[dm-crypt] cryptsetup 1.6.6: No key available with this passphrase.

[dm-crypt] cryptsetup 1.6.6: No key available with this passphrase.

[Vasas Csaba]

hi there!

i use luks encryption with gpg encrypted key, which nicely works 
cryptsetup 1.6.1/gcrypt 1.5.3 but doesn't works with cryptsetup 
1.6.6/gcrypt 1.6.1

here is the debug message from cryptsetup 1.6.6/gcrypt 1.6.1:
# cryptsetup 1.6.6 processing "cryptsetup --key-file=- luksOpen 
/dev/vg0/root sroot --debug"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device /dev/vg0/root context.
# Trying to open and read device /dev/vg0/root.
# Initialising device-mapper backend library.
# Trying to load LUKS1 crypt type from device /dev/vg0/root.
# Crypto backend (gcrypt 1.6.1) initialized.
# Detected kernel Linux 3.14-2-rt-amd64 x86_64.
# Reading LUKS header of size 1024 from device /dev/vg0/root
# Key length 32, device size 1933582336 sectors, header size 2050 sectors.
# Timeout set to 0 miliseconds.
# Password retry count set to 3.
# Password verification disabled.
# Iteration time set to 1000 miliseconds.
# Password retry count set to 1.
# Activating volume sroot [keyslot -1] using keyfile -.
# dm version   OF   [16384] (*1)
# dm versions   OF   [16384] (*1)
# Detected dm-crypt version 1.13.0, dm-ioctl version 4.27.0.
# Device-mapper backend running with UDEV support enabled.
# dm status sroot  OF   [16384] (*1)
# STDIN descriptor passphrase entry requested.
# Trying to open key slot 0 [ACTIVE_LAST].
# Reading key slot 0 area.
# Using userspace crypto wrapper to access keyslot area.
# Trying to open key slot 1 [INACTIVE].
# Trying to open key slot 2 [INACTIVE].
# Trying to open key slot 3 [INACTIVE].
# Trying to open key slot 4 [INACTIVE].
# Trying to open key slot 5 [INACTIVE].
# Trying to open key slot 6 [INACTIVE].
# Trying to open key slot 7 [INACTIVE].
No key available with this passphrase.
# Releasing crypt device /dev/vg0/root context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code 1: No key available with this passphrase.

and here is the debug message from cryptsetup 1.6.1/gcrypt 1.5.3
# cryptsetup 1.6.1 processing "cryptsetup --key-file=- luksOpen 
/dev/vg0/root sroot --debug"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device /dev/vg0/root context.
# Trying to open and read device /dev/vg0/root.
# Initialising device-mapper backend library.
# Trying to load LUKS1 crypt type from device /dev/vg0/root.
# Crypto backend (gcrypt 1.5.3) initialized.
# Reading LUKS header of size 1024 from device /dev/vg0/root
# Key length 32, device size 1933582336 sectors, header size 2050 sectors.
# Timeout set to 0 miliseconds.
# Password retry count set to 3.
# Password verification disabled.
# Iteration time set to 1000 miliseconds.
# Password retry count set to 1.
# Activating volume sroot [keyslot -1] using keyfile -.
# dm version   OF   [16384] (*1)
# dm versions   OF   [16384] (*1)
# Detected dm-crypt version 1.13.0, dm-ioctl version 4.27.0.
# Udev is not running. Not using udev synchronisation code.
# Device-mapper backend running with UDEV support disabled.
# dm status sroot  OF   [16384] (*1)
# STDIN descriptor passphrase entry requested.
# Trying to open key slot 0 [ACTIVE_LAST].
# Reading key slot 0 area.
# Calculated device size is 250 sectors (RW), offset 8.
# DM-UUID is CRYPT-TEMP-temporary-cryptsetup-6389
# dm create temporary-cryptsetup-6389 
CRYPT-TEMP-temporary-cryptsetup-6389 OF   [16384] (*1)
# dm reload temporary-cryptsetup-6389  OFRW    [16384] (*1)
# dm resume temporary-cryptsetup-6389  OFRW    [16384] (*1)
# temporary-cryptsetup-6389: Stacking NODE_ADD (254,8) 0:6 0660
# temporary-cryptsetup-6389: Stacking NODE_READ_AHEAD 256 (flags=1)
# temporary-cryptsetup-6389: Processing NODE_ADD (254,8) 0:6 0660
# Created /dev/mapper/temporary-cryptsetup-6389
# temporary-cryptsetup-6389: Processing NODE_READ_AHEAD 256 (flags=1)
# temporary-cryptsetup-6389 (254:8): read ahead is 256
# temporary-cryptsetup-6389 (254:8): Setting read ahead to 256
# dm remove temporary-cryptsetup-6389  OFT    [16384] (*1)
# temporary-cryptsetup-6389: Stacking NODE_DEL
# temporary-cryptsetup-6389: Processing NODE_DEL
# Removed /dev/mapper/temporary-cryptsetup-6389
Key slot 0 unlocked.
# Calculated device size is 1933578240 sectors (RW), offset 4096.
# DM-UUID is CRYPT-LUKS1-2ca6c98f2a90421ebc33d686fb4c2811-sroot
# dm create sroot CRYPT-LUKS1-2ca6c98f2a90421ebc33d686fb4c2811-sroot 
OF   [16384] (*1)
# dm reload sroot  OFW    [16384] (*1)
[  539.319314] bio: create slab <bio-0> at 0
# dm resume sroot  OFW    [16384] (*1)
# sroot: Stacking NODE_ADD (254,8) 0:6 0660
# sroot: Stacking NODE_READ_AHEAD 256 (flags=1)
# sroot: Processing NODE_ADD (254,8) 0:6 0660
# Created /dev/mapper/sroot
# sroot: Processing NODE_READ_AHEAD 256 (flags=1)
# sroot (254:8): read ahead is 256
# sroot (254:8): Setting read ahead to 256
# Releasing crypt device /dev/vg0/root context.
# Releasing device-mapper backend.
# Unlocking memory.
Command successful.


is this some error in cryptsetup/gcrypt or just simply my fault?

thanks for your answers!

ps.: sorry for my bad english :(

-- 
Csaba Vasas

Re: [dm-crypt] cryptsetup 1.6.6: No key available with this passphrase.

[Milan Broz]

On 08/27/2014 07:31 AM, Vasas Csaba wrote:
>
> hi there!
>
> i use luks encryption with gpg encrypted key, which nicely works
> cryptsetup 1.6.1/gcrypt 1.5.3 but doesn't works with cryptsetup
> 1.6.6/gcrypt 1.6.1

Can you please post also luksDump of the device header?
(you can wipe salt/digest, the encryption mode and cipher here is important here)

Thanks,
Milan

Re: [dm-crypt] cryptsetup 1.6.6: No key available with this passphrase.

[Vasas Csaba]

08/27/2014 09:00 AM keltezéssel, Milan Broz írta:
> On 08/27/2014 07:31 AM, Vasas Csaba wrote:
>>
>> hi there!
>>
>> i use luks encryption with gpg encrypted key, which nicely works
>> cryptsetup 1.6.1/gcrypt 1.5.3 but doesn't works with cryptsetup
>> 1.6.6/gcrypt 1.6.1
>
> Can you please post also luksDump of the device header?
> (you can wipe salt/digest, the encryption mode and cipher here is 
> important here)
>
> Thanks,
> Milan


cryptsetup luksDump /dev/vg0/root
LUKS header information for /dev/vg0/root

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      whirlpool
Payload offset: 4096
MK bits:        256
MK digest:      93 d3 9b 26 de 4f a6 bf 0b 9e 89 6c cd 67 9a f1 96 62 af c6
MK salt:        e9 fc 79 d6 b8 d2 9e d8 9f 55 34 f6 b6 c3 5f 7f
                 20 17 b9 82 cb 0c 04 f0 23 32 f6 b6 1f 93 a8 de
MK iterations:  24375
UUID:           2ca6c98f-2a90-421e-bc33-d686fb4c2811

Key Slot 0: ENABLED
         Iterations:             97560
         Salt:                   86 38 4a 56 cc e1 73 aa 72 2a 78 ee 80 
b9 5d 30
                                 5e 54 2e c8 ce b4 f5 1a b1 25 86 23 80 
1c 89 58
         Key material offset:    8
         AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED


-- 
Csaba Vasas

Re: [dm-crypt] cryptsetup 1.6.6: No key available with this passphrase.

[Matthias Schniedermeyer]

On 27.08.2014 16:34, Vasas Csaba wrote:
> 
> 08/27/2014 09:00 AM keltezéssel, Milan Broz írta:
> >On 08/27/2014 07:31 AM, Vasas Csaba wrote:
> >>
> >>hi there!
> >>
> >>i use luks encryption with gpg encrypted key, which nicely works
> >>cryptsetup 1.6.1/gcrypt 1.5.3 but doesn't works with cryptsetup
> >>1.6.6/gcrypt 1.6.1
> >
> >Can you please post also luksDump of the device header?
> >(you can wipe salt/digest, the encryption mode and cipher here is
> >important here)
> >
> >Thanks,
> >Milan
> 
> 
> cryptsetup luksDump /dev/vg0/root
> LUKS header information for /dev/vg0/root
> 
> Version:        1
> Cipher name:    aes
> Cipher mode:    cbc-essiv:sha256
> Hash spec:      whirlpool

And i think this (whirlpool) is the culprit:

https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
- 8.3 Gcrypt after 1.5.3 breaks Whirlpool




-- 

Matthias

Re: [dm-crypt] cryptsetup 1.6.6: No key available with this passphrase.

[Vasas Csaba]

08/27/2014 05:28 PM keltezéssel, Matthias Schniedermeyer írta:
> On 27.08.2014 16:34, Vasas Csaba wrote:
>> 08/27/2014 09:00 AM keltezéssel, Milan Broz írta:
>>> On 08/27/2014 07:31 AM, Vasas Csaba wrote:
>>>> hi there!
>>>>
>>>> i use luks encryption with gpg encrypted key, which nicely works
>>>> cryptsetup 1.6.1/gcrypt 1.5.3 but doesn't works with cryptsetup
>>>> 1.6.6/gcrypt 1.6.1
>>> Can you please post also luksDump of the device header?
>>> (you can wipe salt/digest, the encryption mode and cipher here is
>>> important here)
>>>
>>> Thanks,
>>> Milan
>>
>> cryptsetup luksDump /dev/vg0/root
>> LUKS header information for /dev/vg0/root
>>
>> Version:        1
>> Cipher name:    aes
>> Cipher mode:    cbc-essiv:sha256
>> Hash spec:      whirlpool
> And i think this (whirlpool) is the culprit:
>
> https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
> - 8.3 Gcrypt after 1.5.3 breaks Whirlpool
>
>
>
>

ok, i get it. it's my fault. thanks very much to you and Milan for help.


-- 
Csaba Vasas