Why luksHeaderBackup and luksHeaderRestore break tradition of using "-" as stdin/stdout?

Asked by Josef Wolf

Trying to make off-site encrypted backup of luks header by

   cryptsetup luksHeaderBackup --header-backup-file - | gpg | ssh some.host dd of=luks-header-backup

but cryptsetup writes to an ordinary file named '-'

another try:

   cryptsetup luksHeaderBackup --header-backup-file /dev/stdout | gpg | ssh some.host dd of=luks-header-backup

with this, cryptsetup complains: "Requested header backup file /dev/stdout already exists."

About every other tool (tar, dd, gz, whatever) can use stdin/stdout. Only luksHeaderBackup/luksHeaderRestore refuses to use stdin/stdout and insists on an ordinary file freshly created.

Please elaborate: what is the point of this behavior?

Question information

Language: English
Status: Solved
For: Ubuntu cryptsetup
Assignee: No assignee
Solved by: Manfred Hampl

Manfred Hampl (m-hampl) said :
#1

The manpages https://manpages.ubuntu.com/manpages/lunar/en/man8/cryptsetup-luksHeaderBackup.8.html clearly state:

NOTE: Using '-' as filename writes the header backup to a file named '-'.

If you want this changed, then you have to request that change "upstream", see https://gitlab.com/cryptsetup/cryptsetup/

Josef Wolf (jw-raven) said :
#2

Yes, I see that this is documented in the manpage.

If it had not been stated in the manpage, I would have assumed this to be a bug and/or missing feature.

Since this is EXPLICITLY stated in the manpage, I assume that this decision was made consciously and not by accident. Therefore, this is not a bug and not a missing feature.

Requesting a change about things I don't really understand would not be a good habit.

So please explain why '-' was EXPLICITLY chosen to be an ordinary file.

Manfred Hampl (m-hampl) said (best answer):
#3

"why '-' was EXPLICITLY chosen to be an ordinary file."
This question can only be answered by the developers who wrote that program, see https://gitlab.com/cryptsetup/cryptsetup/

Just a remark from my side:
It is a bit the other way round.
Whatever name you enter at the position where a file name is expected is taken as a file name. Changing the behaviour in case a minus character '-' is entered for the file name requires additional coding. Apparently that was not done here.

Josef Wolf (jw-raven) said :
#4

While it is true that handling '-' as stdin/stdout requires additional code, using /dev/stdout and /dev/stdin does not require any additional code. And this has been explicitly shut down by requiring that the file has to be freshly created (as you can see in the second example of my original question).

Anyway, I'll go ask on the cryptsetup tracker.

Thanks!
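
Added example, not part of the thread and not cryptsetup's own code: one way to get the pipeline from the original question despite the fresh-file requirement is to let cryptsetup create its file in a private temporary directory and stream that file to stdout. The function name, the temporary file name, and the device and GPG recipient in the usage comment are assumptions.

```shell
#!/bin/sh
# Stream a LUKS header backup to stdout via a short-lived private file.
# luksHeaderBackup only writes to a file it can freshly create, so "-" and
# /dev/stdout do not work (see the two attempts in the question).
#
# The backup contains the key slots: together with any passphrase that was
# valid when it was taken, it can unlock the volume. Keep the plaintext copy
# short-lived and encrypt before it leaves the host.

# luks_header_to_stdout DEVICE
# Body runs in a subshell, so umask, variables and traps stay local to it.
luks_header_to_stdout() (
    dev=$1
    umask 077
    # Directory only this user can enter; nobody else can pre-create the file.
    # Point TMPDIR at a tmpfs (e.g. /dev/shm on Linux) to keep it off disk.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/luks-hdr.XXXXXX") || exit 1
    trap 'rm -rf -- "$dir"' EXIT        # remove the plaintext copy on any exit
    trap 'exit 1' HUP INT TERM          # turn signals into a normal exit
    file=$dir/header.img                # must not exist before cryptsetup runs

    # cryptsetup's own messages go to stderr so they cannot mix into the stream.
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$file" >&2 || exit 1
    cat -- "$file" || exit 1
)

# Usage (device and recipient are placeholders; host and output name as in
# the question):
#   luks_header_to_stdout /dev/sdX2 \
#     | gpg --encrypt --recipient backup@example.org \
#     | ssh some.host dd of=luks-header-backup
```

In a pipeline the function's exit status is hidden by the later stages, so verify that the remote file is non-empty or, in bash, enable `set -o pipefail`.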

Josef Wolf (jw-raven) said :
#5

Thanks Manfred Hampl, that solved my question.
