[dm-crypt] No key available for this passphrase

Arno Wagner arno at wagner.name
Sun Sep 9 15:42:19 CEST 2012


On Sun, Sep 09, 2012 at 10:45:18AM +0200, Milan Broz wrote:
> On 09/09/2012 12:45 AM, Matthias Schniedermeyer wrote:
> > On 08.09.2012 22:02, Arno Wagner wrote:
> >>
> >> You can have up to 8 with LUKS. Each gets its own key-slot.
> >> Unfortunately, the key-slot with the highest risk to get
> >> damaged is the first one and that is where a single passphrase
> >> ends up in if you do not override the placement default.
> 
> If most installations use only the first slot, you can hardly
> notice that the other (unused) ones were corrupted as well :)
> 
> Most programs formatting data today (mkfs, mkswap, lvm, mdadm...)
> wipe more data, usually at least the first 4KB.
> 
> (mkswap should warn if it detects other signature, it is already
> using libblkid. In fact I thought it was fixed years ago...)

I think the OP sees an old swap signature that was not
wiped by a very old cryptsetup.

Hmm. Come to think of it, could that signature have served
to make some broken script auto-detect the LUKS container
as swap? If the Ubuntu live-CD thought here was some nice
space to use as swap, it could have mangled the keyslot.
 
> > If that happens so often, why not change the default and place the first 
> > key in slot 8?
> > (Assuming that can be done without significant compatibility issues)
> 
> No, this is just hiding the problem.
> So it will be corrupted after the first swap use (in this case)...

Indeed. Makes things even harder to diagnose. The proper way
is for others to check for possible signatures and warn. 
Unfortunately we have no way of ensuring that.

Arno
-- 
Arno Wagner,    Dr. sc. techn., Dipl. Inform.,   Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 
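
The check discussed in this message (looking for a foreign signature before touching a device), as an added example that is not part of the original post and not cryptsetup's or libblkid's code. It assumes the standard LUKS1 on-disk header layout and the swap signature in the last 10 bytes of the first page; `scan_header` and `make_sample` are hypothetical names, and the sample image is constructed.

```python
import struct

LUKS1_MAGIC = b"LUKS\xba\xbe"
SWAP_MAGICS = (b"SWAPSPACE2", b"SWAP-SPACE")   # new and old swap formats
PAGE_SIZES = (4096, 8192, 16384, 65536)        # signature sits in the last 10 bytes of page 0
SECTOR = 512


def scan_header(buf):
    """Report a LUKS1 header and any swap signature that coexists with it."""
    report = {"luks1": False, "slot0_offset": None, "swap_sigs": [], "at_risk": False}
    if len(buf) >= 256 and buf[:6] == LUKS1_MAGIC and buf[6:8] == b"\x00\x01":
        report["luks1"] = True
        # Key slot 0 descriptor at byte 208 (big-endian): active flag,
        # iterations, 32-byte salt, key-material offset in sectors, stripes.
        km_sectors = struct.unpack(">II32sII", buf[208:256])[3]
        report["slot0_offset"] = km_sectors * SECTOR
    for page in PAGE_SIZES:
        sig = bytes(buf[page - 10:page])
        if sig in SWAP_MAGICS:
            report["swap_sigs"].append((page - 10, sig.decode()))
    # Swap keeps page 0 as its header and writes from page 1 onward, which is
    # where the key-slot area of a default-layout LUKS1 container begins.
    report["at_risk"] = report["luks1"] and bool(report["swap_sigs"])
    return report


def make_sample():
    """Constructed 8 KiB image: LUKS1 header plus a leftover swap signature."""
    img = bytearray(8192)
    img[0:8] = LUKS1_MAGIC + b"\x00\x01"
    # Slot 0 enabled, key material at sector 8 (byte 4096), 4000 stripes.
    img[208:256] = struct.pack(">II32sII", 0x00AC71F3, 1000, b"\x11" * 32, 8, 4000)
    img[4086:4096] = b"SWAPSPACE2"
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(65536) if len(sys.argv) > 1 else make_sample()
    print(scan_header(data))
```

Run it against a header backup file or the first 64 KiB of the device; a report with both `luks1` and a swap signature means anything that auto-detects swap could overwrite key material.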

