[dm-crypt] LUKS keyslot invalid - Please help!

Arno Wagner arno at wagner.name
Thu Jul 18 20:43:48 CEST 2013


Hi Nick,

On Thu, Jul 18, 2013 at 10:33:29AM -0700, Ywellc wrote:
> Hi,
> 
> I recently accessed a LUKS partition from a Windows operating system (on a
> different disk).  I was able to mount it using my passphrase.  After
> turning off the computer, I tried to boot into Ubuntu and received a "evms
> activate is not available message." 

I have no idea what that means.

> I booted into a live CD and tried to
> mount to the drive.  I received an error message from gParted saying the
> partition table did not match the signature.  I ran fsck and it "fixed"
> the problem.

That "recovery attempt" is likely what did the damage.

> I then tried to boot again, and load Ubuntu.  This time, evms activate
> message did not show up.  It brought me to passphrase screen and I entered
> my passphrase.  This time I received "unknown file system or bad password
> options" message."
> 
> I booted again into live CD (GRML) I try to unlock the container with:
> 
> cryptsetup luksOpen /dev/sda5
> 
> I receive an error message stating that LUKS Keyslot 4, 6, and 7 is
> invalid.  I ran the command again with the debug option:
> 
> Invalid keyslot size 8388608 (offset 1032, stripes 0) in keyslot 4 (beyond
> data offset 2056) and similar for 6 and 7.

Ok, some damage to the keyslot descriptors. The critical things may
still be fine. 

> blkid -p shows "/dev/sdb5 UUID="57ei...." TYPE="crypto-LUKS."
> 
> Is there any way for me to open this container now, or is it FUBAR?

Unclear at this time. I think the chances for a full recovery are
reasonable.

Please make a manual header backup (copy the first 
3 MB of the LUKS device) and keep that safe. It will protect you
against any additional damage from experimentation. If the data
is important, make a full binary backup of /dev/sda5, or better two
before _any_ more "recovery attempts". In fact, make a third binary 
copy of the whole drive onto a same-size or larger drive and only work
on that. (Binary copies are best made with dd_rescue.) Make very sure 
you are copying in the right direction. In fact, bying a forensic
write-blocker may be a sensible investment if you are unsure.

> I realize this is my fault, and I was actually trying to access the
> container to backup everything.  I have my whole life on there, school
> work everything.  Any help you could provide would be greatly appreciated. 
> I would be willing to shell out the few bitcoins I have to make it worth
> your while.

No need for that. 

Next step when you have the backups and the copy to work on is to
download the current cryptsetup, compile and install it. Then
run the keyslot-checker in misc/keyslot_checker/. There is
a good chance it will fail, but it should report on the
first keyslot before that, and that is the critical one if
you have just one pasphrase.

If that works, you can try to explicitely specify the key-slot to
cryptsetup, along the lines of 
  
  cryptsetup luksOpen --key-slot 0 /dev/sda5

That may or may not work. If not, then the keyslot info has
to be repaired using a disk-editor. (Lets deal with that if
it becomes necessary.) These are just start and offset info 
and should be defaults. 

And when you find the time, read the FAQ item 1.2  and
everything in FAQ Section 6.

If you are sure your passprase is good, you can also send me the 
first 3 MB of your LUKS partition and I can take a look. May
take a few days until I find the time though.

Arno

> Thanks,
> Nick
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare


More information about the dm-crypt mailing list