[Bug 1397049] Re: initramfs cryptroot with keyscript and binary passphrase
Launchpad Bug Tracker
1397049 at bugs.launchpad.net
Sat Feb 11 14:53:38 UTC 2017
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: cryptsetup (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/1397049
Title:
initramfs cryptroot with keyscript and binary passphrase
Status in cryptsetup package in Ubuntu:
Confirmed
Bug description:
cryptsetup --key-file=-
is not the same as
cryptsetup --key-file=/dev/stdin
I use the initramfs cryptroot script to set up an encrypted device early,
and I have a keyscript that decrypts a keyfile and writes the
decrypted key to stdout (binary key, 512 bytes long).
# /etc/crypttab was this before running update-initramfs -u #
swap /dev/disk/by-partlabel/swap /etc/key.enc cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap,tries=1,keyscript=/etc/initramfs-tools/decrypt-key,precheck=un_blkid,noauto
But although the decrypt-key keyscript works fine inside the initramfs environment, and the decrypted key it produces is correct, the cryptroot script fails with an "unknown fs type" error.
I used the keyscript manually to decrypt the key to a file, then called cryptsetup with --key-file=key.decrypted along with the appropriate options, and it successfully opened the drive with a valid fstype.
I've discovered that replacing this part of the initramfs script "cryptroot"
$cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ;
with
$cryptkeyscript "$cryptkey" | $cryptcreate --key-file=/dev/stdin ;
fixed the problem. (/scripts/local-top/cryptroot around line 263)
I could reproduce the problem in initramfs environment with a /conf/conf.d/cryptroot like this:
target=swap,source=/dev/disk/by-partlabel/swap,key=/etc/key,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,tries=1,keyscript=/bin/cat
Where /etc/key is a 512 byte binary keyfile (already decrypted).
(try /bin/dd if /bin/cat is missing in your initramfs environment or ln -s /bin/busybox /bin/cat)
My Quick-Fix was:
cp /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/cryptroot
Edit it and replace --key-file=- with --key-file=/dev/stdin around line 263.
update-initramfs -u
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Package: cryptsetup
Version: 2:1.6.1-1ubuntu1
Architecture: amd64
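The following is an added example, not code from the bug report, cryptsetup or initramfs-tools. It models the failure the report describes with a constructed 512-byte key that contains a newline byte: a consumer that reads one line (passphrase semantics) gets a truncated key, while one that reads until EOF (key-file semantics) gets all 512 bytes. It also shows a length guard a keyscript can apply so that a short key is refused instead of being silently passed on to cryptsetup; the function names and KEY_LEN are my own.

```shell
#!/bin/sh
# Expected key length in bytes (assumption: matches the 512-byte key above).
KEY_LEN=512

# Constructed test key: 512 'A' bytes with a newline (0x0a) at offset 100.
# A random 512-byte key contains a newline byte with high probability anyway.
make_key() {
    dd if=/dev/zero bs=1 count="$KEY_LEN" 2>/dev/null | tr '\0' 'A' > "$1"
    printf '\n' | dd of="$1" bs=1 seek=100 conv=notrunc 2>/dev/null
}

# Line-oriented consumer (passphrase semantics): stops at the first newline.
line_reader_bytes() {
    IFS= read -r line < "$1"
    printf '%s' "$line" | wc -c | tr -d ' '
}

# Byte-oriented consumer (key-file semantics): reads until EOF.
eof_reader_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Guard for a keyscript: buffer stdin, emit it only if exactly KEY_LEN bytes
# arrived, so a truncated or empty key never reaches cryptsetup unnoticed.
guarded_key() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    n=$(wc -c < "$tmp" | tr -d ' ')
    if [ "$n" -ne "$KEY_LEN" ]; then
        echo "keyscript: expected $KEY_LEN key bytes, got $n" >&2
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp"
    rm -f "$tmp"
}

# Demo: ./keycheck.sh demo
if [ "${1:-}" = "demo" ]; then
    k=$(mktemp) && make_key "$k"
    echo "line reader: $(line_reader_bytes "$k") bytes, EOF reader: $(eof_reader_bytes "$k") bytes"
    rm -f "$k"
fi
```

In a keyscript, piping the decrypted key through guarded_key before cryptsetup turns a wrong-length key into a clear error in the initramfs log rather than an "unknown fs type" failure later.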