Re: LUKS encryption help
On Mon 11 Oct 2021 at 12:43:21 (-0700), David Christensen wrote:
> On 10/11/21 05:50, detrito@tuta.io wrote:
> > Hello friends, I'm sending this last email to inform you that I have given up on trying to recover the contents of my external hard drive and that I formatted it.
>
> I hope you have implemented backup procedures, to prevent losing data
> in the future.
>
> > Thank you to every single one of you who spared their time to try and help me.

A pity that it's reformatted; I would have liked to know more about
the circumstances of the unlocking attempts.

> > On one last note, I should draw attention to what seemed to be a bug on the boot screen that asked for my LUKS password: It considered backspaces as a normal character.

What do you mean by a "normal character"? AFAIK you can't put
backspaces into a passphrase, and it would be ill-advised to type
any backspaces when /setting/ a new passphrase: better to Ctrl-C
out of setting it, or type some garbage to make it so that the
verification deliberately fails and you can start over.
When you're typing the /old/ passphrase, then backspace should erase
the previous character as usual, and an excessive number of them
should be ignored.

> > I type my password and it shows an asterisk on the screen for every character I type - instead of deleting the asterisk, the backspace key created one more asterisk each time I pressed it.

There are arguments both ways: reflecting an asterisk indicates that
the key was successfully depressed, whereas erasing an asterisk
allows you to count how far through the passphrase you have typed.
Because of a previous problem¹ I had with stretch on a Lenovo laptop,
I haven't configured my encrypted devices to unlock in the manner
where asterisks are printed. So I can't tell whether it's possible,
as you get asterisks printed, whether there's a possibility that the
backspace key is not doing something unexpected under the exact
circumstances. (I'm recalling the ambiguity of the Backspace and
Delete keys, and whether they emitted ^H, ^?, or escape sequences.)

> When I boot my Debian machines with LUKS encrypted root filesystems, I
> see a bunch of time-stamped bootloader messages followed by the
> prompt:
>
> Please unlock disk sda3_crypt:
>
> When I type on the keyboard, nothing is echoed to the screen.

IIRC that's the prompt I saw when I recently tried out a
root-encrypted installation in order to see how Grub boots it.
And I don't recall asterisks. However, it's not clear to me
what the OP means by "boot screen". If you specify partitions
to be unlocked by passphrase in /etc/crypttab, then part-way
through booting, you get a more fulsome prompt:

    Please enter passphrase for disk PARTLABEL (LABEL) on MOUNTPOINT

with relevant substitutions. This dialogue uses asterisks.
If it hadn't, I could have suffered similar consequences to the
OP, as the asterisks were the only reason I knew that there was
a "ghost in the machine".
Nowadays, I only use /etc/crypttab to configure my randomly
encrypted swap partition, so no prompt at all. I explicitly
unlock /home later, mainly because I can then wake machines
up and unlock them remotely. As in your case, udisksctl is
asterisk-less during typing, and it's also terse enough for
me to prefix my own prompt about what exactly I am unlocking.

¹ https://lists.debian.org/debian-user/2018/03/msg01030.html

Cheers,
David.
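
The line editing discussed in this message (Backspace erases the previous character, excess backspaces are ignored, and the key may arrive as ^H or ^?), modelled as an added example that is not part of the original post and is not code from cryptsetup or any Debian prompt. The function names and the sample keystrokes are constructed for illustration; the model assumes every stored byte is echoed as one asterisk.

```python
# Added illustration; hypothetical names, not cryptsetup or askpass code.
BS, DEL = 0x08, 0x7F  # ^H and ^?: the two bytes a Backspace key commonly sends


def read_passphrase(keys: bytes, erase=frozenset({BS, DEL})):
    """Apply prompt-style line editing to raw key bytes.

    Returns (passphrase, asterisks): the bytes that would be handed to the
    key-derivation step, and the number of asterisks left on screen.
    Bytes in `erase` delete the previous character; extra erases on an
    empty buffer are ignored. Any other byte, control bytes included, is
    stored and counted as one asterisk.
    """
    buf = bytearray()
    for b in keys:
        if b in (0x0A, 0x0D):  # Enter ends input
            break
        if b in erase:
            if buf:            # excess backspaces are ignored
                buf.pop()
            continue
        buf.append(b)
    return bytes(buf), len(buf)


def control_bytes(passphrase: bytes):
    """Offsets of non-printable bytes: a key that was stored, not acted on."""
    return [i for i, b in enumerate(passphrase) if b < 0x20 or b == 0x7F]


# Constructed keystrokes: type "secrex", press Backspace, type "t", Enter.
typed_del = b"secrex" + bytes([DEL]) + b"t\n"  # keyboard sends ^?
typed_bs = b"secrex" + bytes([BS]) + b"t\n"    # keyboard sends ^H

if __name__ == "__main__":
    for label, keys in (("^?", typed_del), ("^H", typed_bs)):
        for erase in (frozenset({BS, DEL}), frozenset({DEL})):
            pw, stars = read_passphrase(keys, erase)
            print(label, sorted(erase), pw, stars, control_bytes(pw))
```

In this model, a reader that recognises only ^? while the keyboard sends ^H keeps the byte in the passphrase and shows one more asterisk for it, so the derived key differs from the one obtained when the same keys are typed at a prompt that erases.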