[Bug 363229] [NEW] decrypt_gpg keyscript fails due to trailing \n in key

Martin Unsal martinunsal at gmail.com
Sat Apr 18 04:40:11 UTC 2009


Public bug reported:

Binary package hint: cryptsetup

I use cryptsetup with a GPG key and passphrase. Worked fine in Gentoo
but it seems to be deprecated in Ubuntu. At least, I gather that from
the following in /lib/cryptsetup/scripts/decrypt_gpg:

---
echo "gpg decryption not implemented yet" >&2
exit 1
---

This is in Ubuntu 8.10 with cryptsetup 2:1.0.6-6ubuntu2.3.

I commented out these lines but there's a reason this is deprecated:

---
root at petn:~# cryptdisks_start crypt-backup-500
 * Starting crypto disk...                                                                         * crypt-backup-500 (starting)
Performing GPG key decryption
Enter passphrase: 
Command failed: No key available with this passphrase.
Performing GPG key decryption
Enter passphrase: 
---

Here is the relevant line in my crypttab:

crypt-backup-500        /dev/sdg3       /root/key-int-backup.gpg
luks,keyscript=/lib/cryptsetup/scripts/decrypt_gpg

This has been bugging me for years so I think I have tracked down the
problem.

1) /usr/bin/gpg -q --decrypt leaves a trailing \n at the end of the key string on stdout
2) /lib/cryptsetup/cryptdisks.functions uses the cmd line parameter "--key-file=-" to cryptsetup
3) this command line parameter will not accept a trailing \n, whereas the default behaviour of cryptsetup (which also reads key file from stdin) will discard the trailing '\n'

Here is the smoking gun:

---
root at petn:~# gpg -q --decrypt /root/key-int-backup.gpg | cryptsetup --key-file=- luksOpen /dev/sdg3 crypt-backup-500
Enter passphrase: 
Command failed: No key available with this passphrase.
root at petn:~# gpg -q --decrypt /root/key-int-backup.gpg | cryptsetup luksOpen /dev/sdg3 crypt-backup-500
Enter passphrase: 
key slot 0 unlocked.
Command successful.
root at petn:~# cryptsetup luksClose crypt-backup-500
root at petn:~# gpg -q --decrypt /root/key-int-backup.gpg | tr -d \\n | cryptsetup --key-file=- luksOpen /dev/sdg3 crypt-backup-500
Enter passphrase: 
key slot 0 unlocked.
Command successful.
root at petn:~# 
---

Here are a few ways to fix this, in order from best to worst (my
opinion):

1) Fix cryptsetup so that --key-file=- command line parameter discards trailing \n's.
2) Make cryptdisks.functions avoid the --key-file=- idiom, instead just skip --key-file if key is stdin.
3) The following horrible hack in /lib/cryptsetup/scripts/decrypt_gpg:

---
	echo "Performing GPG key decryption" >&2
#	if /usr/bin/gpg -q --decrypt $key; then
	if /usr/bin/gpg -q --decrypt $key | /usr/bin/tr -d \\n; then
---

Can someone choose one of these fixes and implement it? I'm not an
Ubuntu developer...

Thanks,
Martin

** Affects: cryptsetup (Ubuntu)
     Importance: Undecided
         Status: New
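As an added example (not code from the bug report or from Ubuntu's cryptsetup package), here is a filter for the third fix above that drops only the single trailing newline gpg appends. The `tr -d \\n` hack in the report deletes every 0x0a byte in the stream, which silently corrupts a binary key that happens to contain a newline; the function below keeps interior bytes intact, and the `$key` variable in the usage comment is assumed to be the one decrypt_gpg already uses.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Ubuntu's cryptsetup
# package. Removes exactly one trailing 0x0a byte from the decrypted key so
# "cryptsetup --key-file=-" gets the same bytes the interactive path does.
# "tr -d '\n'" would instead delete EVERY newline byte, which silently
# corrupts a binary key that happens to contain 0x0a.

# strip_one_trailing_newline: copy stdin to stdout minus a final newline.
# The key is spooled through a 0600 temp file (mktemp) rather than a shell
# variable, because variables cannot hold NUL bytes; point TMPDIR at a
# RAM-backed filesystem when using this on real key material.
strip_one_trailing_newline() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    size=$(wc -c < "$tmp" | tr -d ' ')
    last=$(tail -c 1 "$tmp" | od -An -tx1 | tr -d ' \n')
    if [ "$size" -gt 0 ] && [ "$last" = "0a" ]; then
        head -c "$((size - 1))" "$tmp"
    else
        cat "$tmp"
    fi
    rm -f "$tmp"
}

# key_digest: SHA-256 of the key bytes on stdin, so two candidate key
# streams can be compared without echoing secret material.
key_digest() {
    sha256sum | cut -d' ' -f1
}

# Drop-in replacement for the line the report patches in decrypt_gpg
# (assumes $key names the .gpg file, as in the original script):
#   /usr/bin/gpg -q --decrypt "$key" | strip_one_trailing_newline

# Self-check on a constructed, non-secret key containing an interior
# newline and a trailing one. Returns 0 when only the last byte was dropped.
demo_check() {
    got=$(printf 'constructed\nkey\n' | strip_one_trailing_newline | key_digest)
    want=$(printf 'constructed\nkey' | key_digest)
    [ "$got" = "$want" ]
}

demo_check && echo "trailing newline stripped, interior bytes intact" >&2
```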

-- 
decrypt_gpg keyscript fails due to trailing \n in key
https://bugs.launchpad.net/bugs/363229