[Bug 1397049] [NEW] initramfs cryptroot with keyscript and binary passphrase
d4
d4 at mailinator.com
Thu Nov 27 16:31:14 UTC 2014
Public bug reported:
cryptsetup --key-file=-
is not the same as
cryptsetup --key-file=/dev/stdin
I use the initramfs cryptroot script to set up an encrypted device early,
and I have a keyscript that decrypts a keyfile and writes the decrypted
key to stdout. (binary key 512 bytes long)
# /etc/crypttab was this before running update-initramfs -u #
swap /dev/disk/by-partlabel/swap /etc/key.enc cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap,tries=1,keyscript=/etc/initramfs-tools/decrypt-key,precheck=un_blkid,noauto
But although the decrypt-key keyscript works fine inside the initramfs environment, and the decrypted key it produces is correct, the cryptroot script fails with an "unknown fs type" error.
I used the keyscript manually to decrypt the key to a file, then called cryptsetup with --key-file=key.decrypted along with the appropriate options, and it successfully opened the drive with a valid fstype.
I've discovered that replacing this part of the initramfs script "cryptroot"
$cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ;
with
$cryptkeyscript "$cryptkey" | $cryptcreate --key-file=/dev/stdin ;
fixed the problem. (/scripts/local-top/cryptroot around line 263)
I could reproduce the problem in the initramfs environment with a /conf/conf.d/cryptroot like this:
target=swap,source=/dev/disk/by-partlabel/swap,key=/etc/key,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,tries=1,keyscript=/bin/cat
Where /etc/key is a 512 byte binary keyfile (already decrypted).
(try /bin/dd if /bin/cat is missing in your initramfs environment, or ln -s /bin/busybox /bin/cat)
My quick fix was:
cp /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/cryptroot
Edit the copy and replace --key-file=- with --key-file=/dev/stdin around line 263.
update-initramfs -u
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Package: cryptsetup
Version: 2:1.6.1-1ubuntu1
Architecture: amd64
** Affects: cryptsetup (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1397049
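What the two spellings can do to a binary key, as an added illustration (this script is not part of the bug report and is not cryptsetup code). The crypttab line in the report uses hash=sha256, so in plain mode the dm-crypt key is the SHA-256 of whatever bytes cryptsetup actually reads. The assumption made here, consistent with the reporter's observation but not confirmed by anything else on this page, is that the --key-file=- path in the cryptsetup build cited consumes stdin like a passphrase and stops at the first newline byte (0x0a), while --key-file=/dev/stdin opens a path and reads to EOF. The two read helpers below are stand-ins for those behaviours, the 512-byte key is constructed (not a real key), and cryptsetup is never invoked, so the script needs neither root nor dm-crypt.

```sh
#!/bin/sh
# Added example; not from the bug report and not cryptsetup code.
# Models the two ways a key piped from a keyscript can be consumed:
#   passphrase-style : read stdin up to the first 0x0a byte (ASSUMED
#                      behaviour of --key-file=- in the cryptsetup cited)
#   keyfile-style    : open the path and read to EOF (--key-file=/dev/stdin)
# and shows that with hash=sha256 (as in the crypttab line) the two yield
# different keys from the same 512-byte input. The working form from the
# report is:  $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=/dev/stdin
# Needs only POSIX sh, head, tr, wc, awk and sha256sum (or shasum).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/key"

# Constructed test key (not a real key): bytes 0x01..0xff repeated to
# 512 bytes. NUL is left out only to keep the shell tools simple; the
# point is that byte 0x0a occurs inside it (at offsets 9 and 264).
make_key() {
    fmt=""
    i=0
    while [ "$i" -lt 512 ]; do
        v=$(( (i % 255) + 1 ))
        # build a printf octal escape such as \012 using arithmetic only
        fmt="$fmt\\$(( v / 64 ))$(( (v / 8) % 8 ))$(( v % 8 ))"
        i=$(( i + 1 ))
    done
    printf "$fmt" > "$1"
}

# Stand-in for a line-oriented passphrase read: bytes before the first newline.
read_passphrase_style() { head -n 1 "$1" | tr -d '\n'; }

# Stand-in for a keyfile read: every byte until EOF.
read_keyfile_style() { cat "$1"; }

# Plain-mode derivation for hash=sha256: hash the bytes that were read.
# With size=256 the whole digest is the key, so the full hex string is compared.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

bytes_read_passphrase_style()  { read_passphrase_style "$KEY" | wc -c | tr -d ' '; }
bytes_read_keyfile_style()     { read_keyfile_style "$KEY" | wc -c | tr -d ' '; }
derived_key_passphrase_style() { read_passphrase_style "$KEY" | sha256_hex; }
derived_key_keyfile_style()    { read_keyfile_style "$KEY" | sha256_hex; }

# The check to run on an existing binary key before piping it as a
# passphrase: how many 0x0a bytes does it contain? Anything above zero
# means a line-oriented reader truncates it.
count_newlines() { tr -dc '\n' < "$1" | wc -c | tr -d ' '; }

# Chance that a uniformly random key of N bytes contains at least one
# 0x0a byte: 1 - (255/256)^N, printed as a percentage.
truncation_risk_pct() {
    awk -v n="$1" 'BEGIN { printf "%.1f", 100 * (1 - (255/256)^n) }'
}

make_key "$KEY"
echo "newlines in key:             $(count_newlines "$KEY")"
echo "bytes seen, passphrase read: $(bytes_read_passphrase_style)"
echo "bytes seen, keyfile read:    $(bytes_read_keyfile_style)"
echo "sha256, passphrase read:     $(derived_key_passphrase_style)"
echo "sha256, keyfile read:        $(derived_key_keyfile_style)"
echo "random 512-byte key contains 0x0a: $(truncation_risk_pct 512)%"
```

Run as-is it prints the byte counts and the two digests; the passphrase-style read sees 9 bytes of the 512 and hashes to a different key, which is the kind of mismatch that surfaces as "unknown fs type" when the precheck looks at the mapped device. The truncation_risk_pct figure (about 86.5% for 512 random bytes) is why a binary keyscript output should never be fed to anything that reads line-wise, and count_newlines is the one-line check to run on a key you already have.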