Manual access of Tomb #289

Closed
yzmet opened this issue Dec 5, 2017 · 8 comments
Labels
discussion, docs (leading to more and improved documentation), minor

Comments

@yzmet

yzmet commented Dec 5, 2017

Hi.
Out of interest I am testing out the manual access of a tomb file with a key file as described.
The fourth step, after having set the variables, gives the error "No key available with this passphrase."
That is it. What is the problem with this?

@Narrat
Collaborator

Narrat commented Dec 6, 2017

Beginning with some trivial questions, but we want to be sure:
You made sure the variables had some valid content?
You didn't split the problematic command line?
You checked for typos?
What tomb version? Or what was the tomb version with which you created the tomb and its keyfile?

Version of cryptsetup and gpg?

@jaromil
Member

jaromil commented Dec 6, 2017

Yes, please reproduce all steps and paste them here, from creation of a test tomb to your try of the script, including the output of tomb -v.

@yzmet
Author

yzmet commented Dec 14, 2017

tomb -v
  Tomb 2.4 - a strong and gentle undertaker for your secrets
  
   Copyright (C) 2007-2017 Dyne.org Foundation, License GNU GPL v3+
   This is free software: you are free to change and redistribute it
   For the latest sourcecode go to <http://dyne.org/software/tomb>
  
   This source code is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
   When in need please refer to <http://dyne.org/support>.
  
  System utils:
  
  Sudo version 1.8.16
  cryptsetup 2.0.0
  pinentry-gnome3 (pinentry) 0.9.7
Copyright (C) 2015 g10 Code GmbH
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
  gpg (GnuPG) 1.4.20 - key forging algorithms (GnuPG symmetric ciphers):
  /usr/bin/gpg
 IDEA 3DES CAST5 BLOWFISH AES AES192 AES256 TWOFISH CAMELLIA128 CAMELLIA192 CAMELLIA256
  
  Optional utils:
  
  /usr/bin/gettext
  dcfldd not found
  wipe not found
  /usr/bin/steghide
  /sbin/resize2fs
  tomb-kdb-pbkdf2 not found
  qrencode not found
  swish-e not found
  unoconv not found
/* this first test is with a previous tomb file */
root@pc:/home/user# lo=$(losetup -f)
root@pc:/home/user# losetup -f secret.tomb
root@pc:/home/user# pass="$(gpg -d secret.tomb.key)"
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
root@pc:/home/user# echo -n -e "$pass" | cryptsetup --key-file - luksOpen $lo secret
No key available with this passphrase.
root@pc:/home/user# echo -n -e "$pass" | cryptsetup --key-file - luksOpen $lo pass
No key available with this passphrase.
root@pc:/home/user# echo -n -e "$pass" | cryptsetup --key-file - luksOpen $lo secret.tomb
No key available with this passphrase.
root@pc:/home/user# echo -n -e "$pass" | cryptsetup --key-file - luksOpen $lo secret.tomb.key
No key available with this passphrase.
/* this next test is a fresh tomb, and I try to mount this one manually.  I also installed cryptsetup 2.2.0 to have the newest version */
root@pc:/home/user# tomb dig -s 10 secret.tomb
tomb  .  Commanded to dig tomb secret.tomb
tomb (*) Creating a new tomb in secret.tomb
tomb  .  Generating secret.tomb of 10MiB
10+0 records in
10+0 records out
10485760 bytes (10 MB, 10 MiB) copied, 0.537503 s, 19.5 MB/s
-rw------- 1 root root 10M Dec 14 11:36 secret.tomb
tomb (*) Done digging secret
tomb  .  Your tomb is not yet ready, you need to forge a key and lock it:
tomb  .  tomb forge secret.tomb.key
tomb  .  tomb lock secret.tomb -k secret.tomb.key
root@pc:/home/user# tomb forge secret.tomb.key -f
tomb  .  Commanded to forge key secret.tomb.key with cipher algorithm AES256
tomb [W] This operation takes time, keep using this computer on other tasks,
tomb [W] once done you will be asked to choose a password for your tomb.
tomb [W] To make it faster you can move the mouse around.
tomb [W] If you are on a server, you can use an Entropy Generation Daemon.
512+0 records in
512+0 records out
512 bytes copied, 252.697 s, 0.0 kB/s
tomb (*) Choose the password of your key: secret.tomb.key
tomb  .  (You can also change it later using 'tomb passwd'.)
tomb  .  Key is valid.
tomb  .  Done forging secret.tomb.key
tomb (*) Your key is ready:
-rw------- 1 root root 873 Dec 14 11:40 secret.tomb.key
root@pc:/home/user# tomb lock secret.tomb -k secret.tomb.key 
tomb  .  Commanded to lock tomb secret.tomb
tomb  .  Checking if the tomb is empty (we never step on somebody else's bones).
tomb  .  Fine, this tomb seems empty.
tomb  .  Key is valid.
tomb  .  Locking using cipher: aes-xts-plain64:sha256
tomb  .  A password is required to use key secret.tomb.key
tomb  .  Password OK.
tomb (*) Locking secret.tomb with secret.tomb.key
tomb  .  Formatting Luks mapped device.
tomb  .  Formatting your Tomb with Ext3/Ext4 filesystem.
tomb  .  Done locking secret using Luks dm-crypt aes-xts-plain64:sha256
tomb (*) Your tomb is ready in secret.tomb and secured with key secret.tomb.key
root@pc:/home/user# lo=$(losetup -f)
root@pc:/home/user# losetup -f secret.tomb
root@pc:/home/user# pass="$(gpg -d secret.tomb.key)"
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
root@pc:/home/user# echo -n -e "$pass" | cryptsetup --key-file - luksOpen $lo secret
No key available with this passphrase.
/* this is the recommended phrase */
/* the rest are just random guesses */
root@pc:/home/user# echo -n -e "$pass" | cryptsetup --key-file - luksOpen $lo secret.tomb
No key available with this passphrase.
root@pc:/home/user# echo -n -e "$pass" | cryptsetup --key-file - luksOpen $lo secret.tomb.key
No key available with this passphrase.
root@pc:/home/user# echo -n -e "$pass" | cryptsetup --key-file - luksOpen $lo pass
No key available with this passphrase.
root@pc:/home/user# echo -n -e "$pass" | cryptsetup --key-file - luksOpen $lo $secret.tomb
No key available with this passphrase.

Okay, here are the results after reproducing all steps. My system is Ubuntu Xenial 16.04.
For variables, I set pass equal to the existing key file. Steps #1 and #2 were used without modification from the instructions.

@Narrat
Collaborator

Narrat commented Dec 15, 2017

Ah, great. Thank you for the detailed steps.
Your variations from the random guesses could have gone wrong though. The last entry in the cryptsetup command just defines the /dev/mapper name. And as the content of pass contains non-ASCII chars, funny stuff could happen.
And you didn't show if $pass is an empty var or not. Use only the echo part of the command for a quick and dirty look at the content of pass.

Sadly I cannot reproduce this on tomb version 2.4, but there is one big thing that differs in our setups. And this is gpg. I'm on gpg 2.x whereas Xenial still defaults to the old 1.x.
Alas I cannot test it currently as I don't have a fitting VM.
Also of interest would be what happens if you only run the necessary commands with root rights (losetup, cryptsetup and mount). Cannot test that either, as gpg refuses to work for me as root (although I probably just need to adjust some agent settings).

On a sidenote. Although the manual steps are working for me, I need to enter the password twice and from the messages it seems the keyfile is decrypted twice. And the result of the first decrypt is printed back to the terminal. Dunno currently what's going on there.

Edit: Why the -f on forging the key? The force option only helps with swap partitions (if I remember correctly)
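The warning above about non-ASCII content in pass can be made concrete. What follows is an added example, not code from the issue, from the Tomb manual or from Tomb itself: it constructs two sample key fragments (one with a literal backslash sequence, one that also carries a NUL byte, as a random 512-byte key like the one forged in the transcript above can) and counts their bytes before and after they pass through a shell variable and an echo -e style expansion. printf '%b' stands in for echo -e because it interprets the same backslash escapes and is portable across sh and bash. The function names and sample bytes are constructed for this illustration; the direct-pipe form in the trailing comment is a suggestion made here, not a step the thread prescribes.

```shell
#!/bin/sh
# Added example, not part of the issue or of Tomb: shows what
#   pass="$(gpg -d secret.tomb.key)" followed by echo -n -e "$pass"
# does to key bytes that are not plain printable ASCII. No gpg or
# cryptsetup is invoked; the key bytes below are constructed for the demo.

# Constructed key fragment: text containing a literal backslash followed by n.
sample_key_with_backslash() {
    printf 'k3y\\nbytes'
}

# Constructed key fragment that also carries a NUL byte in the middle,
# as arbitrary random key material can.
sample_key_with_nul() {
    printf 'k3y\\nbytes'
    printf '\0'
    printf 'tail'
}

# Byte count when the key goes straight down a pipe, untouched.
byte_count_direct() {
    "$1" | wc -c | tr -d ' '
}

# Byte count after the same key has passed through a shell variable and an
# echo -e style expansion: backslash sequences get interpreted, and a NUL
# byte cannot survive command substitution at all (bash drops it, dash
# drops or truncates at it), so the byte count shrinks.
byte_count_via_variable_and_escape() {
    pass="$("$1")"
    printf '%b' "$pass" | wc -c | tr -d ' '
}

# The quick check asked for in the thread: did decryption yield anything?
key_is_empty() {
    [ -z "$1" ]
}

# Suggested safer manual form (an assumption made here, not a Tomb command):
# never put the key in a variable, let cryptsetup read the bytes verbatim.
#   gpg -d secret.tomb.key | cryptsetup --key-file - luksOpen "$lo" secret

printf 'backslash key: direct %s bytes, via variable+escape %s bytes\n' \
    "$(byte_count_direct sample_key_with_backslash)" \
    "$(byte_count_via_variable_and_escape sample_key_with_backslash)"
printf 'NUL key:       direct %s bytes, via variable+escape %s bytes\n' \
    "$(byte_count_direct sample_key_with_nul)" \
    "$(byte_count_via_variable_and_escape sample_key_with_nul)"
```

Run it with sh or bash: the direct counts are 10 and 15 bytes, while the round-tripped counts come out as 9 and fewer than 15. The exact number in the NUL case differs between bash and dash, which is itself the point: a key that has been through command substitution and escape interpretation is no longer the key that was decrypted, and cryptsetup will then report no matching keyslot.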

@jaromil
Member

jaromil commented Dec 15, 2017

Also what I see new is cryptsetup 2.0, which is very recently released AFAIK. Let's investigate this further. Many thanks @yzmet for following up and posting more details.

@jaromil added the labels docs (leading to more and improved documentation) and in progress on Dec 15, 2017
@Narrat
Collaborator

Narrat commented Dec 15, 2017

Didn't take that into account, because I was also testing with cryptsetup 2.0.0. Although there could be distribution/downstream introduced bugs.

@jaromil
Member

jaromil commented Jan 3, 2018

Not sure where we are with this, but can we add a test unit also for this task?

@jaromil added the label minor and removed the label in progress on Jan 10, 2018
@jaromil
Member

jaromil commented Jan 10, 2018

Cannot reproduce. With no feedback, this means it may be closed soon.
