* [dm-crypt] Question on cryptsetup options
@ 2010-11-16 9:09 Vinodh Sundararajan
2010-11-16 11:12 ` Milan Broz
0 siblings, 1 reply; 2+ messages in thread
From: Vinodh Sundararajan @ 2010-11-16 9:09 UTC (permalink / raw)
To: dm-crypt
Hello All,
I am trying to use cryptsetup as part of my program to encrypt a block device with a randomly generated master key that I intend to encrypt (with user password) and store on the device. I see that I could use the cryptsetup option '-d' to provide the key using a file on device but I don't want to store the unencrypted key file on device. Is there an option to "stream" the key file contents as input to cryptsetup?
BTW, I cannot use the -y option either - I am not running these from the console but through my program. Any suggestions? If this is not supported, is there a plan to support this in the near future?
Thanks a ton in advance for tips/suggestions/feedback!
cheers
Vinodh
* Re: [dm-crypt] Question on cryptsetup options
From: Milan Broz @ 2010-11-16 11:12 UTC (permalink / raw)
To: Vinodh Sundararajan; +Cc: dm-crypt
On 11/16/2010 10:09 AM, Vinodh Sundararajan wrote:
> I am trying to use cryptsetup as part of my program to encrypt a block
> device with a randomly generated master key that I intend to encrypt
> (with user password) and store on the device. I see that I could use
> the cryptsetup option '-d' to provide the key using a file on device
> but I don't want to store the unencrypted key file on device. Is
> there an option to "stream" the key file contents as input to
> cryptsetup?
You are talking about master key in luksFormat or about passphrase/keyfile
for keyslot?
Passphrase can be sent through standard input, but note this difference:

If passphrase is sent through standard input, it reads until newline is reached,
so here "xxx" without trailing newline is passphrase.

    echo -e "xxx\n" | cryptsetup luksFormat /dev/sde

If you specify "-" as keyfile, no newline is stripped:

    echo -e "xxx\n" | cryptsetup luksFormat /dev/sde -

(see man page)

So if you want to stream it, use something like this:

    cat uuu | cryptsetup luksFormat /dev/sde -
    cat uuu | cryptsetup luksOpen /dev/sde cdev -d -

(in recent versions you can use -d for luksFormat too)

If you need to stream the master key, it is not possible, only output from file
is available (--master-key-file).
(In this case you can use libcryptsetup, it is easy to write such a program.)
> BTW, I cannot use the -y option either
-y is passphrase verify; if you stream through stdin, this is always switched off.
> - I am not running these from the console but through my program. Any suggestions?
Use libcryptsetup (from 1.1.x) then, much easier than wrapping the binary, and
it allows all this magic (you simply provide a buffer with the passphrase in the API call).
Milan
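
Added example, not part of the thread and not cryptsetup code: a Python sketch of handing a randomly generated binary key to a child process over a pipe with "-" as the key file, plus a small model of the two stdin modes described in the reply, showing why binary key material must not go through passphrase mode. The function names, the sample key and the stand-in child command are assumptions made for illustration; the cryptsetup arguments are the ones quoted in the reply.

```python
import subprocess
import sys


def key_as_seen(stdin_bytes, keyfile_dash):
    """Model of the two stdin modes described in the reply (an assumption
    based on that text, not cryptsetup source code).

    keyfile_dash=False: passphrase mode, input ends at the first newline.
    keyfile_dash=True:  "-" given as key file, every byte is key material.
    """
    if keyfile_dash:
        return stdin_bytes
    return stdin_bytes.split(b"\n", 1)[0]


def luks_open_argv(device, name):
    # Same command line as in the reply: key file "-" means "read stdin".
    return ["cryptsetup", "luksOpen", device, name, "-d", "-"]


def stream_key(argv, key):
    """Run argv with the key written to its stdin pipe.

    The key lives only in this process's memory and in the pipe; it is not
    written to a file and does not appear on the command line.
    """
    return subprocess.run(argv, input=key, capture_output=True, check=True)


# Constructed sample: binary key material that happens to contain 0x0a.
SAMPLE_KEY = bytes.fromhex("9f3c0a77e1") + b"\n"

# Stand-in child (hypothetical, replaces cryptsetup so this runs without
# root or a block device): reports how many bytes arrived on stdin.
STAND_IN = [sys.executable, "-c",
            "import sys; sys.stdout.write(str(len(sys.stdin.buffer.read())))"]

if __name__ == "__main__":
    # Passphrase mode would silently shorten the key to the bytes before 0x0a.
    print("passphrase mode sees:", key_as_seen(SAMPLE_KEY, False).hex())
    print("keyfile '-' sees:    ", key_as_seen(SAMPLE_KEY, True).hex())
    print("bytes delivered over pipe:", stream_key(STAND_IN, SAMPLE_KEY).stdout.decode())
    print("real invocation:", " ".join(luks_open_argv("/dev/sde", "cdev")))
```

To run against a real device, pass `luks_open_argv(...)` to `stream_key` in place of `STAND_IN`, with a key from `os.urandom`.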