[dm-crypt] Is it possible to repair header

Arno Wagner arno at wagner.name
Wed Mar 5 02:54:28 CET 2014


Hi David,

so here is my analysis:

00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  63 62 63 2d 65 73 73 69  |........cbc-essi|
00000030  76 3a 73 68 61 32 35 36  00 00 00 00 00 00 00 00  |v:sha256........|
00000040  00 00 00 00 00 00 00 00  73 68 61 31 00 00 00 00  |........sha1....|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 08 08 00 00 00 20  |............... |
00000070  41 d9 06 3c 4c 10 42 a1  08 08 81 43 40 2f e0 05  |A..<L.B....C@/..|
00000080  45 fd 2c 60 ab e1 12 25  e8 c6 04 20 56 c6 a6 48  |E.,`...%... V..H|
00000090  46 07 68 f9 47 cd 8e 31  02 b0 26 f6 b1 76 fc 82  |F.h.G..1..&..v..|
000000a0  f1 ea d8 f0 00 00 00 0a  34 34 30 34 62 35 61 65  |........4404b5ae|
000000b0  2d 34 33 64 32 2d 34 36  34 31 2d 39 30 64 66 2d  |-43d2-4641-90df-|
000000c0  63 64 39 32 36 31 34 62  66 62 66 33 00 00 00 00  |cd92614bfbf3....|
000000d0  00 ac 71 f3 00 06 de 3d  dc e5 8f 7c 0f f7 84 b4  |..q....=...|....|
000000e0  fb 15 07 a4 bf 79 30 27  3d 43 4e 53 5a 10 60 1c  |.....y0'=CNSZ.`.|
000000f0  e9 a5 58 aa 6b 08 86 d9  00 00 00 08 00 00 0f a0  |..X.k...........|
00000100  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000120  00 00 00 00 00 00 00 00  00 00 01 08 00 00 0f a0  |................|
00000130  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000150  00 00 00 00 00 00 00 00  00 00 02 08 00 00 0f a0  |................|
00000160  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000180  00 00 00 00 00 00 00 00  00 00 03 08 00 00 0f a0  |................|
00000190  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001b0  00 00 00 00 00 00 00 00  00 00 04 08 00 00 00 01  |................|
                                                     ^^^^^
                                   Something wrote over this, but it is 
                                   non-critical 

This is key-slot 5, it jas junk init (well, partitioning data)"
000001c0  01 00 83 fe ff ff 3f 00  00 00 82 74 e0 e8 00 00  |......?....t....|
000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 

And later we see:
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
                                                     ^^^^^
                                   Boot-sect signature from the paritioning

00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000210  00 00 00 00 00 00 00 00  00 00 06 08 00 00 0f a0  |................|
00000220  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000230  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000240  00 00 00 00 00 00 00 00  00 00 07 08 00 00 0f a0  |................|
00000250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|


So you have hot an overlay of a partition sector (0x55 0xaa 
is the signature at the end) and a LUKS header. As far as
I can tell, Key-slots 4, 5 and 6 have been mangled. They 
are unused (for 5 that is a guess). For some reason, cryptsetup 
objects to what is in 5, but is fine with the mangling in 5 and 6.

So here is how to fix this:

1. Make a header backup and store it in a safe place.
   As cryptsetup is in a hissy fit, you cannot use the 
   procedure from FAQ 6.2. Instead do this:

      head -c 1052672 /dev/sdi > header_backup.img 

   Use hd on the file to make sure this is a valid header 
   backup, i.e. the start looks like what you posted the 2nd time. 
   Also make sure it is 1052672 bytes long. This is your safety-net.

2. Call

      cryptsetup luksHeaderRepair /dev/sdi

That should fix the corrupted keyslot data and allow
you to unlock keyslot 0. If not, there may be key-slot
corruption, but lets get to that if this does not work.


@Milan: May be a good idea to allow luksHeaderBackup on 
mangled key-slots.


Arno





On Tue, Mar 04, 2014 at 21:35:30 CET, David Kisjuhasz wrote:
> Here my error:
> "
> 
> cryptsetup luksOpen /dev/sdi secret1
> LUKS-Schlüsselfach 5 ist ungültig. (Keyslot) (german)
> "

> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato


More information about the dm-crypt mailing list