[dm-crypt] how an attempt to obstruct the proverbial "evil maid" resulted in "LUKS keyslot 5 is invalid" message.

Jan Rhebergen jan at rhebergen.net
Mon Nov 17 22:34:12 CET 2014

In my (feeble) effort to construct an obstacle for the proverbial
"evil maid" I messed up my system causing a

LUKS keyslot 5 is invalid


My system is a recent Ubuntu installation with full disk encryption
(except for the boot partition of course). In my attempt to thwart
potential "evil maids" I decided to move the boot filesystem and
bootloader to a USB thumbdrive.

After I deleted the boot partition from the laptop hard-drive
partition table and after trying the USB thumbdrive (which worked) I
decided to reverse it again (can't remember why anymore).

To recover the correct place and size I decided to use testdisk (you'll
find out why later). This duly detected the original boot partition
boundaries. However it did not correctly detect the LUKS partition
(which I did not notice at the time). It detected a partition of 2MB
instead. So I (regretfully) accepted the found partitions and ended up
with a correct boot partition but with a much too small LUKS
device/partition which was not numbered /dev/sda5 but
/dev/sda2. Needless to say opening it upon boot did not work.

Disk /dev/sda: 256 GB, 256052966400 bytes
255 heads, 63 sectors/track, 31130 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

    Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          32      257008   83  Linux
Warning: Partition 1 does not end on cylinder boundary.
/dev/sda2              32          32           0   83  Linux
Warning: Partition 2 does not end on cylinder boundary.
Command (m for help):

I had backed up the first 512 bytes of the drive and the text output
of fdisk. Only trouble was that I had backed it up on the partition
that I was trying to reach! (kicking myself here). In my defence I
have to say I was tired and it was already late evening. This was the
(lazy) reason for using testdisk.

At this stage I did what is explicitly stated in the FAQ not to
do,.. I panicked!

I used cfdisk to resize the too small LUKS partition to fill the rest
of the disk (as it should). This worked fine and I was able to open
the LUKS device (yeah!). Although I could activate the volume group and
see/detect the logical volumes on it (lvscan/lvdisplay) I could not
mount them (don't remember the error).

At this stage I should have used dd to make a complete image of the
partition hard drive. Plus I should have made a backup of the LUKS
header (probably would have worked). I just didn't think straight I
guess from sheer panic.

Not being able to mount the logical volumes on the LUKS partition I
figured it must have something to do with the fact that the LUKS
partition was on /dev/sda2 instead of /dev/sda5. So I thought I'd be
smart and did the following. I created a small temporary (buffer)
partition replacing the empty unallocated space between the boot
partition and the LUKS partition. I subsequently deleted the LUKS
partition, created an extended partition and a new logical partition
spanning the whole drive. Finally deleting the small buffer
partition. So I ended up with what I thought should be the original
partition table. Tried booting and opening it,... alas to no avail. I
suspect that creating this small buffer partition in the 1.05MB
'empty' space caused the trouble and in fact wrote over a few bytes of
the LUKS partition.

So finally I started to do the smart thing although probably too late
and copy the entire drive image over to another drive.

I was able to locate the start of the LUKS partition:

root@goofy:~# hexdump -C /dev/sda | grep LUKS
08073590  73 73 20 64 65 6e 69 65  64 00 4c 55 4b 53 ba be  |ss 
08844d90  73 73 20 64 65 6e 69 65  64 00 4c 55 4b 53 ba be  |ss 
08e3c190  73 73 20 64 65 6e 69 65  64 00 4c 55 4b 53 ba be  |ss 
0f500000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00 

I mounted the image file (not /dev/sda) at the appropriate offset and
tried to open it.

losetup -o 0xf500000 -r -f sda.img

cryptsetup luksOpen /dev/loop0 mycrypt

LUKS keyslot 5 is invalid

Now it so happens I don't use this slot but only the default one. So
is there any hope for recovery? If so how do I go about it (now that I
have calmed down).

Any help and advice naturally much appreciated.
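
Added example, not part of the original post and not cryptsetup's own code: a read-only parser for the LUKS1 header found at the offset above, which lists each keyslot and flags the ones that fail basic sanity checks. The field layout follows the LUKS1 on-disk format; the function names, the constructed sample header and the exact set of checks are assumptions made for illustration.

```python
import struct

MAGIC = b"LUKS\xba\xbe"                    # the bytes visible at 0x0f500000 above
PHDR_SIZE, SLOT_BASE, SLOT_SIZE, SECTOR = 592, 208, 48, 512
ACTIVE, DISABLED, STRIPES = 0x00AC71F3, 0x0000DEAD, 4000

def check_luks1_header(hdr):
    """Parse a LUKS1 header; return (slots, problems) without touching key material."""
    if len(hdr) < PHDR_SIZE or hdr[:6] != MAGIC:
        raise ValueError("no LUKS magic at this offset")
    (version,) = struct.unpack_from(">H", hdr, 6)
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)
    payload_off, key_bytes = struct.unpack_from(">II", hdr, 104)
    slots, problems = [], []
    for i in range(8):
        state, _iters, _salt, km_off, stripes = struct.unpack_from(
            ">II32sII", hdr, SLOT_BASE + i * SLOT_SIZE)
        name = {ACTIVE: "active", DISABLED: "disabled"}.get(state, "corrupt")
        slots.append((i, name, km_off, stripes))
        # Sanity checks run on every slot, used or not (assumption: this is
        # why damage to an unused slot can still make the header unusable).
        if name == "corrupt":
            problems.append((i, "unknown state marker 0x%08x" % state))
        if km_off * SECTOR < PHDR_SIZE:
            problems.append((i, "key material offset points into the header"))
        if stripes != STRIPES:
            problems.append((i, "stripes is %d, expected %d" % (stripes, STRIPES)))
        km_sectors = (key_bytes * stripes + SECTOR - 1) // SECTOR
        if km_off + km_sectors > payload_off:
            problems.append((i, "key material overlaps the payload"))
    return slots, problems

def constructed_header(damaged_slot=None):
    """Build a made-up header (slot 0 active) and optionally zero one slot."""
    hdr = bytearray(struct.pack(">6sH32s32s32sII20s32sI40s", MAGIC, 1, b"aes",
                                b"xts-plain64", b"sha1", 4096, 64, b"", b"", 1000, b""))
    for i in range(8):
        hdr += struct.pack(">II32sII", ACTIVE if i == 0 else DISABLED,
                           1000, b"", 8 + 504 * i, STRIPES)
    if damaged_slot is not None:
        start = SLOT_BASE + damaged_slot * SLOT_SIZE
        hdr[start:start + SLOT_SIZE] = bytes(SLOT_SIZE)
    return bytes(hdr)

if __name__ == "__main__":
    for slot, why in check_luks1_header(constructed_header(damaged_slot=5))[1]:
        print("keyslot %d: %s" % (slot, why))
```

To inspect a real header, read 592 bytes at the header offset (0xf500000 in the post) from a copy of the image and pass them to check_luks1_header.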

