vcmota Guru
Joined: 19 Jun 2017 Posts: 377
Posted: Wed Jun 09, 2021 2:37 am Post subject: [SOLVED] How to decrypt from either a file or a password?
Let's say I am going to encrypt a partition or a disk. There seem to be multiple ways, but let's focus on those two:
First, typing the password from stdin:
Quote:
cryptsetup luksFormat /dev/sda
Second, writing the password into a file, say mykey.key, and using it like this:
Quote:
cryptsetup luksFormat /dev/sda -d mykey.key
The question is: what if I want the password that is going to be typed to be the same that is stored in file mykey.key? The reason I am asking is that this is exactly what I have been trying for a while now without any success. The reason I want that is because I would love to encrypt a novel SSD I have added to my laptop in such a way that it could be decrypted either from a file (which would allow me to decrypt it automatically from boot) or a command line (in case I ever need to remove this disk from the laptop and read its contents somewhere else).
Thank you all!
Last edited by vcmota on Wed Jun 09, 2021 4:25 pm; edited 1 time in total

Hu Administrator
Joined: 06 Mar 2007 Posts: 23014
Posted: Wed Jun 09, 2021 5:00 am Post subject:
LUKS supports having multiple independent passwords that unlock the same device. Any one of the passwords is sufficient to unlock. Use luksFormat to create the control information and assign the first password. Use luksAddKey to assign additional passwords. Make one of those passwords the one you type, and another one the one in the file.

wwdev16 n00b
Joined: 29 Aug 2018 Posts: 53
Posted: Wed Jun 09, 2021 7:29 am Post subject:
Note that the key file must not contain a trailing new-line if you are trying to match a typed password. So if you typed secret as the password during luksFormat and then used an editor to create a file containing secret, the file would not work because it has a trailing new-line.
As Hu said you can have multiple passwords. What I do is create the container with a typed password, create a key-file with random binary data and then luksAddKey using the key-file.

vcmota Guru
Joined: 19 Jun 2017 Posts: 377
Posted: Wed Jun 09, 2021 4:24 pm Post subject:
Thank you Hu and wwdev16 for your replies. I am definitely going to implement the password+separate key file, it seems to be the most robust solution. But just out of curiosity:
wwdev16 wrote:
Note that the key file must not contain a trailing new-line if you are trying to match a typed password. So if you typed secret as the password during luksFormat and then used an editor to create a file containing secret, the file would not work
How to generate a file containing the exact password and without the trailing character? Typing seems not to be possible (I have tried multiple times), and I tried with echo too and also without success.
Thank you both again!

Hu Administrator
Joined: 06 Mar 2007 Posts: 23014
Posted: Wed Jun 09, 2021 5:09 pm Post subject:
printf would work, as would echo -n, or configuring your editor not to add a trailing newline to the end of the file. Unless you plan to manually type the password from the key file, it doesn't matter. Make a random blob for the key file, and never try to type it. Always let LUKS read from that file when it needs that password.
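
The approach suggested in the replies above, as an added example that is not part of the original thread: shell helpers that check a key file's last byte, write a typed passphrase to a file without the trailing newline, and create a random key file. The function and file names are assumptions made for illustration; `enroll_keyfile` wraps `cryptsetup luksAddKey` and is defined for reference only, the demo works on constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example: key-file handling for the LUKS setup discussed in this thread.

# True if the last byte of file $1 is a newline (0x0a). od is used so that
# binary key files are compared byte-exactly.
ends_with_newline() {
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Read one line from stdin and store it in file $1 WITHOUT the trailing
# newline, so the file holds exactly the bytes of the typed passphrase.
write_passphrase_file() {
    (
        umask 077                      # file is created owner-only
        IFS= read -r pass || [ -n "$pass" ] || exit 1
        printf '%s' "$pass" > "$1"
    )
}

# Create file $1 holding $2 (default 64) random bytes, readable by owner only.
make_random_keyfile() {
    ( umask 077 && head -c "${2:-64}" /dev/urandom > "$1" )
}

# Add key file $2 as an additional key on LUKS device $1. Needs root and an
# already formatted device; cryptsetup asks for an existing passphrase first.
enroll_keyfile() {
    cryptsetup luksAddKey "$1" "$2"
}

# Demo on constructed sample files; no block device is touched.
demo() {
    dir=$(mktemp -d) || return 1
    echo secret > "$dir/echo.key"      # what plain echo or an editor writes
    printf 'secret\n' | write_passphrase_file "$dir/exact.key"
    make_random_keyfile "$dir/random.key" 64
    for f in echo.key exact.key; do
        if ends_with_newline "$dir/$f"; then nl=yes; else nl=no; fi
        echo "$f: $(wc -c < "$dir/$f" | tr -d ' ') bytes, trailing newline: $nl"
    done
    echo "random.key: $(wc -c < "$dir/random.key" | tr -d ' ') bytes"
    rm -rf "$dir"
}
demo
```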