[dm-crypt] "not a valid LUKS device" after distro change

Arno Wagner arno at wagner.name
Wed Aug 20 23:15:28 CEST 2014


Hi John,

while I have no idea how HOME_LV got in this state, the
hexdump shows what is wrong. I suspect some LVM or Parted 
"Magic" on installation caused this. 
As the salts in the header are critical for decryption, unless
the LUKS header is somewhere else and the offsets are
wrong (i.e. you are not looking at the place you are think
you are looking at, e.g. due to some LVM problem) the data is
gone. 

As to MORE_LV, this should work. I suspect you did the dump
below on Ubuntu, correct? I think Ubuntu may have screwed 
up the partitioning so that Fedora 20 does not find MORE_LV 
anymore, but Ubuntu finds it. 

One more test would show this:

Copy the first 10MB of MORE_LV on *Ubuntu* 

  head -c 10M /dev/MORE_VG/MORE_LV >> header.dump

do a loopback mount of it  it on  *Fedora 20*

  losetup /dev/loop0 header.dump

and then try to luksOpen /dev/loop0. If that works
on Fedora 20 but MORE_LV does not work on FEDORA 20,
then this is a problem with Fedora 20 having dome issue
accessing the raw MORE_LV partition.

Note that header.dump will contain the key-slots, 
so make sure you can secure-erase the header.dump-file again!
(You are still secure, but your passphrase is in there and
if that becomes compromised, changing it will not be enough.)

Arno



On Wed, Aug 20, 2014 at 18:18:33 CEST, John Wells wrote:
> Thanks Arno.
> 
> Something definitely looks amiss:
> $ sudo   head -c 1024 /dev/FINALFRONTIER_VG/HOME_LV | hd
> 00000000  47 4e 55 20 50 61 72 74  65 64 20 4c 6f 6f 70 62  |GNU Parted
> Loopb|
> 00000010  61 63 6b 20 30 00 00 00  00 00 00 00 00 00 00 00  |ack
> 0...........|
> 00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> *
> 00000400
> 
> $ sudo head -c 1024 /dev/MORE_VG/MORE_LV  | hd
>                                                                          ��ޭ
> 00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00
>  |LUKS....aes.....|
> 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 00000020  00 00 00 00 00 00 00 00  78 74 73 2d 70 6c 61 69
>  |........xts-plai|
> 00000030  6e 36 34 00 00 00 00 00  00 00 00 00 00 00 00 00
>  |n64.............|
> 00000040  00 00 00 00 00 00 00 00  73 68 61 31 00 00 00 00
>  |........sha1....|
> 00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 00000060  00 00 00 00 00 00 00 00  00 00 10 00 00 00 00 40
>  |...............@|
> 00000070  4e 94 98 c0 51 a9 25 bb  74 73 88 a4 a7 6e c7 d3
>  |N...Q.%.ts...n..|
> 00000080  6f 18 71 fa 94 9a f4 5e  d1 e8 5b 1a 34 3a 9f 9f
>  |o.q....^..[.4:..|
> 00000090  1d 79 1f 61 f5 dd 98 09  e1 d6 2e ed c4 29 af 1a
>  |.y.a.........)..|
> 000000a0  23 c9 59 da 00 00 77 a1  36 63 63 31 38 38 64 62
>  |#.Y...w.6cc188db|
> 000000b0  2d 63 63 64 62 2d 34 63  38 66 2d 39 37 62 32 2d
>  |-ccdb-4c8f-97b2-|
> 000000c0  65 34 31 31 39 38 65 63  36 65 34 34 00 00 00 00
>  |e41198ec6e44....|
> 000000d0  00 ac 71 f3 00 01 df d7  79 85 dd f0 29 59 98 63
>  |..q.....y...)Y.c|
> 000000e0  0b 69 80 fe 48 61 8c 40  5b 3b 57 0f 82 9c ae 90  |.i..Ha.@
> [;W.....|
> 000000f0  36 57 45 e2 03 82 26 c5  00 00 00 08 00 00 0f a0
>  |6WE...&.........|
> 00000100  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 00000120  00 00 00 00 00 00 00 00  00 00 02 00 00 00 0f a0
>  |................|
> 00000130  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 00000150  00 00 00 00 00 00 00 00  00 00 03 f8 00 00 0f a0
>  |................|
> 00000160  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 00000180  00 00 00 00 00 00 00 00  00 00 05 f0 00 00 0f a0
>  |................|
> 00000190  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 000001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 000001b0  00 00 00 00 00 00 00 00  00 00 07 e8 00 00 0f a0
>  |................|
> 000001c0  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 000001e0  00 00 00 00 00 00 00 00  00 00 09 e0 00 00 0f a0
>  |................|
> 000001f0  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 00000210  00 00 00 00 00 00 00 00  00 00 0b d8 00 00 0f a0
>  |................|
> 00000220  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 00000230  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 00000240  00 00 00 00 00 00 00 00  00 00 0d d0 00 00 0f a0
>  |................|
> 00000250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
>  |................|
> 
> Yes, even though Fedora 20 will mount neither volume, Ubuntu 14.04 will
> mount the /dev/MORE_VG/MORE_LV partition.
> 
> Thanks,
> John
> 
> 
> On Wed, Aug 20, 2014 at 5:09 AM, Arno Wagner <arno at wagner.name> wrote:
> 
> > On Wed, Aug 20, 2014 at 00:22:29 CEST, John Wells wrote:
> > > Thanks for your response. This is the result of luksDump on the
> > container:
> > >
> > > # cryptsetup luksDump /dev/FINALFRONTIER_VG/HOME_LV
> > > Device /dev/FINALFRONTIER_VG/HOME_LV is not a valid LUKS device.
> >
> > Ah, sorry. Did not see that access completely failed.
> > That means the header was at least partially overwritten.
> >
> > Can you post or send me a hex-dump of the first 1024 bytes
> > of this device and the other one?
> >
> > Command to do so is, e.g.
> >
> >   head -c 1024 /dev/FINALFRONTIER_VG/HOME_LV | hd
> >
> > This will not compromise your security.
> >
> > > I will try to find the time to recreate the entire scenario. Do you think
> > > the current container I'm able to open is at risk of corruption as well?
> >
> > Yes. Something seems to be running amok.
> >
> > Another queston: After Fedora 20 told you both were not
> > valid LUKS devices, could you still open the one in Ubuntu
> > that you could open before?
> >
> > Arno
> >
> > --
> > Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
> > GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> > ----
> > A good decision is based on knowledge and not on numbers. -  Plato
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt at saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> >

> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato


More information about the dm-crypt mailing list