unable to unlock disks #20

Open
chmol opened this issue Sep 3, 2018 · 22 comments

Comments

@chmol

chmol commented Sep 3, 2018

Hello,

I've got a stressful problem with my encryption through this plugin.

I created a full-disk encryption for my drives and everything is running fine. But I was bored of entering the password through the GUI and wanted to do it through SSH. I realised none of these commands worked:

cryptsetup open /dev/sdd sdd-crypt
sudo cryptsetup luksOpen /dev/sdd sdd-crypt

Maybe a key problem: adding a new key through the GUI creates this issue, similar to ml1950. My pass is made of 45 random chars using all sorts of special ones.


    Unable to add the key to the encrypted device: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; /bin/bash -c 'echo -n '>[' | cryptsetup luksAddKey -q '/dev/sdd' <(echo -n 'haha')' 2>&1' with exit code '2':
    Error #0: exception 'OMV\Exception' with message 'Unable to add the key to the encrypted device: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; /bin/bash -c 'echo -n '>[' | cryptsetup luksAddKey -q '/dev/sdd' <(echo -n 'haha')' 2>&1' with exit code '2': ' in /usr/share/openmediavault/engined/rpc/luks.inc:530 Stack trace: #0 [internal function]: OMVRpcServiceLuksMgmt->addContainerKey(Array, Array) #1 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array) #2 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('addContainerKey', Array, Array) #3 /usr/sbin/omv-engined(536): OMV\Rpc\Rpc::call('LuksMgmt', 'addContainerKey', Array, Array, 1) #4 {main}

So my question is:

What is my password? Apparently it was never registered as I saved it, probably because of special characters in it (or maybe I got the wrong command). How can I unlock those drives through the CLI and add a new key via CLI or GUI?

Thanks in advance

@subzero79

If the drives are unlockable via the GUI, you can try in terminal first.

monit stop openmediavault-engined
omv-engined -d -f

Then go to the ui and unlock the drive, the password should be in clear text in the console that the backend is applying to unlock the drives.
What version of omv and the plugin?

@chmol
Author

chmol commented Sep 4, 2018

Hi,

Thanks for your answer. I can unlock via the gui.

Apparently I'm not using the version of OMV that you expected, as I get this error:

monit stop openmediavault-engined
Action failed -- There is no service by that name
  • OMV-luksencryption 3.0.3
  • openmediavault 3.0.99
  • Linux 4.9.0-0.bpo.3-amd64 #1 SMP Debian 4.9.30-2+deb9u5~bpo8+1 (2017-09-28) x86_64 GNU/Linux

@subzero79

Sorry, it is

monit stop omv-engined

@chmol
Author

chmol commented Sep 5, 2018

Thanks,

I was able to get a password this way:

Executing RPC (service=LuksMgmt, method=openContainer, params={"passphrase":"_somepass_","uuid":"uuid","devicefile":"\/dev\/sda"}, context={"username":"admin","role":1}) ...

The "problem" in somepass seems to be that all the \ and / are escaped compared to my original password. However, when I try to use this in the GUI to add a new key or to unlock with the CLI, the problem persists.

@subzero79

So your pass phrase contains slashes and backslashes?

I'll try to reproduce it in 3.x and 4.x. But to be honest it is unlikely we will push a fix for 3.x because it is EOL.

@chmol
Author

chmol commented Sep 6, 2018

Yes it does contain them. I'm not going to publish it here but you can assume it contains all the special characters one might encounter; I just generated one long passphrase with KeePass.

It is pretty problematic and a warning/solution should be shown to users before a fix is pushed. If not backward-compatible it will make data unrecoverable.

@subzero79

I can reproduce the problem, but only with very large passwords. Cryptsetup (I know now) has a hardcoded limit of 512 characters for interactive passwords.

Is your password longer than that?

Other tests using strings with slashes and other characters show me no problem between console and UI.

What is not clear is what happens when you format with a longer password: does cryptsetup just cut the string at 512?

As for using keyfiles, I know there was an issue but I pushed a fix for that a long time ago for 4.x.

@chmol
Author

chmol commented Sep 6, 2018

The password is around 60 char, nothing crazy like 512.

List of special chars used by KeePass, if that's of any help.

!"#$%&'()*+,-./:;<=>?@[]^_`{|}~

I created the volumes a year ago, so that might have been fixed meanwhile?

Do you have any solution to get the "true" password? Or should I find a way to backup my data and reformat the drives?

@ryecoaaron
Member

No, you can't get the luks password. No need to reformat either. Just set a different password or use a file in a different slot then delete the slot with the strange password.

If you really want to use such a complex password, why not use a file?

@chmol
Author

chmol commented Sep 6, 2018

Unless I'm mistaken I cannot do that: on the CLI I can't add a new passphrase slot without knowing the previous one. And on the GUI I get the above-mentioned error:

Unable to add the key to the encrypted device: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; /bin/bash -c 'echo -n '_mypassword_' | cryptsetup luksAddKey -q '/dev/sda' <(echo -n '_hahadontwork_')' 2>&1' with exit code '2':

60 chars is not "complex" and I decided not to use a file because it would mean having the passphrase unencrypted on some drive at some point. I would rather have everything in a password manager.

@subzero79

Before attempting a 512+ char string I did try a 32 char string with several non-alpha chars and it worked. I'll try later on with 60 chars and those characters you're mentioning here.

If I am not mistaken you should be able to add another simple passphrase in the UI, then with that passphrase add a key file in the CLI.
In total you should have 3 slots used.

There was a bug with the key files in the plugin, @ryecoaaron do you know if that was documented in the forum or here ?

@ryecoaaron
Member

@chmol I'm not sure how you think a 60 char password with lots of special symbols is not a complex password... The reason I mentioned using a file was because you said you could back up your data. You have no way to back up your data if you can't unlock the device.

@subzero79 I don't remember where it was. I think if you used a password for the main slot and then tried to add a key file, it had a problem. If you add the key file first, then you were ok. You fixed that though.

@subzero79

subzero79 commented Sep 7, 2018

I grabbed all those characters, smashed the keyboard for some random alphanumeric characters, added it through the UI, then unlocked it interactively with the terminal, no issue.

!"#$%&q4fcj3twerugsrd'(fadsfradsf)g*+,-rfgwrtgret./gretg:;<=>rgreqtgtr?@[]gtr^_`{|}

However, if you attempt to unlock in the CLI via stdin, the single quote in the middle escapes, so I have to double-wrap it, like this:

echo -n '!"#$%&q4fcj3twerugsrd'"'"'(fadsfradsf)g*+,-rfgwrtgret./gretg:;<=>rgreqtgtr?@[]gtr^_`{|}'  | cryptsetup luksOpen /dev/sdb sdb-crypt

I don't know why it doesn't complain when executing this command in the backend.

@chmol
Author

chmol commented Sep 8, 2018

@ryecoaaron I can unlock the device but only through the GUI, where some magical black-box transformation happened. So backup is not a problem per se, I just don't have the space to do so on other drives. The real issue is long-term: I have no idea what the passphrase is and any update in the plugin might render the current situation invalid. Moreover, I might not be the only user experiencing this.

@subzero79 I tried escaping in stdin and "regular" mode. No luck. I can still perfectly unlock via the GUI. I'll be AFK for a few weeks but I hope you will still be available to help after. Thanks for the time you took on this.

@ryecoaaron
Member

@chmol if you can unlock the device from the web interface, you must know the passphrase and you can add another passphrase in another slot. Then you can delete the passphrase in the first slot with the new passphrase. As for "fixing" the plugin so you can use it from the command line, I don't think the plugin is the problem. It properly escapes all characters and this can be difficult to do from the command line.

@chmol
Author

chmol commented Sep 8, 2018

I'm sorry, it doesn't work, see: #20 (comment)

@subzero79

subzero79 commented Sep 9, 2018

@chmol try this

nano +458 /usr/share/php/openmediavault/system/storage/luks/container.inc

before $process = new Process($cmd);, add this

print($cmd);

Now run again omv-engined -d -f

You should see the exact command using echo that the backend is using to unlock and decrypt the drive; if there are single quotes inside the password they will get escaped by the PHP Process class, I believe.

This is what i saw using the password i mentioned above

[screenshot: photo_2018-09-09_11-25-57]

Notice how the single quote gets escaped differently from what I did before.
Now you can try that command in the terminal to unlock your disk (stdin method), it should work. But I still don't know why it doesn't work interactively; it shouldn't be necessary to escape characters when using luksOpen interactively.

@subzero79

After you have working command, you can add a keyfile in terminal to a second slot.
Once the keyfile has been added to the drive you can add a password interactively (not via the GUI) in a third slot. To avoid problems don't use single quotes, double quotes or the dollar sign char, but that shouldn't be a problem, at least not in the passphrase prompt in the terminal.
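The stdin/keyfile route described in the two comments above, written out as an added example (not the plugin's code and not posted by anyone in this thread). The passphrase is never spliced into a command string: it stays in a shell variable and is streamed to cryptsetup with printf '%s' and --key-file=-. The measurable helpers pipe into wc/cat instead of cryptsetup so the script runs without a LUKS device; the cryptsetup wrappers at the end assume a device, keyfile path and slot number of your choosing and are not executed by the script. Two caveats a practitioner wants: with --key-file a trailing newline from a bare echo becomes part of the key, and using the passphrase as a printf format string rather than as an argument eats % sequences (a general shell pitfall shown for illustration, not a claim about what the plugin does).

```shell
#!/bin/sh
# Added example, not code from the openmediavault LUKS plugin.
# Goal: hand a passphrase with arbitrary characters to cryptsetup from a
# script without building a command string around it.  The passphrase
# lives in a variable and reaches cryptsetup as raw bytes on stdin.

# --- measurable helpers (wc/cat stand in for cryptsetup) ----------------

# Bytes cryptsetup would receive via --key-file=- when the passphrase is
# written with printf '%s': exactly the passphrase, no newline appended.
key_bytes_printf() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# Same, but written with a bare echo: the trailing newline is included,
# and with --key-file that newline is part of the key, so this tries a
# different key than the one typed at the interactive prompt.
key_bytes_echo() {
    echo "$1" | wc -c | tr -d ' '
}

# Pitfall: using the passphrase AS the printf format instead of as an
# argument.  A '%' sequence is interpreted, not copied.
format_misuse() {
    printf "$1" 2>/dev/null
}

# Correct: '%s' is the format and the passphrase is the argument, so
# every byte (including % and \) is copied verbatim.
format_safe() {
    printf '%s' "$1"
}

# --- real cryptsetup wrappers (assumed names; not run by this script) ---
# $LUKS_PASS is read from the environment or a prompt, never from argv,
# so it does not show up in `ps` output.

# Verify the passphrase opens a keyslot without mapping the device.
luks_test() {
    dev=$1
    printf '%s' "$LUKS_PASS" | cryptsetup open --test-passphrase --key-file=- "$dev"
}

# Map the device under a name (same bytes as the interactive prompt,
# and not subject to the prompt's length limit).
luks_open() {
    dev=$1; name=$2
    printf '%s' "$LUKS_PASS" | cryptsetup open --key-file=- "$dev" "$name"
}

# Rotation once luks_test succeeds: add a keyfile slot authorised by the
# working passphrase, add a fresh passphrase slot authorised by the
# keyfile (prompted interactively), then remove the slot holding the
# troublesome passphrase.  Check slot numbers with `cryptsetup luksDump`.
luks_rotate() {
    dev=$1; keyfile=$2; old_slot=$3
    printf '%s' "$LUKS_PASS" | cryptsetup luksAddKey --key-file=- "$dev" "$keyfile" &&
    cryptsetup luksAddKey --key-file="$keyfile" "$dev" &&
    cryptsetup luksKillSlot --key-file="$keyfile" "$dev" "$old_slot"
}
```

Usage: `LUKS_PASS='...' sh -c '. ./luks-helpers.sh; luks_test /dev/sdX'` with the passphrase pasted from a password manager into the single-quoted assignment (a single quote inside it still needs the '\'' form at that one point). Run luks_rotate only after luks_test succeeds, and keep the keyfile on encrypted storage or delete it once the new passphrase slot works.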

@chmol
Author

chmol commented Sep 29, 2018

Hello,
I'm really sorry to write down that I cannot make it work as well.

I've just copy-pasted the command shown in the omv-engined output:

echo -n 'password' | cryptsetup luksOpen '/dev/sdc' 'sdc'-crypt

or

echo -n 'password' | cryptsetup luksOpen '/dev/sdc' 'sdc'-crypt --key-file=/dev/stdin

Both fail :/

ps: nice editor trick to add +linenumber :)

@Th0maz

Th0maz commented Jan 7, 2019

Hello,

same problem here. My password contains the % character, which might cause a problem.
Let's say the password is My%Password

I set the password using the Web UI when encrypting the disk and I can unlock the encryption successfully using the Web UI.

I got the command printed during unlock as described in subzero79's comment and the password is shown there as expected (My%Password).

But when I use the TEST or ADD KEY functionality in the encryption UI, I get something like:
Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; /bin/bash -c 'echo -n 'Myassword' | cryptsetup luksOpen -v --test-passphrase '/dev/sda' --key-file=-' 2>&1' with exit code '2': No key available with this passphrase. Command failed with code 1: Operation not permitted

The % character and the next character are missing: My%Password --> Myassword
I can't test, change or add an encryption key using the Web UI :(

@chmol
Author

chmol commented Apr 8, 2019

This is not a trivial bug, people; you should remove this plugin from the repo until fixed as it might lead to lost data...

@ryecoaaron
Member

@chmol simmer down. More people would lose data without the plugin since they don't know how to use cryptsetup.

And still wondering what/how to fix. Single and double quotes generate an error in the web interface. So, a key is not added. Percent is working in my tests. $ works but since anything after the $ evaluates as an environment variable (most likely empty string), your password is whatever is before the $ sign.

I guess I could restrict allowing a $ in the password.
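To make the $ and quote behaviour concrete, here is an added example (not from the plugin or from any participant in this thread) that builds a command string the way the error messages quoted above show it, nested single quotes around the raw passphrase, and compares it with a helper that quotes at every nesting level. `sh -c` stands in for the backend's `/bin/bash -c` and `cat` stands in for `cryptsetup luksOpen ... --key-file=-`, so it runs without root or a LUKS device.

```shell
#!/bin/sh
# Added example, not the plugin's code.  Shows what happens when a raw
# passphrase is spliced into a shell command string, and how to quote it
# so the bytes survive.  `sh -c` stands in for the backend's /bin/bash -c
# and `cat` stands in for `cryptsetup luksOpen ... --key-file=-`.

# shquote STRING: single-quote STRING for one round of shell parsing.
# Inside single quotes only ' is special, so each ' becomes '\''
# (close quote, escaped quote, reopen quote).  POSIX sed, no bash-isms.
# Note: command substitution drops trailing newlines from STRING.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# naive_roundtrip PASSPHRASE: build the command the way the error
# messages in this thread show it, nested single quotes around the raw
# passphrase, and return what the consumer received.  The inner quotes
# terminate the outer ones, so the passphrase is parsed UNQUOTED by the
# outer shell: $name expands, a lone ' is a syntax error, and ` or $( )
# would execute.
naive_roundtrip() {
    cmd="sh -c 'printf %s '$1' | cat'"
    sh -c "$cmd" 2>/dev/null
}

# safe_roundtrip PASSPHRASE: quote once for the inner shell, then quote
# the whole inner command again for the outer shell.  Each layer of
# shell parsing undoes exactly one layer of quoting.
safe_roundtrip() {
    inner="printf '%s' $(shquote "$1") | cat"
    cmd="sh -c $(shquote "$inner")"
    sh -c "$cmd" 2>/dev/null
}
```

The naive form reproduces the two symptoms reported here: `pa$sword` arrives as `pa` because the outer shell expanded `$sword` to nothing, and `it's` produces no key at all because the stray quote is a parse error. The only robust fix when a command string must be built is to quote for every shell that will parse it; better still is to avoid the string entirely and pipe the bytes to `--key-file=-` as in the earlier example.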
