On 07/28/2012 12:58 PM, Heiko Baums wrote:
On Sat, 28 Jul 2012 19:44:01 +0200, Christoph Vigano <mail@cvigano.de> wrote:
According to crypttab(5): "size= Specifies the key size in bits; see cryptsetup(8) for possible values and the default value of this option."
As it is custom in cryptography, key sizes are given in bits, like RSA 4096 which means the key is 512 bytes long.
If your former size argument was given in bytes, convert that number to bits and try again.
Btw., I read over it, you mentioned man cryptsetup. I guess you're mixing up two different things. The cryptsetup parameter size is something completely different and has nothing to do with the key size and with this issue.
We're talking here about the key size, that is how many bits or bytes have to be read raw from a USB stick. So we're talking here about the dd parameters skip and count.
Heiko
This is really annoying, but the original Debian format for crypttab uses "size" to correspond to --keyfile-size. It would be nice if systemd changed this so all of the options correspond one-to-one. To make matters worse, the variable name in the source code of sysd that stores this param is called "key_size," which is an entirely different option to cryptsetup altogether!

For the legacy format of <dev>:<offset>:<length> the corresponding options are --keyfile-offset and --keyfile-size, so in crypttab you want keyfile-offset=<bytes>,size=<bytes>.

In summary all of these options are:

--keyfile-offset, keyfile-offset=
    Number of bytes to skip before reading from key-file

--keyfile-size, size=
    Number of bytes to read from key-file

--size, (not available in crypttab)
    The number of 512-byte sectors of the mapped block device, defaults to all available space from the underlying device, and does not apply to mapping a LUKS volume.

--offset, (not available in crypttab)
    Similar to --size, number of 512-byte sectors to skip from the underlying block device before mapping. There is also --skip which is similar but has some subtle differences.

--key-size, (not available in crypttab)
    Number of bits -- must be a multiple of 8 -- of the internal key used for the cipher

Stream-of-consciousness... it looks like systemd-cryptsetup might use size= for both --key-size and --keyfile-size. I'm currently trying to figure out what the difference between crypt_activate_by_volume_key() and crypt_activate_by_keyfile() is. IIRC the former might be for reading from stdin, which is handled differently than reading a file or a password interactively.