[dm-crypt] "not a valid LUKS device" after distro change

John Wells jbwellsiv at gmail.com
Thu Aug 21 16:00:21 CEST 2014


I will try what you say. To add to the weirdness, I came into work this
morning with a unresponsive machine. I hard reset, booted Ubuntu, but at
that point *Ubuntu wouldn't recognize either partition, and both had the
same "GNU Parted Loopback 0" in the output of "head -c 1024 /volume | hd".
Neither partition was recognized by luksDump. I panicked.

Rebooted, and guess what? /dev/MORE_VG/MORE_LV was back to normal and I
could mount it. /dev/FINALFRONTIER_VG/HOME_LV was still corrupted with the
"GNU Parted Loopback 0" output.

This makes no sense to me. How could the leading bits be different each
time I booted up? Could datamapper be assigning the wrong device to the
logical volume in some way? It just makes no sense.


On Wed, Aug 20, 2014 at 5:15 PM, Arno Wagner <arno at wagner.name> wrote:

> Hi John,
>
> while I have no idea how HOME_LV got in this state, the
> hexdump shows what is wrong. I suspect some LVM or Parted
> "Magic" on installation caused this.
> As the salts in the header are critical for decryption, unless
> the LUKS header is somewhere else and the offsets are
> wrong (i.e. you are not looking at the place you are think
> you are looking at, e.g. due to some LVM problem) the data is
> gone.
>
> As to MORE_LV, this should work. I suspect you did the dump
> below on Ubuntu, correct? I think Ubuntu may have screwed
> up the partitioning so that Fedora 20 does not find MORE_LV
> anymore, but Ubuntu finds it.
>
> One more test would show this:
>
> Copy the first 10MB of MORE_LV on *Ubuntu*
>
>   head -c 10M /dev/MORE_VG/MORE_LV >> header.dump
>
> do a loopback mount of it  it on  *Fedora 20*
>
>   losetup /dev/loop0 header.dump
>
> and then try to luksOpen /dev/loop0. If that works
> on Fedora 20 but MORE_LV does not work on FEDORA 20,
> then this is a problem with Fedora 20 having dome issue
> accessing the raw MORE_LV partition.
>
> Note that header.dump will contain the key-slots,
> so make sure you can secure-erase the header.dump-file again!
> (You are still secure, but your passphrase is in there and
> if that becomes compromised, changing it will not be enough.)
>
> Arno
>
>
>
> On Wed, Aug 20, 2014 at 18:18:33 CEST, John Wells wrote:
> > Thanks Arno.
> >
> > Something definitely looks amiss:
> > $ sudo   head -c 1024 /dev/FINALFRONTIER_VG/HOME_LV | hd
> > 00000000  47 4e 55 20 50 61 72 74  65 64 20 4c 6f 6f 70 62  |GNU Parted
> > Loopb|
> > 00000010  61 63 6b 20 30 00 00 00  00 00 00 00 00 00 00 00  |ack
> > 0...........|
> > 00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > *
> > 00000400
> >
> > $ sudo head -c 1024 /dev/MORE_VG/MORE_LV  | hd
> >
> ��ޭ
> > 00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00
> >  |LUKS....aes.....|
> > 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 00000020  00 00 00 00 00 00 00 00  78 74 73 2d 70 6c 61 69
> >  |........xts-plai|
> > 00000030  6e 36 34 00 00 00 00 00  00 00 00 00 00 00 00 00
> >  |n64.............|
> > 00000040  00 00 00 00 00 00 00 00  73 68 61 31 00 00 00 00
> >  |........sha1....|
> > 00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 00000060  00 00 00 00 00 00 00 00  00 00 10 00 00 00 00 40
> >  |...............@|
> > 00000070  4e 94 98 c0 51 a9 25 bb  74 73 88 a4 a7 6e c7 d3
> >  |N...Q.%.ts...n..|
> > 00000080  6f 18 71 fa 94 9a f4 5e  d1 e8 5b 1a 34 3a 9f 9f
> >  |o.q....^..[.4:..|
> > 00000090  1d 79 1f 61 f5 dd 98 09  e1 d6 2e ed c4 29 af 1a
> >  |.y.a.........)..|
> > 000000a0  23 c9 59 da 00 00 77 a1  36 63 63 31 38 38 64 62
> >  |#.Y...w.6cc188db|
> > 000000b0  2d 63 63 64 62 2d 34 63  38 66 2d 39 37 62 32 2d
> >  |-ccdb-4c8f-97b2-|
> > 000000c0  65 34 31 31 39 38 65 63  36 65 34 34 00 00 00 00
> >  |e41198ec6e44....|
> > 000000d0  00 ac 71 f3 00 01 df d7  79 85 dd f0 29 59 98 63
> >  |..q.....y...)Y.c|
> > 000000e0  0b 69 80 fe 48 61 8c 40  5b 3b 57 0f 82 9c ae 90  |.i..Ha.@
> > [;W.....|
> > 000000f0  36 57 45 e2 03 82 26 c5  00 00 00 08 00 00 0f a0
> >  |6WE...&.........|
> > 00000100  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 00000120  00 00 00 00 00 00 00 00  00 00 02 00 00 00 0f a0
> >  |................|
> > 00000130  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 00000150  00 00 00 00 00 00 00 00  00 00 03 f8 00 00 0f a0
> >  |................|
> > 00000160  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 00000180  00 00 00 00 00 00 00 00  00 00 05 f0 00 00 0f a0
> >  |................|
> > 00000190  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 000001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 000001b0  00 00 00 00 00 00 00 00  00 00 07 e8 00 00 0f a0
> >  |................|
> > 000001c0  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 000001e0  00 00 00 00 00 00 00 00  00 00 09 e0 00 00 0f a0
> >  |................|
> > 000001f0  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 00000210  00 00 00 00 00 00 00 00  00 00 0b d8 00 00 0f a0
> >  |................|
> > 00000220  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 00000230  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> > 00000240  00 00 00 00 00 00 00 00  00 00 0d d0 00 00 0f a0
> >  |................|
> > 00000250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> >  |................|
> >
> > Yes, even though Fedora 20 will mount neither volume, Ubuntu 14.04 will
> > mount the /dev/MORE_VG/MORE_LV partition.
> >
> > Thanks,
> > John
> >
> >
> > On Wed, Aug 20, 2014 at 5:09 AM, Arno Wagner <arno at wagner.name> wrote:
> >
> > > On Wed, Aug 20, 2014 at 00:22:29 CEST, John Wells wrote:
> > > > Thanks for your response. This is the result of luksDump on the
> > > container:
> > > >
> > > > # cryptsetup luksDump /dev/FINALFRONTIER_VG/HOME_LV
> > > > Device /dev/FINALFRONTIER_VG/HOME_LV is not a valid LUKS device.
> > >
> > > Ah, sorry. Did not see that access completely failed.
> > > That means the header was at least partially overwritten.
> > >
> > > Can you post or send me a hex-dump of the first 1024 bytes
> > > of this device and the other one?
> > >
> > > Command to do so is, e.g.
> > >
> > >   head -c 1024 /dev/FINALFRONTIER_VG/HOME_LV | hd
> > >
> > > This will not compromise your security.
> > >
> > > > I will try to find the time to recreate the entire scenario. Do you
> think
> > > > the current container I'm able to open is at risk of corruption as
> well?
> > >
> > > Yes. Something seems to be running amok.
> > >
> > > Another queston: After Fedora 20 told you both were not
> > > valid LUKS devices, could you still open the one in Ubuntu
> > > that you could open before?
> > >
> > > Arno
> > >
> > > --
> > > Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email:
> arno at wagner.name
> > > GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D
> 9718
> > > ----
> > > A good decision is based on knowledge and not on numbers. -  Plato
> > > _______________________________________________
> > > dm-crypt mailing list
> > > dm-crypt at saout.de
> > > http://www.saout.de/mailman/listinfo/dm-crypt
> > >
>
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt at saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
>
>
> --
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -  Plato
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20140821/3e0358ff/attachment.html>


More information about the dm-crypt mailing list