# Weird Cryptsetup Behaviour: Cannot Enter Passphrase

## der bastler

Hello.

I am using a nearly fully encrypted (only /boot being unencrypted) Thinkpad without problems.

Now I have created a system for my new HP Mini netbook, using a similar structure.

The HDD is partitioned into /dev/sda1 holding /boot and /dev/sda2 representing a LUKS/dm-crypt partition with an LVM2 substructure. A custom initial ram disk unlocks /dev/sda2, activates all volumes on it, mounts the root file system and switches root.

Boot process:

1. kernel is loaded -- check

2. my InitRamFS (busybox-based) is loaded -- check

3. its init script is executed -- check

3.1 init script calls "cryptsetup luksOpen /dev/sda2 hdd-crypto"...

Cryptsetup's prompt appears and awaits my input. After the first keystroke the input is immediately processed. And because my passphrases are longer than one character, the input gets rejected and thus I am not able to enter the passphrase! 

What I don't understand is that the very same actions work flawlessly on my Thinkpad.

Can anybody help? Any similar experiences? Why does cryptsetup seem to accept only one character?

----------

## avx

Please paste the lines handling your cryptsetup-stuff. On another note, are all (virtual) devices available at the time needed, thinking about /dev/console?

----------

## der bastler

(If you wonder about the ctimes: I wrote a script to build the initial ram disk. This script gets executed from inside the new system (via chroot) and uses the new system's binaries.)

InitRamFS Structure:

```
drwxr-xr-x 2 root root 4096 24. Mär 23:31 bin
drwxr-xr-x 6 root root 4096 24. Mär 23:31 dev
drwxr-xr-x 4 root root 4096 24. Mär 23:31 etc
-rwxr-xr-x 1 root root 1739 24. Mär 23:31 init
drwxr-xr-x 3 root root 4096 24. Mär 23:31 lib
drwxr-xr-x 2 root root 4096 24. Mär 23:31 newroot
drwxr-xr-x 2 root root 4096 24. Mär 23:31 proc
drwxr-xr-x 2 root root 4096 24. Mär 23:31 root
drwxr-xr-x 2 root root 4096 24. Mär 23:31 sbin
drwxr-xr-x 2 root root 4096 24. Mär 23:31 sys
```

ls -l dev

```
crw-r--r-- 1 root root 5, 1 24. Mär 23:31 console
drwxr-xr-x 2 root root 4,0K 24. Mär 23:31 fb
drwxr-xr-x 2 root root 4,0K 24. Mär 23:31 mapper
crw-r--r-- 1 root root 1, 1 24. Mär 23:31 mem
drwxr-xr-x 2 root root 4,0K 24. Mär 23:31 misc
crw-r--r-- 1 root root 1, 3 24. Mär 23:31 null
crw-r--r-- 1 root root 1, 8 24. Mär 23:31 random
brw-r--r-- 1 root root 8, 0 24. Mär 23:31 sda
brw-r--r-- 1 root root 8, 1 24. Mär 23:31 sda1
brw-r--r-- 1 root root 8, 2 24. Mär 23:31 sda2
crw-r--r-- 1 root root 5, 0 24. Mär 23:31 tty
crw-r--r-- 1 root root 4, 0 24. Mär 23:31 tty0
crw-r--r-- 1 root root 4, 1 24. Mär 23:31 tty1
crw-r--r-- 1 root root 1, 9 24. Mär 23:31 urandom
drwxr-xr-x 2 root root 4,0K 24. Mär 23:31 vc
crw-r--r-- 1 root root 1, 5 24. Mär 23:31 zero
```

ls -l bin

```
-rwxr-xr-x 1 root root 1699376 24. Mär 16:51 busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 cat -> busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 echo -> busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 halt -> busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 mknod -> busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 mount -> busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 sed -> busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 sh -> busybox
lrwxrwxrwx 1 root root       7 24. Mär 23:31 sleep -> busybox
-rw-r--r-- 1 root root    1899 21. Mär 10:15 splash_functions.sh
lrwxrwxrwx 1 root root       7 24. Mär 23:31 switch_root -> busybox
-rwxr-xr-x 1 root root      17 24. Mär 23:31 udevadm
lrwxrwxrwx 1 root root       7 24. Mär 23:31 umount -> busybox
```

ldd cryptsetup

```
        not a dynamic executable
```

cryptsetup --version

```
cryptsetup 1.1.3
```

Keyboard layout is created via

```
busybox dumpkmap > etc/kmap-de
```

Head of kmap-de as hexdump:

```
00000000  62 6b 65 79 6d 61 70 01  01 01 00 01 01 01 00 01  |bkeymap.........|
00000010  01 01 00 01 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000100  00 00 00 00 00 00 00 00  02 1b 00 31 00 32 00 33  |...........1.2.3|
00000110  00 34 00 35 00 36 00 37  00 38 00 39 00 30 00 00  |.4.5.6.7.8.9.0..|
00000120  02 01 04 7f 00 09 00 71  0b 77 0b 65 0b 72 0b 74  |.......q.w.e.r.t|
00000130  0b 7a 0b 75 0b 69 0b 6f  0b 70 0b 00 02 2b 00 01  |.z.u.i.o.p...+..|
```

(Seems ok, qwertzuiop matches my keyboard layout.)

init

```
#!/bin/sh

PATH="/sbin:/bin"

rescue_shell() {
        echo ''
        echo "$1"
        echo 'Falling back to a shell...'
        echo ''
        busybox --install -s
        exec /bin/sh
}

# mount sys and proc filesystem, read kernel parameters and silence kernel
mount -t sysfs sysfs /sys
mount -t proc proc /proc
CMDLINE=$(cat /proc/cmdline)
echo 0 > /proc/sys/kernel/printk
sleep 1
loadkmap < /etc/kmap-de

# try to create mapper control device, specified under
# /sys/class/misc/device-mapper/dev
# if this fails, exit to rescue shell
mknod /dev/mapper/control c $(sed 's/\:/\ /' /sys/class/misc/device-mapper/dev) || rescue_shell "No device mapper available!"

# open encrypted drive
echo ''
echo '====== A U T H E N T I C A T I O N ======'
echo ''
cryptsetup luksOpen /dev/sda2 defiant-crypto || rescue_shell '====== A C C E S S === D E N I E D ======'
echo ''
echo '===== A C C E S S === G R A N T E D ====='
echo ''

# scan devices for volume groups and make swap volume available
# swap should be first mapper device after crypto volume
lvm.static vgscan   --ignorelockingfailure --mknodes    &> /dev/null
lvm.static vgchange --ignorelockingfailure -a y defiant &> /dev/null

# initialise framebuffer splash
. /bin/splash_functions.sh
splash init &> /dev/null

# try to resume on swap device (second mapper device after crypto volume)
echo 254:1 > /sys/power/resume

# mount new root file system (read only for fsck)
mount -o ro /dev/mapper/defiant-slash /newroot || rescue_shell "Mounting root failed!"

# unmount proc and sys filesystems and switch to new root filesystem
umount /sys
umount /proc
exec switch_root /newroot /sbin/init ${CMDLINE}
rescue_shell "Could not switch root filesystem!"
```

----------

## frostschutz

Do you have the single character issue also if you do not load the keymap?

(I usually just add another passphrase to luks that works with the same keys under the US layout, so I don't have to load a keymap in initramfs stage)

Also, you shouldn't have to create the control device yourself, cryptsetup takes care of that on its own
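
The keymap-free approach in the post above needs the string that the same physical keys produce when no German keymap is loaded. The following is an added example, not code from the thread or from cryptsetup; the key table (standard German QWERTZ versus US QWERTY legends) and the function names are assumptions made for illustration.

```python
import string

# Same physical key: German legend -> US legend (constructed from the standard layouts).
DE_KEYS = "yzYZß?´`üÜ+*öÖäÄ#'-_;:^°\"§&/()="
US_KEYS = "zyZY-_=+[{]};:'\"\\|/?<>`~@#^&*()"
DE_TO_US = str.maketrans(DE_KEYS, US_KEYS)

# Characters whose key carries the same legend on both layouts.
SAME_ON_BOTH = set(string.ascii_letters + string.digits + " !$%,.") - set("yzYZ")


def us_equivalent(passphrase_de: str) -> str:
    """Return what the same keystrokes yield while the default US keymap is active."""
    unsupported = sorted(
        {c for c in passphrase_de if c not in SAME_ON_BOTH and c not in DE_KEYS}
    )
    if unsupported:
        # AltGr combinations (@ { [ ] } \ ~) and the ISO <>| key have no
        # dependable counterpart without the keymap, so refuse instead of guessing.
        raise ValueError("no US-layout equivalent for: " + " ".join(unsupported))
    return passphrase_de.translate(DE_TO_US)


def layout_independent(passphrase: str) -> bool:
    """True if the passphrase types identically with and without the keymap."""
    return all(c in SAME_ON_BOTH for c in passphrase)


if __name__ == "__main__":
    sample = "Zürich-2011?"  # constructed sample, not a real passphrase
    print(us_equivalent(sample))
    print(layout_independent("correct horse 42"))
```

The returned string is the one to enrol as the additional passphrase (for example with `cryptsetup luksAddKey`), so that the prompt accepts the usual keystrokes before `loadkmap` has run.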

----------

## der bastler

 *frostschutz wrote:*   

> Do you have the single character issue also if you do not load the keymap?
> 
> (I usually just add another passphrase to luks that works with the same keys under the US layout, so I don't have to load a keymap in initramfs stage)
> 
> Also, you shouldn't have to create the control device yourself, cryptsetup takes care of that on its own

 

I already changed passphrases to simpler ones (fewer characters, less entropy), but that didn't fix it.

Commenting loadkmap out didn't fix it, either.

Next step in my analysis was to check my kernel config. Perhaps a problem with an input driver. Cross-checked it with the one of my working system, compiled and tried it, but to no avail.

I even inserted sleep commands to avoid race conditions. No success.

It is frustrating that I seem to be the only user with this problem.

Perhaps I have to double-check the compilation environment of cryptsetup. It relies on the function "read" from unistd.h. Perhaps that one was mixed up during compilation...

----------

## norg

 *der bastler wrote:*   

> Cryptsetup's prompt appears and awaits my input. After the first keystroke the input is immediately processed. And because my passphrases are longer than one character, the input gets rejected and thus I am not able to enter the passphrase! 

 

What is displayed then?

Do you have all necessary stuff in your kernel? I forgot once to activate <*>   Crypt Target Support and passphrase prompt came but couldn't be handled

----------

## der bastler

 *norg wrote:*   

>  *der bastler wrote:*   Cryptsetup's prompt appears and awaits my input. After the first keystroke the input is immediately processed. And because my passphrases are longer than one character, the input gets rejected and thus I am not able to enter the passphrase!  
> 
> What is displayed then?
> 
> Do you have all necessary stuff in your kernel? I forgot once to activate <*>   Crypt Target Support and passphrase prompt came but couldn't be handled 

 

Cryptsetup is compiled in, of course. It just displays

 *Quote:*   

> No key available with this passphrase.

 

As a workaround, I'll try to establish a usb key file infrastructure for my family...

----------

## norg

Check those two tutorials, maybe you missed something they did:

http://mzanfardino.wordpress.com/2008/10/23/installing-gentoo-with-root-encryption-notes/

http://www.seiichiro0185.org/linux:encryptedsystem

It sounds like you forgot something with the key missing

----------

## cach0rr0

Out of curiosity, does it successfully fall back to the rescue_shell?

And from there can you luksOpen and enter your passphrase and all of that?

NB: I was playing with this recently. You can actually omit those block and character devices from your initramfs if you build your kernel with devtmpfs support, and then inside 'init' mount the devtmpfs at /dev

Something like this:

```
/sbin:                     directory
./sbin/cryptsetup:          ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
./bin:                      directory
./bin/busybox:              ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
./mnt:                      directory
./mnt/root:                 directory
./dev:                      directory
./root:                     directory
./etc:                      directory
./lib:                      directory
./init:                     a /bin/busybox sh script text executable
./proc:                     directory
./sys:                      directory
```

and then this in the init (this is my actual init, with comments stripped - note the third line)

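```
#!/bin/busybox sh
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devtmpfs none /dev    # kernel-populated /dev, no static device nodes needed

# The function has to be defined before its first use further down,
# otherwise the shell reports "rescue_shell: not found".
rescue_shell() {
        echo "Something went wrong. Dropping you to a shell."
        busybox --install -s
        exec /bin/sh
}

# -T 5: allow up to five passphrase attempts
cryptsetup -T 5 luksOpen /dev/sda2 root
mount -o ro /dev/mapper/root /mnt/root || rescue_shell

umount /proc
umount /sys
umount /dev
exec switch_root /mnt/root /sbin/init
```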

----------

## der bastler

 *norg wrote:*   

> It sounds like you forgot something with the key missing 

 

Well, the system is properly installed, using System-Rescue-CD-on-usb. I can luksOpen and mount my root file system when booting from SysRescCD. But in my InitRamFS, when I type the first passphrase character, cryptsetup stops reading the passphrase and of course does not recognize the one character passphrase.

After three tries I am dropped to the rescue shell as intended by my init script. From there I can try another cryptsetup luksOpen -- same result, after one keystroke the passphrase is checked and again it fails.

----------

## norg

Can you post your kernel .config? (with pastebin)

How do you create your initramfs?

----------

## avx

Don't really think it'll help, but have you/can you try with an earlier version of cryptsetup?

----------

## der bastler

Although I recompiled the whole system the problem persists.

I switched to a keyfile based authentication system as a workaround.

----------

