Ubuntu: 20.04.3 LTS
LUKS Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
I noticed some weird behaviour when using luksAddKey when the password is exactly 64 characters long. I can't believe that is a bug, so I would like to know what I'm missing.
The first input of the new password has a length of 64 characters. The second input (=verification) is the first password without its last character, so it has a length of 63 characters. Example:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
# cryptsetup --pbkdf-force-iterations 1000 luksAddKey $DEVICE
Enter any existing passphrase:
Enter new passphrase for key slot: <- 64 characters
Verify passphrase: <- 63 characters
#
Despite the inputs being different, a new slot has been configured. I can clear the slot with either of the two inputs, as if they were the same. Instead, I would expect an error message for one of the passwords.
# cryptsetup luksRemoveKey $DEVICE
Enter passphrase to be deleted:
#
The character count limit shouldn't cause this, because it is much higher (512):
# cryptsetup --help | tail -n14
Default compiled-in metadata format is LUKS2 (for luksFormat action).
Default compiled-in key and passphrase parameters:
Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF for LUKS1: pbkdf2, iteration time: 2000 (ms)
Default PBKDF for LUKS2: argon2i
Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4
Default compiled-in device cipher parameters:
loop-AES: aes, Key 256 bits
plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
LUKS: Default keysize with XTS mode (two internal keys) will be doubled.
Can anyone else confirm this behaviour?