Piping key passing
Issue 4 by cle... on 2008-12-19 19:36:01:
From Marc:
> 4) this case is also suboptimal:
>
> If I pass the old key from stdin and expect to type the new one from the
> command line, nothing is asked from the command line and cryptsetup adds
> a new key that it was not able to retrieve from anywhere (is it NULL?)
>
> > polgara:~$ echo -n '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' | sudo cryptsetup luksAddKey --key-slot 1 --key-file - /dev/sda6
> > key slot 2 unlocked.
> > Command successful.
> > polgara:~$ sudo cryptsetup luksDump /dev/sda6
> > LUKS header information for /dev/sda6
> >
> > Version: 1
> > Cipher name: aes
> > Cipher mode: cbc-essiv:sha256
> > Hash spec: sha1
> > Payload offset: 1032
> > MK bits: 128
> > MK digest: e6 f6 15 48 44 22 71 dd 3e 63 35 0a 0a f1 2d ce c5 74 72 f0
> > MK salt: 61 8b 7a e6 c6 73 cd da 85 8e 17 31 88 c6 4b 75
> > 80 00 03 5d 04 de 85 6f a4 2b 6d c6 ee 61 c6 dc
> > MK iterations: 10
> > UUID: fe031e91-b31d-4a3e-8a1f-b12be18edd61
> >
> > Key Slot 0: ENABLED
> > Iterations: 440937
> > Salt: 33 c8 b0 6e 93 61 1d f1 53 79 cb bd 0c 3f ee 91
> > 4b 42 56 95 1a bb 5b 1f 85 d2 ad 1e 9d 9f d4 fa
> > Key material offset: 8
> > AF stripes: 4000
> > Key Slot 1: ENABLED
> > Iterations: 445325
> > Salt: 74 4d e4 13 17 0a 15 ea e1 ed 7f 12 19 0c b0 b0
> > 59 ef 82 6d 8e b9 93 b6 89 a0 cf 97 dc b3 b7 f4
> > Key material offset: 136
> > AF stripes: 4000
> > Key Slot 2: ENABLED
> > Iterations: 438762
> > Salt: d9 cc e1 ea 94 b1 3d ef 3e 5a b6 97 04 5c 5a a6
> > ab a5 bb c0 a3 3f a0 21 6b aa 76 b1 0b a7 49 89
> > Key material offset: 264
> > AF stripes: 4000
>
> the supplied key on the stdin was an unlock key, but no key is supplied
> as the replacement key.
>
> Strangely enough, the same happens without --key-file:
> > polgara:~$ echo -n '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' | sudo cryptsetup luksAddKey --key-slot 1 /dev/sda6
> > key slot 2 unlocked.
> > Command successful.
>
> I found that what we need to do is feed:
> echo "oldkey\nnewkey" | cryptsetup luksAddKey --key-slot 1 /dev/sda6
>
> You do document the change in the man page but it's confusing to me:
> If --key-file=- is used for reading the key from stdin, no trailing
> newline is stripped from the input. Without that option, cryptsetup
> strips trailing newlines from stdin input.
>
> I do have to feed a newline as a delimiter between old and new, so I'm
> not sure if it's meant to work for addkey?
> For now, I'm just using addkey with stdin and without --key-file=- since
> --key-file=- does not seem to be what I want. If you could explain this
> in more details in the man page, it may help.