From: Milan Broz <mbroz@redhat.com>
To: Vinodh Sundararajan <vsundara@sta.samsung.com>
Cc: dm-crypt@saout.de
Subject: Re: [dm-crypt] Question on cryptsetup options
Date: Tue, 16 Nov 2010 12:12:26 +0100
Message-ID: <4CE2671A.5050407@redhat.com>
In-Reply-To: <4A2DFEA767C0CB4396FF2CE75559A48805A4BD2B@mx2.telecom.sna.samsung.com>

On 11/16/2010 10:09 AM, Vinodh Sundararajan wrote:
> I am trying to use cryptsetup as part of my program to encrypt a block
> device with a randomly generated master key that I intend to encrypt
> (with user password) and store on the device. I see that I could use
> the cryptsetup option '-d' to provide the key using a file on device
> but I don't want to store the unencrypted key file on device. Is
> there an option to "stream" the key file contents as input to
> cryptsetup?

You are talking about master key in luksFormat or about passphrase/keyfile
for keyslot?

Passphrase can be sent through standard input but note this difference:

If passphrase is sent through standard input, it reads until newline is reached,
so here "xxx" without trailing newline is passphrase.

  echo -e "xxx\n" | cryptsetup luksFormat /dev/sde

If you specify "-" as keyfile, no newline is stripped

  echo -e "xxx\n" | cryptsetup luksFormat /dev/sde -

(see man page)

So if you want to stream it, use something like this:

  cat uuu | cryptsetup luksFormat /dev/sde -
  cat uuu | cryptsetup luksOpen /dev/sde cdev -d -

(in recent versions you can use -d for luksFormat too)

If you need to stream master key, it is not possible, only output from file
is available (--master-key-file).
(In this case you can use libcryptsetup, it is easy to write such a program.)

> BTW, I cannot use the -y option either

-y is passphrase verify; if you stream through stdin, this is always switched off.

> - I am not running these from the console but through my program. Any suggestions?

Use libcryptsetup (from 1.1.x) then, much easier than wrapping binary and
it allows all this magic (you simply provide buffer with passphrase in API call).

Milan
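
Added example, not part of the original message or of cryptsetup: a Python model of the two stdin modes described above, showing why a random binary key has to be streamed with "-" as keyfile, plus a wrapper that pipes the key so it never lands in a file. The function names and sample bytes are constructed for illustration; the newline handling follows the message and the man page it points to.

```python
import subprocess

# Constructed sample inputs (not taken from the thread).
ECHO_SAMPLE = b"xxx\n\n"   # bytes bash writes for: echo -e "xxx\n"
BINARY_KEY = bytes.fromhex("9f3c0a77d1e4b2585a6c01fe33c8907b")  # 0x0a at offset 2


def effective_passphrase(stdin_bytes, keyfile_dash):
    """Model which bytes become the passphrase in each stdin mode."""
    if keyfile_dash:
        # "-" given as keyfile: every byte counts, newlines included.
        return stdin_bytes
    # Plain stdin: reading stops at the first newline, which is dropped.
    return stdin_bytes.split(b"\n", 1)[0]


def mode_mismatch(stdin_bytes):
    """True if a slot enrolled in one mode cannot be opened via the other."""
    plain = effective_passphrase(stdin_bytes, False)
    dash = effective_passphrase(stdin_bytes, True)
    return plain != dash


def luks_open_argv(device, name):
    # Same form as in the message: cryptsetup luksOpen <device> <name> -d -
    return ["cryptsetup", "luksOpen", device, name, "-d", "-"]


def luks_open_streamed(device, name, key):
    """Pipe the key to cryptsetup so it is never written to a file.
    Needs root and a real LUKS device; not called by the demo below."""
    return subprocess.run(luks_open_argv(device, name), input=key).returncode


if __name__ == "__main__":
    samples = (("echo sample", ECHO_SAMPLE), ("binary key", BINARY_KEY))
    for label, data in samples:
        plain = effective_passphrase(data, False)
        dash = effective_passphrase(data, True)
        print(label, "| plain stdin:", len(plain), "bytes",
              "| keyfile '-':", len(dash), "bytes",
              "| mismatch:", mode_mismatch(data))
```

In the model, the 16-byte constructed key shrinks to 2 bytes in plain stdin mode because of the embedded 0x0a, which is the case to rule out when the key is random binary data.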