[dm-crypt] How can a passphrase be incorrect even after `luksHeaderBackup` and `luksHeaderRestore`?

Paul Menzel pm.debian at googlemail.com
Fri Aug 5 01:18:51 CEST 2011


2011/8/4 Paul Menzel <pm.debian at googlemail.com>:

> Trying to save my data [1][2][3], I do not understand the following.
>
> The partitions of two drives `/dev/sd{a,b}2` start at exactly the same point.
>
> ------- 8< --- partition table --- >8 -------
> # partition table of /dev/sda
> unit: sectors
>
> /dev/sda1 : start=       63, size=   995967, Id=fd, bootable
> /dev/sda2 : start=   996030, size=3906028035, Id=fd
> /dev/sda3 : start=        0, size=        0, Id= 0
> /dev/sda4 : start=        0, size=        0, Id= 0
>
> # partition table of /dev/sdb
> unit: sectors
>
> /dev/sdb1 : start=       63, size=   995967, Id=fd, bootable
> /dev/sdb2 : start=   996030, size=975772035, Id=fd
> /dev/sdb3 : start=        0, size=        0, Id= 0
> /dev/sdb4 : start=        0, size=        0, Id= 0
> ------- 8< --- partition table --- >8 -------
>
> Doing `cryptsetup luksHeaderRestore /dev/sda2 --header-backup-file
> sdb.luksHeaderBackup` with `sdb.luksHeaderBackup` obtained from
> `/dev/sdb2`, the passphrase, which works on sdb, should definitely work
> on sda, although the data might be read as garbage.

It looks like `luksBackupRestore` is not working correctly for me.
Please take a look at the following results. `/dev/sdb` is the old
drive with the working LUKS setup, which means my passphrase gets
accepted. I am sorry that Google Mail will probably line-wrap
everything.

------- 8< --- entered commands --- >8 -------
% sudo cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file /tmp/sda.header
% sudo cryptsetup luksHeaderBackup /dev/sdb2 --header-backup-file /tmp/sdb.header


% sudo md5sum /tmp/sd*
7b897c620776f549324810a8aeb9921e  /tmp/sda.header
ce314509007b2c76eb85e7b89ee25da5  /tmp/sdb.header

% sudo cryptsetup --verbose --debug luksHeaderRestore /dev/sda2 --header-backup-file /tmp/sdb.header
# cryptsetup 1.3.0 processing "cryptsetup --verbose --debug luksHeaderRestore /dev/sda2 --header-backup-file /tmp/sdb.header"
# Running command luksHeaderRestore.
# Locking memory.
# Allocating crypt device /dev/sda2 context.
# Trying to open and read device /dev/sda2.
# Initialising device-mapper backend, UDEV is enabled.
# Detected dm-crypt version 1.10.0, dm-ioctl version 4.19.1.
# Initialising gcrypt crypto backend.
# Requested header restore to device /dev/sda2 (LUKS1) from file /tmp/sdb.header.
# Reading LUKS header of size 1024 from backup file /tmp/sdb.header
# Reading LUKS header of size 1024 from device /dev/sda2
# Device /dev/sda2 already contains LUKS header, checking UUID and offset.

WARNING!
========
Device /dev/sda2 already contains LUKS header. Replacing header will
destroy existing keyslots.

Are you sure? (Type uppercase yes): YES
# Storing backup of header (1024 bytes) and keyslot area (1048576 bytes) to device /dev/sda2.
# Reading LUKS header of size 1024 from device /dev/sda2
# Releasing crypt device /dev/sda2 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command successful.

% sudo cryptsetup --verbose --debug luksHeaderBackup /dev/sda2 --header-backup-file /tmp/sda2.header
# cryptsetup 1.3.0 processing "cryptsetup --verbose --debug luksHeaderBackup /dev/sda2 --header-backup-file /tmp/sda2.header"
# Running command luksHeaderBackup.
# Locking memory.
# Allocating crypt device /dev/sda2 context.
# Trying to open and read device /dev/sda2.
# Initialising device-mapper backend, UDEV is enabled.
# Detected dm-crypt version 1.10.0, dm-ioctl version 4.19.1.
# Initialising gcrypt crypto backend.
# Requested header backup of device /dev/sda2 (LUKS1) to file /tmp/sda2.header.
# Reading LUKS header of size 1024 from device /dev/sda2
# Storing backup of header (1024 bytes) and keyslot area (1048576 bytes).
# Releasing crypt device /dev/sda2 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command successful.

% sudo md5sum /tmp/*header
7b897c620776f549324810a8aeb9921e  /tmp/sda2.header
7b897c620776f549324810a8aeb9921e  /tmp/sda.header
ce314509007b2c76eb85e7b89ee25da5  /tmp/sdb.header
------- 8< --- entered commands --- >8 -------

I would have assumed that all files are identical, i.e. they have the
same hash.


Thanks,

Paul


> [1] http://www.saout.de/pipermail/dm-crypt/2011-August/001858.html
> [2] http://www.saout.de/pipermail/dm-crypt/2011-August/001858.html
> [3] http://marc.info/?l=linux-raid&m=131248606026407&w=2
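
Added example, not part of the original post: a Python sketch that parses the LUKS1 header fields of header-backup files so that two backups can be compared field by field rather than only by `md5sum`. The field layout is taken from the LUKS1 on-disk format specification; `parse_luks1`, `diff_headers` and `sample_header` are names chosen here, and the sample headers are constructed, not read from the drives above.

```python
import struct

# LUKS1 on-disk header (phdr), big-endian, 592 bytes in total:
# magic[6] version cipher[32] mode[32] hash[32] payload_offset key_bytes
# mk_digest[20] mk_salt[32] mk_iterations uuid[40], then 8 key slots.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")   # active, iterations, salt, km_offset, stripes
MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED = 0x00AC71F3

def parse_luks1(blob):
    """Return the LUKS1 header fields of a header backup as a dict."""
    if len(blob) < PHDR.size + 8 * SLOT.size:
        raise ValueError("too short for a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_offset, key_bytes,
     mk_digest, mk_salt, mk_iter, uuid) = PHDR.unpack_from(blob)
    if magic != MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    text = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    fields = {"cipher": text(cipher), "mode": text(mode), "hash": text(hash_spec),
              "payload_offset": payload_offset, "key_bytes": key_bytes,
              "mk_digest": mk_digest.hex(), "mk_salt": mk_salt.hex(),
              "mk_iterations": mk_iter, "uuid": text(uuid)}
    for i in range(8):
        active, iters, salt, km_off, stripes = SLOT.unpack_from(
            blob, PHDR.size + i * SLOT.size)
        fields[f"slot{i}"] = (active == SLOT_ENABLED, iters, salt.hex(), km_off, stripes)
    return fields

def diff_headers(a, b):
    """Names of the header fields that differ between two backups."""
    fa, fb = parse_luks1(a), parse_luks1(b)
    return sorted(k for k in fa if fa[k] != fb[k])

def sample_header(uuid, payload_offset, slot0_salt):
    """Constructed sample data, not taken from the drives in the post."""
    phdr = PHDR.pack(MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", payload_offset,
                     32, b"\x11" * 20, b"\x22" * 32, 10000, uuid.encode())
    slots = SLOT.pack(SLOT_ENABLED, 50000, slot0_salt, 8, 4000)
    slots += b"".join(SLOT.pack(0x0000DEAD, 0, b"\0" * 32, 8 + 256 * i, 4000)
                      for i in range(1, 8))
    return (phdr + slots).ljust(1024, b"\0")   # 1024-byte header, as in the debug log

if __name__ == "__main__":
    old = sample_header("11111111-2222-3333-4444-555555555555", 2056, b"\xaa" * 32)
    new = sample_header("66666666-7777-8888-9999-000000000000", 2056, b"\xbb" * 32)
    print(diff_headers(old, new))   # fields to inspect when the md5sums differ
```

For real backups, pass the bytes of each file, for example `open("/tmp/sdb.header", "rb").read()`, to `diff_headers`.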

