Unable to unlock veracrypt encrypted partition using a keyfile #1191

Open
emmanuelrosa opened this issue Sep 21, 2023 · 4 comments
@emmanuelrosa

As suggested by #894 I created /etc/udisks2/tcrypt.conf (which is an empty file).

```
udisksctl info -b /dev/sdb2

/org/freedesktop/UDisks2/block_devices/sdb2:
  org.freedesktop.UDisks2.Block:
    Configuration:              []
    CryptoBackingDevice:        '/'
    Device:                     /dev/sdb2
    DeviceNumber:               2066
    Drive:                      '/org/freedesktop/UDisks2/drives/SSK_SSK_Storage_012345678913'
    HintAuto:                   true
    HintIconName:
    HintIgnore:                 false
    HintName:
    HintPartitionable:          true
    HintSymbolicIconName:
    HintSystem:                 false
    Id:                         by-id-usb-SSK_SSK_Storage_012345678913-0:0-part2
    IdLabel:
    IdType:                     crypto_unknown
    IdUUID:
    IdUsage:                    crypto
    IdVersion:
    MDRaid:                     '/'
    MDRaidMember:               '/'
    PreferredDevice:            /dev/sdb2
    ReadOnly:                   false
    Size:                       374670188544
    Symlinks:                   /dev/disk/by-diskseq/15-part2
                                /dev/disk/by-id/usb-SSK_SSK_Storage_012345678913-0:0-part2
                                /dev/disk/by-partuuid/a3afac02-02
                                /dev/disk/by-path/pci-0000:05:00.3-usb-0:1:1.0-scsi-0:0:0:0-part2
    UserspaceMountOptions:
  org.freedesktop.UDisks2.Encrypted:
    ChildConfiguration:         []
    CleartextDevice:            '/'
    HintEncryptionType:
    MetadataSize:               0
  org.freedesktop.UDisks2.Partition:
    Flags:              0
    IsContained:        false
    IsContainer:        false
    Name:
    Number:             2
    Offset:             137440002048
    Size:               374670188544
    Table:              '/org/freedesktop/UDisks2/block_devices/sdb'
    Type:               0x83
    UUID:               a3afac02-02
```

udiskie correctly prompts to unlock the device. When I try to unlock it with either udiskie or udisksctl I get this:

```
udisksctl unlock -b /dev/sdb2 --key-file /path/to/keyfile
Error unlocking /dev/sdb2: GDBus.Error:org.freedesktop.UDisks2.Error.Failed: No key available to unlock device /dev/sdb2
```

I can unlock the device on Windows. I've also compared the SHA256 of the keyfile on Windows and Linux and they match.

@emmanuelrosa
Author

One more thing.

I can unlock the VeraCrypt partition using the TrueCrypt/VeraCrypt support built into cryptsetup.

@vojtechtrefny vojtechtrefny self-assigned this Sep 25, 2023
@UtkarshVerma

UtkarshVerma commented Dec 8, 2023

I can also confirm this to be the case. If I try to unlock my drive, udisksctl says that my drive is not encrypted, which is weird since cryptsetup is able to decrypt it.

I'm using a hidden volume and here is what it shows:

```
/org/freedesktop/UDisks2/block_devices/sdb1:
  org.freedesktop.UDisks2.Block:
    Configuration:              []
    CryptoBackingDevice:        '/'
    Device:                     /dev/sdb1
    DeviceNumber:               2065
    Drive:                      '/org/freedesktop/UDisks2/drives/Generic_Flash_Disk_8C5D5E51'
    HintAuto:                   true
    HintIconName:
    HintIgnore:                 false
    HintName:
    HintPartitionable:          true
    HintSymbolicIconName:
    HintSystem:                 false
    Id:
    IdLabel:
    IdType:
    IdUUID:
    IdUsage:
    IdVersion:
    MDRaid:                     '/'
    MDRaidMember:               '/'
    PreferredDevice:            /dev/sdb1
    ReadOnly:                   false
    Size:                       8176795648
    Symlinks:                   /dev/disk/by-diskseq/3-part1
                                /dev/disk/by-id/usb-Generic_Flash_Disk_8C5D5E51-0:0-part1
                                /dev/disk/by-partuuid/081ce930-01
                                /dev/disk/by-path/pci-0000:05:00.3-usb-0:3:1.0-scsi-0:0:0:0-part1
                                /dev/disk/by-path/pci-0000:05:00.3-usbv2-0:3:1.0-scsi-0:0:0:0-part1
    UserspaceMountOptions:
  org.freedesktop.UDisks2.Partition:
    Flags:              0
    IsContained:        false
    IsContainer:        false
    Name:
    Number:             1
    Offset:             1048576
    Size:               8176795648
    Table:              '/org/freedesktop/UDisks2/block_devices/sdb'
    Type:               0x07
    UUID:               081ce930-01
```
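
The two `udisksctl info` dumps in this thread differ in a way that can be checked mechanically: sdb2 exposes the `org.freedesktop.UDisks2.Encrypted` interface with `IdUsage: crypto` and `IdType: crypto_unknown`, while sdb1 exposes no `Encrypted` interface and empty `Id*` fields. The following is an added example, not code from udisks or from anyone in this thread; the sample inputs are trimmed copies of the dumps above, and the function and category names are made up for this sketch.

```python
import re

# Constructed sample inputs: trimmed from the two `udisksctl info` dumps in this thread.
SDB2 = """\
/org/freedesktop/UDisks2/block_devices/sdb2:
  org.freedesktop.UDisks2.Block:
    Device:                     /dev/sdb2
    IdType:                     crypto_unknown
    IdUsage:                    crypto
    Symlinks:                   /dev/disk/by-diskseq/15-part2
                                /dev/disk/by-partuuid/a3afac02-02
  org.freedesktop.UDisks2.Encrypted:
    CleartextDevice:            '/'
    HintEncryptionType:
"""
SDB1 = """\
/org/freedesktop/UDisks2/block_devices/sdb1:
  org.freedesktop.UDisks2.Block:
    Device:                     /dev/sdb1
    IdType:
    IdUsage:
  org.freedesktop.UDisks2.Partition:
    Type:               0x07
"""

def parse_info(text):
    """Parse `udisksctl info` text into {interface: {property: [values]}}."""
    ifaces, iface, prop = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"^  (\S+):\s*$", line):            # 2-space indent: interface name
            iface = ifaces.setdefault(m.group(1), {})
            prop = None
        elif iface is not None and (m := re.match(r"^    (\w+):\s*(.*)$", line)):
            prop = m.group(1)                                 # 4-space indent: property
            iface[prop] = [m.group(2).strip()] if m.group(2).strip() else []
        elif prop and line.startswith("     ") and line.strip():
            iface[prop].append(line.strip())                  # continuation (e.g. Symlinks)
    return ifaces

def classify(text):
    """Label a device by what udisks reports about its encryption state."""
    info = parse_info(text)
    block = info.get("org.freedesktop.UDisks2.Block", {})
    usage = "".join(block.get("IdUsage", []))
    idtype = "".join(block.get("IdType", []))
    if "org.freedesktop.UDisks2.Encrypted" not in info:
        return "no-encrypted-interface"      # udisks does not present it as encrypted
    if usage == "crypto" and idtype == "crypto_unknown":
        return "encrypted-unknown-format"    # encrypted, but no recognizable header type
    return "encrypted-" + (idtype or "unspecified")
```

On a live system the same functions can be fed the output of `udisksctl info -b <device>` to see which of the two states a volume is in before trying to unlock it.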

@emmanuelrosa
Author

I remember going through the code trying to find the culprit, but I had to stop to attend to other matters. However, I have a hunch about what may be causing this issue:

The use of key files in VeraCrypt differs from how they are used in LUKS. Namely, in LUKS a key file can be used as an alternative to a passphrase, while in VeraCrypt a passphrase is also required when using a key file; even when the passphrase is empty, it's still considered a passphrase.

I remember seeing code in the DBUS API that handles VeraCrypt in the proper manner, but I could not find the complementary code in the client-side tools.

@vojtechtrefny
Member

TrueCrypt/VeraCrypt support was never added to udisksctl, so right now the `--key-file` option means we read the contents of the file and use it for the `keyfile_contents` option for the API call, which doesn't work, because for TC/VC libcryptsetup expects just a list of file names and not the contents. There are more issues with the code for TC/VC support that need to be addressed, but I am afraid we currently unfortunately don't have capacity to work on improving this. Help is always welcomed.
