killSlot batch mode flag is failing when called via systemd
Dear cryptsetup maintainers,
I can verify that the following is working under Debian Jessie with cryptsetup v=1.6.6, but not anymore with v=1.7.3-4.
My minimal unit-file looks like:
/etc/systemd/system/luksKillSlot.service
[Unit]
Description=luksKillSlot batch mode
[Service]
Type=oneshot
ExecStart=/sbin/cryptsetup --debug luksKillSlot -q /dev/MYLUKSDEVICE 7
Commands for getting to the log:
systemctl daemon-reload
systemctl start luksKillSlot.service
journalctl -u luksKillSlot.service
Output 1.7.3 when called from systemd service (putting the ExecStart call into a separate Bash script gives the same):
# cryptsetup 1.7.3 processing "cryptsetup --debug luksKillSlot -q /dev/MYLUKSDEVICE 7"
# Running command luksKillSlot.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device /dev/MYLUKSDEVICE context.
# Trying to open and read device /dev/MYLUKSDEVICE with direct-io.
# Initialising device-mapper backend library.
# Timeout set to 0 miliseconds.
# Trying to load LUKS1 crypt type from device /dev/MYLUKSDEVICE.
# Crypto backend (gcrypt 1.7.6-beta) initialized in cryptsetup library version 1.7.3.
# Detected kernel Linux 4.9.0-3-amd64 x86_64.
# Reading LUKS header of size 1024 from device /dev/MYLUKSDEVICE
# Key length 64, device size 33050624 sectors, header size 4036 sectors.
Key slot 7 selected for deletion.
# STDIN descriptor passphrase entry requested.
# Nothing read on input.
# Releasing crypt device /dev/MYLUKSDEVICE context.
# Releasing device-mapper backend.
# Unlocking memory.
Output 1.7.3 when called from interactive bash:
[...]
Key slot 7 selected for deletion.
# Destroying keyslot 7.
# Reading LUKS header of size 1024 from device /dev/MYLUKSDEVICE
# Key length 64, device size 33050624 sectors, header size 4036 sectors.
# Key slot 7 was disabled in LUKS header.
# Rotational device, using normal wipe mode.
# Updating LUKS header of size 1024 on device /dev/MYLUKSDEVICE
# Key length 64, device size 33050624 sectors, header size 4036 sectors.
# Reading LUKS header of size 1024 from device /dev/MYLUKSDEVICE
# Key length 64, device size 33050624 sectors, header size 4036 sectors.
# Releasing crypt device /dev/MYLUKSDEVICE context.
# Releasing device-mapper backend.
# Unlocking memory.
Command successful.
Diff between both:
16,24c16,17
< # Destroying keyslot 7.
< # Reading LUKS header of size 1024 from device /dev/MYLUKSDEVICE
< # Key length 64, device size 33050624 sectors, header size 4036 sectors.
< # Key slot 7 was disabled in LUKS header.
< # Rotational device, using normal wipe mode.
< # Updating LUKS header of size 1024 on device /dev/MYLUKSDEVICE
< # Key length 64, device size 33050624 sectors, header size 4036 sectors.
< # Reading LUKS header of size 1024 from device /dev/MYLUKSDEVICE
< # Key length 64, device size 33050624 sectors, header size 4036 sectors.
---
> # STDIN descriptor passphrase entry requested.
> # Nothing read on input.
28d20
< Command successful.
I don't have output for v=1.6.6 right now, but as far as I remember it is the same as my CLI output in v=1.7.3. I can hand in the output later if necessary. Also, if requested, I can try verifying with the latest master branch, but I think the issue is caused by a change introduced in 1.7.1:
- The luksKillSlot command now does not suppress provided password in batch mode (if password is wrong slot is not destroyed). Note that not providing password in batch mode means that keyslot is destroyed unconditionally.
Any feedback regarding how to resolve this issue is welcome.
Thank you.
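
A check that an automated key-revocation job could run over the journal output, as an added example that is not part of the original report or of cryptsetup: it classifies a --debug log using only the marker lines quoted in the two outputs above, so a run where the slot was never destroyed is not mistaken for a successful revocation. The function name and the sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original report.
# classify_killslot_log SLOT: read `cryptsetup --debug luksKillSlot` output
# on stdin and print one verdict:
#   destroyed    the "was disabled in LUKS header" line for SLOT is present
#   stdin-empty  a passphrase was requested on stdin and nothing was read
#                (the systemd case in the report); the slot is still active
#   unknown      neither marker found; treat the revocation as not done
classify_killslot_log() {
    slot=$1
    log=$(cat)
    if printf '%s\n' "$log" |
        grep -qF -- "Key slot $slot was disabled in LUKS header"; then
        echo destroyed
    elif printf '%s\n' "$log" |
            grep -qF -- "STDIN descriptor passphrase entry requested" &&
         printf '%s\n' "$log" | grep -qF -- "Nothing read on input"; then
        echo stdin-empty
    else
        echo unknown
    fi
}

# Sample logs, constructed from the lines quoted in the report.
SYSTEMD_LOG='# Running command luksKillSlot.
Key slot 7 selected for deletion.
# STDIN descriptor passphrase entry requested.
# Nothing read on input.
# Releasing crypt device /dev/MYLUKSDEVICE context.'

INTERACTIVE_LOG='Key slot 7 selected for deletion.
# Destroying keyslot 7.
# Key slot 7 was disabled in LUKS header.
Command successful.'

echo "systemd run:     $(printf '%s\n' "$SYSTEMD_LOG" | classify_killslot_log 7)"
echo "interactive run: $(printf '%s\n' "$INTERACTIVE_LOG" | classify_killslot_log 7)"
```

Against a live unit, the same function can be fed from journalctl -u luksKillSlot.service, provided the service keeps the --debug flag shown in the unit file.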