passphrase.

root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5 /etc/cryptkeys/swap.key
Enter any passphrase:
No key available with this passphrase.

# 3
When I tried to enter a new password manually, I was greeted with the
same error, so I was under the impression that I was running into the
same problem as before.

root@shadowtek-lucid:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5
Enter any passphrase:
No key available with this passphrase.

After trying #2 again, this time entering an existing passphrase, it worked. Thanks.


On Fri, 2010-09-03 at 09:30 +0200, Arno Wagner wrote:
> I think you are using the wrong passphrase. You have to give
> the passphrase of an existing used key-slot to add a new
> one. Otherwise there would be a rather obvious attack ...
>
> It should ask you for the passphrase for the new slot after that.
>
> Arno

From: Arno Wagner
Date: Fri, 3 Sep 2010 20:16:46 +0200
Subject: Re: [dm-crypt] Can't add a new key, "No key available with this passphrase".
To: dm-crypt@saout.de

It is relatively obvious that it asks for an existing passphrase
if you think about it. After all, if you could just add a new one,
that would be a way to break the encryption.

Arno

From: Arno Wagner
Date: Fri, 3 Sep 2010 20:46:03 +0200
Subject: Re: [dm-crypt] Can't add a new key, "No key available with this passphrase".
To: dm-crypt@saout.de

Added an FAQ item about this.

Arno

From: Arno Wagner
Date: Sat, 4 Sep 2010 11:12:40 +0200
Subject: Re: [dm-crypt] Can't add a new key, "No key available with this passphrase".
To: dm-crypt@saout.de

On Fri, Sep 03, 2010 at 03:39:00PM -0400, PsiStormYamato wrote:
> The basic concept that an existing password should be required to add a
> new password is obvious "if you think about", but that doesn't mean that
> a newbie will automatically know that the first password that cryptsetup
> asks for will be for an existing password. Others may assume, as I did,
> that, if an *existing* password is needed to authenticate the
> attempt to add a new key, clear language would be used to indicate that
> event. Otherwise, someone may make the mistake of assuming, as I did,
> that I was being asked for the new password that I wanted to enter, and
> that authentication would follow.
>
> Anyway, my point is that a simple modification of the wording of
> cryptsetup's responses would help to prevent such a problem with future
> newbies.

I agree.

@Milan: Do we have a wish-list process for things like this
besides asking on the list? If so, it's another thing I should
add to the FAQ.

Arno

From: Milan Broz
Date: Sun, 05 Sep 2010 11:54:07 +0200
Subject: Re: [dm-crypt] Can't add a new key, "No key available with this passphrase".
To: dm-crypt@saout.de

On 09/04/2010 11:12 AM, Arno Wagner wrote:
> On Fri, Sep 03, 2010 at 03:39:00PM -0400, PsiStormYamato wrote:
>> Anyway, my point is that a simple modification of the wording of
>> cryptsetup's responses would help to prevent such a problem with future
>> newbies.
>
> I agree.
>
> @Milan: Do we have a wish-list process for things like this
> besides asking on the list?

Add issue to http://code.google.com/p/cryptsetup/issues/list
ideally with description what you think it should display instead.

Milan
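
The rule stated in this thread (a passphrase for an already used key slot must be given before a new key can be added) follows from how the header stores the master key. The sketch below is an added example, not part of the original thread and not cryptsetup's code: a simplified Python model of a LUKS1-style header. Assumptions: the XOR wrap stands in for the real AES encryption and anti-forensic splitting, the slot iteration count is reduced, and all class, function and sample-key names are hypothetical.

```python
import hashlib
import hmac
import os

MK_BYTES = 32        # "MK bits: 256" in the luksDump from the thread
MK_DIGEST_BYTES = 20 # SHA-1 sized master-key digest
MK_ITERATIONS = 10   # "MK iterations: 10" in the luksDump
SLOT_COUNT = 8       # key slots 0..7


class NoKeyAvailable(Exception):
    """Mirrors cryptsetup's "No key available with this passphrase."."""


def _kdf(secret, salt, iterations, length):
    # PBKDF2 with the header's hash spec (sha1 in the dump).
    return hashlib.pbkdf2_hmac("sha1", secret, salt, iterations, length)


def _xor(a, b):
    # Toy stand-in for the cipher: NOT how LUKS wraps key material.
    return bytes(x ^ y for x, y in zip(a, b))


class ToyLuksHeader:
    def __init__(self, first_passphrase, slot_iterations=1000):
        self.slot_iterations = slot_iterations  # reduced for the demo
        master_key = os.urandom(MK_BYTES)
        # Only a salted digest of the master key is stored in the header,
        # so a candidate key can be checked but never read back.
        self.mk_salt = os.urandom(32)
        self.mk_digest = _kdf(master_key, self.mk_salt,
                              MK_ITERATIONS, MK_DIGEST_BYTES)
        self.slots = [None] * SLOT_COUNT        # None means DISABLED
        self._fill_slot(0, master_key, first_passphrase)

    def _fill_slot(self, index, master_key, passphrase):
        salt = os.urandom(32)
        slot_key = _kdf(passphrase, salt, self.slot_iterations, MK_BYTES)
        self.slots[index] = (salt, _xor(master_key, slot_key))

    def unlock(self, passphrase):
        """Try every ENABLED slot; return the master key on a digest match."""
        for slot in self.slots:
            if slot is None:
                continue
            salt, wrapped = slot
            slot_key = _kdf(passphrase, salt, self.slot_iterations, MK_BYTES)
            candidate = _xor(wrapped, slot_key)
            digest = _kdf(candidate, self.mk_salt,
                          MK_ITERATIONS, MK_DIGEST_BYTES)
            if hmac.compare_digest(digest, self.mk_digest):
                return candidate
        raise NoKeyAvailable("No key available with this passphrase.")

    def add_key(self, existing, new, slot_index):
        """Enable a slot: needs the master key, hence an existing passphrase."""
        if self.slots[slot_index] is not None:
            raise ValueError("key slot %d is already in use" % slot_index)
        master_key = self.unlock(existing)      # fails without a valid key
        self._fill_slot(slot_index, master_key, new)

    def enabled_slots(self):
        return [i for i, s in enumerate(self.slots) if s is not None]


def demo():
    header = ToyLuksHeader(b"original passphrase")
    keyfile = b"constructed sample contents of swap.key"
    # What happened in the thread: the new key was given at the first prompt.
    try:
        header.add_key(existing=keyfile, new=keyfile, slot_index=1)
        first_attempt = "added"
    except NoKeyAvailable as exc:
        first_attempt = str(exc)
    # Correct order: existing passphrase first, then the new key.
    header.add_key(existing=b"original passphrase", new=keyfile, slot_index=1)
    same_master_key = (header.unlock(keyfile)
                       == header.unlock(b"original passphrase"))
    return first_attempt, header.enabled_slots(), same_master_key


if __name__ == "__main__":
    print(demo())
```

Both slots end up wrapping the same master key, which is why a tool that enabled a slot without first unlocking an existing one would hand the volume to anyone with write access to the header.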