search

agherzan / yubikey-full-disk-encryption

Use YubiKey to unlock a LUKS partition
Apache License 2.0
808 stars 50 forks source link

Invalid numeric value #98

Closed d066y50 closed 1 year ago

d066y50 commented 1 year ago

I am trying to format LUKS partition by ykfde-format but getting an "Invalid numeric value" error from cryptsetup. I have enabled debug mode and can see the message:

Passing '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c922d1c210a170356c9bab9ab18ecf0e2ae98e48316' to 'cryptsetup'

(don`t worry about the key, this is a dummy run)

I replaced the line: printf '%s\n' "$YKFDE_PASSPHRASE" | cryptsetup luksFormat "$@"

To: printf '%s\n' "$YKFDE_PASSPHRASE" | printf '%s\n' "$@"

The line above does not pass the key to cryptsetup, but only parameters come from ykfde-format:

root@archiso / # ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 /dev/nvme0n1p4

YubiKey slot status 'ykinfo -q -2': 1 WARNING: This script will run 'cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 /dev/nvme0n1p4'. If this is not what you intended, please abort. Please provide the challenge. Enter challenge: 123456

Please repeat the challenge. Enter challenge: 123456 Running: 'ykchalresp -2 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92'... Remember to touch the device if necessary. Received response: '2d1c210a170356c9bab9ab18ecf0e2ae98e48316' Passing '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c922d1c210a170356c9bab9ab18ecf0e2ae98e48316' to 'cryptsetup' --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 /dev/nvme0n1p4 New LUKS device successfully formatted

Please advise (:

d066y50 commented 1 year ago

I think I have figured it out. It needs to be something like this:

echo -n "$YKFDE_PASSPHRASE" | cryptsetup luksFormat "$@" --key-file=-

When I try to check the passphrase, it looks OK:

root@archiso / # cryptsetup luksOpen --test-passphrase --key-slot 0 /dev/nvme0n1p4 Enter passphrase for /dev/nvme0n1p4: cryptsetup luksOpen --test-passphrase --key-slot 0 /dev/nvme0n1p4 18.89s user 0.20s system 85% cpu 22.375 total

Vincent43 commented 1 year ago

That's weird, when I test it work as is:

ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 container.ct
 > YubiKey slot status 'ykinfo -q -2': 1
WARNING: This script will run 'cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 container.ct'.  If this is not what you intended, please abort.
 > Please provide the challenge.
   Enter challenge: 123456

 > Please repeat the challenge.
   Enter challenge: 123456
   Running: 'ykchalresp -2 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92'...
   Remember to touch the device if necessary.
   Received response: 'e7c7429e9ce4da45b277947db8edbbaffe57806d'
 > Passing '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92e7c7429e9ce4da45b277947db8edbbaffe57806d' to 'cryptsetup'
   New LUKS device successfully formatted

Could you check if your command doesn't contain some unprintable characters, extra spaces, etc?

agherzan commented 1 year ago

Could be worth checking tools versions, too - maybe some CLI stuff changed.

d066y50 commented 1 year ago

There wasn`t any typo because I used the command by copy-paste from the installation cheat sheet. I only changed the script, as I explained above.

I think the important thing was using "--key-file=-" at the end of the line. None of my other attempts worked.

agherzan commented 1 year ago

It really sounds like a CLI change.

luksFormat <device> [<key file>]

Initializes  a  LUKS  partition  and sets the initial passphrase (for
              key-slot 0), either via prompting or via <key file>. Note that if the
              second  argument  is  present,  then the passphrase is taken from the
              file given there, without the need to use the --key-file option. Also
              note  that  for  both forms of reading the passphrase from a file you
              can give '-' as file name, which results in the passphrase being read
              from stdin and the safety-question being skipped.

@d066y50 are you up for an MR?

d066y50 commented 1 year ago

Please excuse my stupidity. What stands for MR? Meeting Request? (:

Vincent43 commented 1 year ago

Merge Request (a Pull Request in github terminology).

It's still to early for that - as I said I copied verbatim your ykfde-format command and it worked. I'm using latest commit from this project github and latest cryptsetup available on Arch.

We need something reproducible.

Could you test if running this test script works for you?

d066y50 commented 1 year ago

INFO: 'Manual mode with secret challenge (2FA)' is enabled. INFO: Testing 'ykfde-format' script.

YubiKey slot status 'ykinfo -q -2': 1 WARNING: This script will run 'cryptsetup luksFormat /dev/shm/ykfde-TVYQtd'. If this is not what you intended, please abort. Please provide the challenge. Enter challenge: 123456

Please repeat the challenge. Enter challenge: 123456 Running: 'ykchalresp -2 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92'... Remember to touch the device if necessary. Received response: 'ba6c08a717859011058008f79434e958a96f0870' Passing '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92ba6c08a717859011058008f79434e958a96f0870' to 'cryptsetup' New LUKS device successfully formatted Test 'ykfde-format' script successfully passed. INFO: Testing 'ykfde-enroll' script. WARNING: Device /dev/shm/ykfde-TVYQtd already contains a 'crypto_LUKS' superblock signature. INFO: Old LUKS passphrase is 'test'. INFO: Setting device to '/dev/shm/ykfde-TVYQtd'. INFO: Setting LUKS keyslot to '7'. INFO: Debugging enabled YubiKey slot status 'ykinfo -q -2': 1 WARNING: This script will utilize LUKS keyslot '7' on device '/dev/shm/ykfde-TVYQtd'. If this is not what you intended, please abort. Please provide the challenge. Enter challenge: test

Please repeat the challenge. Enter challenge: test Running: 'ykchalresp -2 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'... Remember to touch the device if necessary. Received response: '88d0e2c15c045e1b6de18438f9f4db2866f4679e' Please provide the old LUKS passphrase for the existing keyslot. Enter passphrase: test Passing '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a0888d0e2c15c045e1b6de18438f9f4db2866f4679e' to 'cryptsetup' Adding new LUKS passphrase with 'cryptsetup --key-slot=7 luksAddKey /dev/shm/ykfde-TVYQtd'... WARNING: The --key-slot parameter is used for new keyslot number. New LUKS passphrase successfully added Test 'ykfde-enroll' script successfully passed. INFO: Testing 'ykfde-open' script. INFO: Setting device to '/dev/shm/ykfde-TVYQtd'. INFO: Setting name to 'ykfde-test'. INFO: Debugging enabled YubiKey slot status 'ykinfo -q -2': 1 WARNING: This script will try to open the 'ykfde-test' LUKS encrypted volume on drive '/dev/shm/ykfde-TVYQtd' . If this is not what you intended, please abort. Please provide the challenge. Enter challenge: test Running: 'ykchalresp -2 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'... Remember to touch the device if necessary. Received response: '88d0e2c15c045e1b6de18438f9f4db2866f4679e' Passing '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a0888d0e2c15c045e1b6de18438f9f4db2866f4679e' to 'cryptsetup' Decrypting with 'cryptsetup luksOpen /dev/shm/ykfde-TVYQtd ykfde-test '... Device successfully opened as '/dev/mapper/ykfde-test' Test 'ykfde-open' script successfully passed. All tests successfully passed.

d066y50 commented 1 year ago

Hold on, ykfde-format is in my bin folder. So, I used the fixed binary. Do you want me to change it to its original state?

Vincent43 commented 1 year ago

Yes, please test with the original ykfde-format script.

d066y50 commented 1 year ago

here you go with the original file:

INFO: 'Manual mode with secret challenge (2FA)' is enabled. INFO: Testing 'ykfde-format' script.

YubiKey slot status 'ykinfo -q -2': 1 WARNING: This script will run 'cryptsetup luksFormat /dev/shm/ykfde-YA5rch'. If this is not what you intended, please abort. Please provide the challenge. Enter challenge: 123456

Please repeat the challenge. Enter challenge: 123456 Running: 'ykchalresp -2 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92'... Remember to touch the device if necessary. Received response: 'ba6c08a717859011058008f79434e958a96f0870' Passing '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92ba6c08a717859011058008f79434e958a96f0870' to 'cryptsetup' New LUKS device successfully formatted Test 'ykfde-format' script successfully passed. INFO: Testing 'ykfde-enroll' script. WARNING: Device /dev/shm/ykfde-YA5rch already contains a 'crypto_LUKS' superblock signature. INFO: Old LUKS passphrase is 'test'. INFO: Setting device to '/dev/shm/ykfde-YA5rch'. INFO: Setting LUKS keyslot to '7'. INFO: Debugging enabled YubiKey slot status 'ykinfo -q -2': 1 WARNING: This script will utilize LUKS keyslot '7' on device '/dev/shm/ykfde-YA5rch'. If this is not what you intended, please abort. Please provide the challenge. Enter challenge: test

Please repeat the challenge. Enter challenge: test Running: 'ykchalresp -2 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'... Remember to touch the device if necessary. Received response: '88d0e2c15c045e1b6de18438f9f4db2866f4679e' Please provide the old LUKS passphrase for the existing keyslot. Enter passphrase: test Passing '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a0888d0e2c15c045e1b6de18438f9f4db2866f4679e' to 'cryptsetup' Adding new LUKS passphrase with 'cryptsetup --key-slot=7 luksAddKey /dev/shm/ykfde-YA5rch'... WARNING: The --key-slot parameter is used for new keyslot number. New LUKS passphrase successfully added Test 'ykfde-enroll' script successfully passed. INFO: Testing 'ykfde-open' script. INFO: Setting device to '/dev/shm/ykfde-YA5rch'. INFO: Setting name to 'ykfde-test'. INFO: Debugging enabled YubiKey slot status 'ykinfo -q -2': 1 WARNING: This script will try to open the 'ykfde-test' LUKS encrypted volume on drive '/dev/shm/ykfde-YA5rch' . If this is not what you intended, please abort. Please provide the challenge. Enter challenge: test Running: 'ykchalresp -2 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'... Remember to touch the device if necessary. Received response: '88d0e2c15c045e1b6de18438f9f4db2866f4679e' Passing '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a0888d0e2c15c045e1b6de18438f9f4db2866f4679e' to 'cryptsetup' Decrypting with 'cryptsetup luksOpen /dev/shm/ykfde-YA5rch ykfde-test '... Device successfully opened as '/dev/mapper/ykfde-test' Test 'ykfde-open' script successfully passed. All tests successfully passed.

Vincent43 commented 1 year ago

So everything looks good and there isn't Invalid numeric value error from cryptsetup. I don't see other explanation than typo in your command.

Did you tried ykfde-format with different opts? i.e.

ykfde-format --key-size 512 <foo>
ykfde-format --type luks2 <foo>
d066y50 commented 1 year ago

No, I didn`t try.

However, I still insist there was no typo because I used the command from my installation cheatsheet (copy-paste). How it worked after changing the script if there was a typo?

Only the difference; I was getting this error while installing Arch by installation medium. But I tried your test script post-installation.

I am posting the same command by the same way: ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 /dev/nvme0n1p4

Anyways, possibly my bad. Sorry for the inconvenience.

Vincent43 commented 1 year ago

You may copied some trailing newline alongside the text and the actual command passed to cryptsetup was different than what was expected.

You can see there is strange command leak close to end of your first log which shouldn't be there:

--cipher
aes-xts-plain64
--key-size
512
--hash
sha256
--iter-time
5000
--type
luks2
/dev/nvme0n1p4

If you try your initial command post-installation then does it still fail?

d066y50 commented 1 year ago

Huh, I created a temp file as you did, then used the same command with the original file. It worked.

Again, sorry for the inconvenience.

Vincent43 commented 1 year ago

Ok, thx for testing.

Vincent43 commented 1 year ago

Here's the example how injecting unprintable newline character can break the command even when it looks legit in the WARNING log:

ykfde-format --cipher aes-xts-plain64 --key-size $'\n' 512 --hash sha256 --iter-time 5000 --type luks2 foo.luks
WARNING: This script will run 'cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 
 512 --hash sha256 --iter-time 5000 --type luks2 foo.luks'.  If this is not what you intended, please abort.
 > Please provide the challenge.
   Enter challenge: 
 > Please repeat the challenge.
   Enter challenge: 
   Remember to touch the device if necessary.
<...snip...>
cryptsetup: invalid numeric value
agherzan commented 1 year ago

Spot on, @Vincent43. The good old unprintable characters.

That aside, maybe we should be "fixing" that to have the expected and documented --key-file.

Vincent43 commented 1 year ago

The --key-file doesn't make difference for my example. I guess it didn't make the difference in the original problem just the executed command may be accidentally fixed at some point without noticing it.

agherzan commented 1 year ago

I didn't mean to say that this would particularly solve anything but it might be a bit more robust in the future as the tool evolves. Maybe - what do you think?

Vincent43 commented 1 year ago

I think both approaches should be equivalent yet since the current approach is bit simpler and was proven to work for years then I'm in favor of keeping it. There is always risk of regression when something changes.