Package: partman-crypto Version: 81 Hi,
Although keyhash is declared in the debconf entries of the package, this option is never used when calling cryptsetup. This is a bit of a problem because, even when you select something strong like SHA512, the selection is ignored and cryptsetup falls back to its default, SHA-1. I've attached a patch to fix this. Thank you Jérôme
commit 509a0baebf38b665b49eded630280e8e7594cf58 (HEAD, refs/heads/master)
Author: Jérôme Vizcaino <jerome.vizca...@gmail.com>
Date: Tue May 12 16:38:23 2015 +0200
LUKS honors the given keyhash algorithm
diff --git a/lib/crypto-base.sh b/lib/crypto-base.sh
index dbe958a..e4316d3 100644
--- a/lib/crypto-base.sh
+++ b/lib/crypto-base.sh
@@ -210,8 +210,9 @@ setup_luks () {
 device=$2
 cipher=$3
 iv=$4
- size=$5
- pass=$6
+ hash=$5
+ size=$6
+ pass=$7
 [ -x /sbin/cryptsetup ] || return 1
@@ -219,7 +220,7 @@ setup_luks () {
 [ "${iv%xts-*}" = "${iv}" ] || size="$(($size * 2))"
 log-output -t partman-crypto \
- /sbin/cryptsetup -c $cipher-$iv -s $size luksFormat $device $pass
+ /sbin/cryptsetup -c $cipher-$iv -h $hash -s $size luksFormat $device $pass
 if [ $? -ne 0 ]; then
 log "luksFormat failed"
 return 2
@@ -262,7 +263,7 @@ setup_cryptdev () {
 fi
 fi
 if [ $keytype = passphrase ]; then
- setup_luks $cryptdev $realdev $cipher $ivalgorithm $keysize $keyfile || return 1
+ setup_luks $cryptdev $realdev $cipher $ivalgorithm $keyhash $keysize $keyfile || return 1
 elif [ $keytype = random ]; then
 setup_dmcrypt $cryptdev $realdev $cipher $ivalgorithm plain $keysize /dev/urandom || return 1
 else
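Review bot: Inserting `hash` as `$5` in setup_luks shifts `size` and `pass` to `$6` and `$7`, and nothing in the visible lines checks the argument count, so a caller still passing six arguments would have its key size read as the hash and its key file as the size. Only the setup_cryptdev call is updated in this patch; any other callers are outside the diff and would need the same change. I would document the order above the assignments, e.g. `# $3 cipher, $4 iv, $5 hash, $6 key size, $7 key file`, and add `[ $# -eq 7 ] || return 1` before them. The body of setup_luks starts and ends outside the hunk.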
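Review bot: An empty hash value is not handled in the new `-h $hash` argument of the second hunk: unquoted, it expands to nothing and `-h` takes `-s` as the hash name. The same applies in the third hunk, where an empty `$keyhash` drops out of the setup_luks call and shifts `$keysize` and `$keyfile` into the wrong positions. Whether keyhash can be unset at this point is not visible in the diff, so failing closed seems safer: quote both uses (`-h "$hash"`, `"$keyhash"`) and add `[ -n "$hash" ] || return 1` next to the existing `/sbin/cryptsetup` check. A missing value then stops the format instead of risking a volume whose key-setup hash is not the one the user chose. setup_luks continues outside the hunk.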