I'm trying to follow the documentation on how to pass a key to LUKSv2 via the kernel key ring: https://fossies.org/linux/cryptsetup/docs/Keyring.txt

This does not work for me at all:

# dd if=/dev/zero of=xyz bs=1M count=512
512+0 records in
512+0 records out
536870912 bytes (537 MB, 512 MiB) copied, 0,173054 s, 3,1 GB/s

# losetup /dev/loop18 xyz

# cryptsetup luksFormat /dev/loop18

WARNING!
========
This will overwrite data on /dev/loop18 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/loop18: x
Verify passphrase: x

# cryptsetup token add --key-description my:key -S 0 /dev/loop18

# read -s -p "Keyslot passphrase: "; echo -n $REPLY | keyctl padd user my:key @u
Keyslot passphrase: x
164227867

# keyctl show @u
Keyring
 235516797 --alswrv      0 65534  keyring: _uid.0
 164227867 --alswrv      0     0   \_ user: my:key

# cryptsetup open /dev/loop18 my_unlocked_device --debug
# cryptsetup 2.5.0 processing "cryptsetup open /dev/loop18 my_unlocked_device --debug"
# Verifying parameters for command open.
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/loop18.
# Trying to open and read device /dev/loop18 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/loop18.
# Crypto backend (OpenSSL 3.0.5 5 Jul 2022 [default][legacy]) initialized in cryptsetup library version 2.5.0.
# Detected kernel Linux 5.17.5-051705-generic x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/loop18.
# Opening lock resource file /run/cryptsetup/L_7:18
# Verifying lock handle for /dev/loop18.
# Device /dev/loop18 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/loop18
# Verifying locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:ff9d0a8b8b6605c0179bf0fbc810493dbb0bd539e8845776c718416bb02d3a98 (on-disk)
# Checksum:ff9d0a8b8b6605c0179bf0fbc810493dbb0bd539e8845776c718416bb02d3a98 (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/loop18
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:46cc53aae4d76f2166d1ed1e6ab466f0104893363f10cb140a8e030a640f0870 (on-disk)
# Checksum:46cc53aae4d76f2166d1ed1e6ab466f0104893363f10cb140a8e030a640f0870 (in-memory)
# Device size 536870912, offset 16777216.
# Device /dev/loop18 READ lock released.
# PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# Activating volume my_unlocked_device using token (any type) -1.
# dm version   [ opencount flush ]   [16384] (*1)
# dm versions   [ opencount flush ]   [16384] (*1)
# Detected dm-ioctl version 4.45.0.
# Detected dm-crypt version 1.23.0.
# Device-mapper backend running with UDEV support enabled.
# dm status my_unlocked_device  [ opencount noflush ]   [16384] (*1)
# Token 0 unusable for segment 0 with desired keyslot priority 2.
# Validating keyring token json
# keyring_get_passphrase failed (error -126)
# Token 0 (luks2-keyring) open failed with -1.
# Interactive passphrase entry requested.
Enter passphrase for /tmp/xyz:

In other words, even though the key is inside the kernel keyring, LUKS rejects it. I have no idea why, since I'm following the instructions letter by letter. What is going on here?
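The following diagnostic helper is an added example, not part of the question and not cryptsetup's own code. It does two things for a session like the one above: it pulls the errno out of the `keyring_get_passphrase failed (error N)` debug line and names it (on Linux, 126 is ENOKEY, "Required key not available", i.e. the lookup found nothing), and it offers a live check that searches the kernel keyring the way a process does rather than just listing the contents of @u. It assumes keyutils (`keyctl`) is installed for the live check; the sample log lines are constructed from the debug output above.

```shell
#!/bin/sh
# Added diagnostic helper; not from the question and not cryptsetup's code.
# Assumes keyutils (keyctl) is installed when the live check is run.

# Constructed sample: the three relevant lines from a cryptsetup --debug run.
SAMPLE_LOG='# Token 0 unusable for segment 0 with desired keyslot priority 2.
# keyring_get_passphrase failed (error -126)
# Token 0 (luks2-keyring) open failed with -1.'

# Map a (negative) errno value to its Linux symbolic name. The key-related
# values matter most here, because the debug line reports -errno from the
# kernel key lookup.
errno_name() {
  case "$1" in
    -1|1)     echo EPERM ;;        # no permission on the key
    -13|13)   echo EACCES ;;       # key found but not readable by this process
    -126|126) echo ENOKEY ;;       # "Required key not available": nothing found
    -127|127) echo EKEYEXPIRED ;;
    -128|128) echo EKEYREVOKED ;;
    *)        echo "errno $1" ;;
  esac
}

# Pull the errno out of the "keyring_get_passphrase failed (error N)" line
# of a cryptsetup --debug log read from stdin. Prints nothing if absent.
keyring_error_from_log() {
  sed -n 's/.*keyring_get_passphrase failed (error \(-*[0-9][0-9]*\)).*/\1/p' | head -n 1
}

# Human-readable verdict for a debug log on stdin.
diagnose_log() {
  err=$(keyring_error_from_log)
  [ -n "$err" ] || { echo "no keyring token failure in log"; return 1; }
  echo "keyring token failed with $(errno_name "$err")"
}

# Live check. "keyctl show @u" lists what sits in the user keyring, but the
# token lookup is resolved from cryptsetup's own process context (its thread,
# process and session keyrings plus whatever they link to). "keyctl request"
# performs that same kind of search from the calling shell, so it reports
# whether the key is reachable from here, not merely whether it exists.
key_reachable() {
  keyctl request user "$1" >/dev/null 2>&1
}

# Usage:
#   printf '%s\n' "$SAMPLE_LOG" | diagnose_log
#   key_reachable my:key && echo "my:key reachable" || echo "my:key NOT reachable"
```

Run `key_reachable` from the same shell (and the same sudo or su context) that will run `cryptsetup open`: a key that `keyctl show @u` lists but `keyctl request` cannot find points at keyring visibility between sessions rather than at the token itself.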
