[dm-crypt] Avoiding fsck.ext4 destruction of crypto_luks data

Sven Eschenberg sven at whgl.uni-frankfurt.de
Sun Dec 30 09:42:03 CET 2012


Hi Milan,

What happens though, if signatures are not accessible during luksFormat?
(Or alternatively, are not found, because they are misaligned from the
current setup's perspective?)

Scenario, create a md volume with 1.0 metadata (end of device), start md
device, do luks format.

Now, in initial unused state, the luks header and md metadata are visible.
While cryptsetup might be able to realize that the md device should first
be started, this might not be true for all tools (unfortunately). Possible
similar scenarios with leftover superblocks etc. can surely be created.

I am aware this is a specific case due to the end of device policy of the
md metadata v1.0. What I am trying to say is, not all cases can
automagically be resolved, sometimes the knowledge and interaction of an
admin might really be required. And for educated guessing, the admin needs
to be educated beforehand ;-).


Regards

-Sven


On Fri, December 28, 2012 20:22, Milan Broz wrote:
> On 12/28/2012 04:04 PM, Arno Wagner wrote:
>> I am thinking about a "basic LUKS setup" section for the FAQ
>> that is more in the nature of a mini-howto. Things like blanking
>> a previously used partition before a LUKS install seem to be
>> not obvious to many people. Step-by-step instructions may help.
>
> Wiping (whole) device (with some crypt random way) is still on TODO list.
>
> But I believe that common signatures are wiped during LUKS format already
> (we had several bugs related to this already) so it should never
> happen that device contains ext4/swap/whatever signature parallel with
> LUKS. (If so, please let me know, it is a bug.)
>
> fsck can possibly use blkid and warn user
> "Warning: device seems to contain xyz signature, do you really want...."
> but this is feature for fsck (util-linux), not for cryptsetup.
> (Anyway, I can ask util-linux maintainer later next year:)
>
> Milan
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
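
Added example, not part of the original thread and not code from cryptsetup or util-linux: a read-only check that looks for the LUKS, ext2/3/4 and md v1.0 magic values in a device or image and reports when more than one is present, the ambiguous state discussed in the messages above. The function names and the constructed 1 MiB sample image are assumptions for illustration.

```python
import io
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"              # LUKS header magic at byte 0
EXT_MAGIC_OFF = 1024 + 56                 # ext superblock at 1024, s_magic at +56
EXT_MAGIC = struct.pack("<H", 0xEF53)     # ext2/3/4 s_magic, little-endian
MD_MAGIC = struct.pack("<I", 0xA92B4EFC)  # md superblock magic, little-endian


def md_v1_0_offset(size_bytes):
    """Byte offset of an md v1.0 superblock: 8 KiB back from the end of the
    device, rounded down to a 4 KiB boundary (the kernel md driver's rule)."""
    sectors = size_bytes // SECTOR
    if sectors < 16:
        return None
    return ((sectors - 16) & ~7) * SECTOR


def find_signatures(f, size_bytes):
    """Return [(name, offset)] for each known signature present in f."""
    def at(off, length):
        f.seek(off)
        return f.read(length)

    found = []
    if at(0, 6) == LUKS_MAGIC:
        found.append(("crypto_LUKS", 0))
    if at(EXT_MAGIC_OFF, 2) == EXT_MAGIC:
        found.append(("ext2/3/4", EXT_MAGIC_OFF))
    md_off = md_v1_0_offset(size_bytes)
    # Magic alone is not enough: also require major_version == 1.
    if md_off is not None and at(md_off, 8) == MD_MAGIC + struct.pack("<I", 1):
        found.append(("linux_raid_member (1.0)", md_off))
    return found


def constructed_image(size=1 << 20):
    """Constructed sample: LUKS magic at the start, md v1.0 magic near the end."""
    img = bytearray(size)
    img[0:6] = LUKS_MAGIC
    off = md_v1_0_offset(size)
    img[off:off + 8] = MD_MAGIC + struct.pack("<I", 1)
    return bytes(img)


if __name__ == "__main__":
    sigs = find_signatures(io.BytesIO(constructed_image()), 1 << 20)
    for name, off in sigs:
        print(f"{name} signature at byte {off}")
    if len(sigs) > 1:
        print("ambiguous: more than one signature, decide manually before fsck/mkfs")
```

To check a real device, open it read-only in binary mode and pass its size in bytes as the second argument.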



