FS#38550 - [cryptsetup] LUKS passphrase not accepted.

Attached to Project: Arch Linux
Opened by Claire Farron (clfarron4) - Friday, 17 January 2014, 10:12 GMT
Last edited by Thomas Bächler (brain0) - Friday, 28 February 2014, 12:01 GMT
Task Type: Bug Report
Category: Upstream Bugs
Status: Closed
Assigned To: Thomas Bächler (brain0)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 3
Private: No

Details

Description: Some users are not able to unlock their LUKS passphrase after updates to cryptsetup (now version 1.6.3) and libgcrypt (1.6.0) with containers created with previous versions of both packages.

Containers created with cryptsetup 1.6.3 and libgcrypt 1.6.0 seem not to be affected.


Additional info:
BBS Thread: https://bbs.archlinux.org/viewtopic.php?pid=1371687

Steps to reproduce:
Create LUKS container with cryptsetup < 1.6.3 and libgcrypt < 1.6.0, update to versions in repositories and try to unlock container.

Closed by Thomas Bächler (brain0)
Friday, 28 February 2014, 12:01 GMT
Reason for closing: None
Additional comments about closing: Workaround available.
Comment by No No (bk) - Friday, 17 January 2014, 22:25 GMT
Comment by No No (bk) - Saturday, 18 January 2014, 19:34 GMT
My current workaround was this:
- cryptsetup-reencrypt -h sha1 /dev/sdaX
- upgrade to libgcrypt 1.6.0
- cryptsetup-reencrypt -h whirlpool /dev/sdaX

I skipped my last point to save the time a reencrypt-run takes.

Remember: cryptsetup-reencrypt is experimental!
Comment by No No (bk) - Monday, 20 January 2014, 22:07 GMT
Comment by Thomas Bächler (brain0) - Thursday, 06 February 2014, 22:34 GMT
Fact is, the old cryptsetup/libgcrypt used an incorrect version of the whirlpool hash. It's possible to use the old libgcrypt (or new libgcrypt with bug emulation flag) to retrieve the master key and regenerate the LUKS header (without reencrypting the data). Other than that, all we can do is wait for cryptsetup to learn to work around this. I'd advise everyone to fix their LUKS headers instead.
Comment by Thomas Bächler (brain0) - Friday, 28 February 2014, 12:01 GMT
There is a workaround with the latest cryptsetup: http://www.saout.de/pipermail/dm-crypt/2014-February/003956.html
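
One way to check whether a container falls in the affected group, as an added example that is not part of the original report or of cryptsetup: it reads the hash spec from the start of a LUKS1 header (from the device or a header backup) and reports whether it is whirlpool, the hash named in the comments above. The function names and the sample header are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# Start of the LUKS1 on-disk header, big-endian: magic, version, cipher name,
# cipher mode, hash spec, payload offset, key bytes (112 bytes in total).
PREFIX = struct.Struct(">6sH32s32s32sII")


def _text(field):
    """Decode a NUL-padded ASCII header field."""
    return field.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_prefix(blob):
    """Return the cipher and hash fields from the first bytes of a LUKS1 header."""
    if len(blob) < PREFIX.size:
        raise ValueError("need at least %d bytes" % PREFIX.size)
    magic, version, name, mode, hash_spec, offset, key_bytes = PREFIX.unpack_from(blob)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic")
    if version != 1:
        raise ValueError("not a LUKS1 header (version %d)" % version)
    return {"cipher": _text(name) + "-" + _text(mode), "hash": _text(hash_spec),
            "payload_offset": offset, "key_bytes": key_bytes}


def uses_whirlpool(blob):
    """True if the header's hash spec is whirlpool."""
    return parse_luks1_prefix(blob)["hash"].lower() == "whirlpool"


def read_prefix(path):
    """Read the header prefix from a device or a header backup file."""
    with open(path, "rb") as fh:
        return fh.read(PREFIX.size)


def sample_header(hash_spec):
    """Constructed sample header prefix; not taken from a real container."""
    return PREFIX.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", hash_spec, 4096, 64)


if __name__ == "__main__":
    for spec in (b"whirlpool", b"sha1"):
        print(spec.decode(), uses_whirlpool(sample_header(spec)))
```

On a real system, `uses_whirlpool(read_prefix(path))` needs read access to the device or header backup at `path`.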
