clevis luks bind fails with key file in non-interactive mode #105
Comments
Could you try the following patch (on top of master) and report back the results, please?
@sergio-correia I will need some time to prepare a build environment and test this patch, given that I have been just using the default clevis that is present in Fedora. I think it will be faster if I could modify the
@dnoliver: please try the slightly modified following patch, which should apply on top of
Hope I did it correctly, `[intel@fedora-workstation-1 ~]$ diff clevis-luks-bind.bak clevis-luks-bind` shows:
114c114
< *) old=`/bin/cat "$KEY"`;;
---
> *) ! IFS= read -rd '' old < "$KEY";;
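Review bot: the inversion in `! IFS= read -rd '' old < "$KEY"` is needed because `read` returns 1 when it reaches EOF before a NUL delimiter, but the same inversion also turns a failed redirection into status 0: if `$KEY` is missing or unreadable, the shell reports the error, `read` never runs, and the case arm still succeeds with an empty `old`. Consider checking readability explicitly before the case, e.g. `[ -r "$KEY" ] || { echo "Cannot read key file $KEY" >&2; exit 1; }`. Note also that neither the old `/bin/cat` substitution nor the new `read -d ''` can carry a key file containing NUL bytes (a shell variable cannot hold NUL), so binary key files would need to be passed to cryptsetup by path rather than through a variable.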
119,126c119,124
< if ! echo -e "$old\n$key" | cryptsetup luksAddKey --key-slot $SLT $DEV; then
< echo "Error while adding new key to LUKS header!" >&2
< exit 1
< fi
< elif ! SLT=`echo -e "$old\n$key" \
< | cryptsetup luksAddKey -v $DEV \
< | sed -rn 's|^Key slot ([0-9]+) created\.$|\1|p'`; then
< echo "Error while adding new key to LUKS header!" >&2
---
> cryptsetup luksAddKey --key-slot "$SLT" --key-file <(echo -n "$old") "$DEV"
> else
> SLT="$(cryptsetup luksAddKey --key-file <(echo -n "$old") -v "$DEV" \
> | sed -rn 's|^Key slot ([0-9]+) created\.$|\1|p')"
> fi < <(echo -n "$key")
> if [ $? -ne 0 ]; then echo "Error while adding new key to LUKS header!" >&2 Running the test:
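Review bot: in the else branch the `$?` tested after `fi` is the status of the assignment `SLT="$(cryptsetup ... | sed ...)"`, which is the status of `sed` (the last command of the pipeline), so a cryptsetup failure there goes undetected unless `set -o pipefail` is in effect; either enable pipefail or additionally check `[ -n "$SLT" ]`, since the sed filter prints nothing when no "Key slot N created." line appeared. Separately, `echo -n "$old"` and `echo -n "$key"` will swallow a passphrase that happens to begin with an option such as `-e` or `-n`; `printf '%s' "$old"` writes the bytes unmodified.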
Works! Thank you @sergio-correia! FYI: I tested this in Fedora Workstation 30, not on Ubuntu (there are other reported issues in Ubuntu about versions and such). I am happy that it works in Fedora :)
Thanks for testing, I will push that fix.
We now use cryptsetup and key file, and that way we handle passphrases with newlines on them as well. Add also tests to confirm non-interactive mode is working. Fixes: latchset#105
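As an added illustration, not code from the clevis project or from this thread, the script below isolates two details of the fix: keeping a passphrase's trailing newline when the key file is read into a shell variable, and the exit status of the `cryptsetup ... | sed ...` pipeline, which is stood in for by a failing command since no LUKS device is touched. The sample passphrase and the temporary key file are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not clevis project code): why the fix reads the key file with
# `IFS= read -rd ''` rather than `$(cat "$KEY")`, and why the pipeline status needs care.

# Constructed sample passphrase with an embedded and a trailing newline.
SAMPLE_KEY=$'first line\nsecond line\n'

# Write the sample passphrase to a temporary key file and print its path.
make_key_file() {
    local f
    f="$(mktemp)"
    printf '%s' "$SAMPLE_KEY" > "$f"
    echo "$f"
}

# Old reader: command substitution strips trailing newlines, so the
# passphrase handed to cryptsetup comes out one character short.
key_length_via_cat() {
    local old
    old=$(cat "$1")
    printf '%s' "${#old}"
}

# Patched reader: read up to a NUL delimiter with IFS cleared, keeping every
# character; read returns 1 at EOF, hence the inversion, exactly as in the patch.
key_length_via_read() {
    local old
    ! IFS= read -rd '' old < "$1"
    printf '%s' "${#old}"
}

# Stand-in for the else branch: a command that fails after printing, piped
# into the same sed filter. Without pipefail the pipeline's status is sed's (0).
pipeline_status_without_pipefail() {
    local slot rc=0
    slot="$( (echo boom; false) | sed -rn 's|^Key slot ([0-9]+) created\.$|\1|p')" || rc=$?
    printf '%s' "$rc"
}

# Same pipeline with pipefail: the failure of the first command is visible (1).
pipeline_status_with_pipefail() {
    local slot rc=0
    set -o pipefail
    slot="$( (echo boom; false) | sed -rn 's|^Key slot ([0-9]+) created\.$|\1|p')" || rc=$?
    set +o pipefail
    printf '%s' "$rc"
}

# Stand-alone demo (the temporary key file is removed afterwards).
kf="$(make_key_file)"; echo "cat: $(key_length_via_cat "$kf") chars, read -d '': $(key_length_via_read "$kf") chars; pipeline status plain/pipefail: $(pipeline_status_without_pipefail)/$(pipeline_status_with_pipefail)"; rm -f "$kf"
```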
Thanks! When is this going to be present in an rpm package for Fedora?
There is a Fedora 31 package currently in testing: https://bodhi.fedoraproject.org/updates/FEDORA-2019-777babd249
Thank you @sergio-correia, it works with Clevis 11-11. Apparently it got updated with the latest automatic update:

[root@fedora-server-1 intel]# sudo dnf upgrade --advisory=FEDORA-2019-777babd249
Last metadata expiration check: 2:03:11 ago on Mon 06 Jan 2020 11:53:20 AM PST.
No security updates needed, but 0 updates available
Dependencies resolved.
Nothing to do.
Complete!

The test now passes. Test output:

[root@fedora-server-1 intel]# bash test.sh
+ rpm -qa 'clevis*' 'cryptsetup*' 'luks*' 'tpm2*'
cryptsetup-libs-2.2.2-1.fc31.x86_64
tpm2-tools-4.0.1-1.fc31.x86_64
clevis-11-11.fc31.x86_64
cryptsetup-2.2.2-1.fc31.x86_64
tpm2-tss-2.3.1-1.fc31.x86_64
clevis-luks-11-11.fc31.x86_64
tpm2-tss-devel-2.3.1-1.fc31.x86_64
tpm2-pkcs11-tools-0-0.8.20191011git0b7ceff.fc31.x86_64
luksmeta-9-5.fc31.x86_64
+ openssl rand -hex 8
+ cryptsetup --verbose --batch-mode luksFormat /dev/sda1 key
Existing 'crypto_LUKS' superblock signature (offset: 0 bytes) on device /dev/sda1 will be wiped.
Existing 'crypto_LUKS' superblock signature (offset: 16384 bytes) on device /dev/sda1 will be wiped.
Key slot 0 created.
Command successful.
+ cryptsetup open /dev/sda1 c1 --key-file key
+ mkfs.ext4 /dev/mapper/c1
mke2fs 1.45.3 (14-Jul-2019)
Creating filesystem with 7681792 4k blocks and 1921360 inodes
Filesystem UUID: ab3793f3-67ca-4cfb-bbc4-c972b9a9130b
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
+ sleep 1
+ cryptsetup close c1
+ clevis luks bind -f -k key -d /dev/sda1 tpm2 '{"pcr_bank":"sha256", "pcr_ids":"1,2"}'
+ clevis luks unlock -d /dev/sda1 -n c1
+ ls /dev/mapper/c1
/dev/mapper/c1
+ cryptsetup close c1
Test Script
Test Output:
OS: Ubuntu 18.04, with ubuntu disco repos to install clevis-11
Result: I need to do it interactively, which has other problems that I will describe in another issue.