[dm-crypt] how an attempt to obstruct the proverbial "evil maid" resulted in "LUKS keyslot 5 is invalid" message.

Jan Rhebergen jan at rhebergen.net
Fri Nov 21 09:08:43 CET 2014


Tried the repair function of the newest cryptsetup from fedora life. 
Worked like a charm!

LUKS header repaired and recovered!

Super!

Thanks,
JB


On 11/17/2014 10:34 PM, Jan Rhebergen wrote:
> In my (feeble) effort to construct an obstacle for the proverbial
> "evil maid" I messed up my system causing a
>
> LUKS keyslot 5 is invalid
>
> error.
>
> My system is a recent Ubuntu installation with full disk encryption
> (except for the boot partition of course). In my attempt to thwart
> potential "evil maids" I decided to move the boot filesystem and
> bootloader to a USB thumbdrive.
>
> After I deleted the boot partition from the laptop hard-drive
> partition table and after trying the USB thumbdrive (which worked) I
> decided to reverse it again (can't remember why anymore).
>
> To recover the correct place and size I decided use testdisk (you'll
> find out why later). This duly detected the original boot partition
> boundaries. However it did not correctly detect the LUKS partition
> (which I did not notice at the time). It detected a partition of 2MB
> instead. So I (regretfully) accepted the found partitions and ended up
> with a correct boot partition but with a much too small LUKS
> device/partition which was not number /dev/sda5 but
> /dev/sda2. Needless to say opening it upon boot did not work.
>
> Disk /dev/sda: 256 GB, 256052966400 bytes
> 255 heads, 63 sectors/track, 31130 cylinders
> Units = cylinders of 16065 * 512 = 8225280 bytes
>
>     Device Boot      Start         End      Blocks   Id  System
> /dev/sda1   *           1          32      257008   83  Linux
> Warning: Partition 1 does not end on cylinder boundary.
> /dev/sda2              32          32           0   83  Linux
> Warning: Partition 2 does not end on cylinder boundary.
> Command (m for help):
>
> I had backed up the first 512 bytes of the drive and the text output
> of fdisk. Only trouble was that I had backed it up on the partition
> that I was trying to reach! (kicking myself here). To my defence I
> have to say I was tired and it was already late evening. This was the
> (lazy) reason for using testdisk.
>
> At this stage I did what is explicitly stated in the FAQ not to
> do,.. I panicked!
>
> I used cfdisk to resize the too small LUKS partition to fill the rest
> of the disk (as it should). This worked fine and I was able to open
> the LUKS device (yeah!) Although I could activate the volume group and
> see/detect the logical volumes on it (lvscan/lvdisplay) I could not
> mount them (don't remember the error).
>
> At this stage I should have used dd to make a complete image of the
> partition hard drive. Plus I should have made a backup of the LUKS
> header (probably would have worked). I just didn't think straight I
> guess from sheer panic.
>
> Not being able to mount the logical volumes on the LUKS partition I
> figured it must have something to do with the fact that the LUKS
> partition was on /dev/sda2 instead of /dev/sda5. So I though I'd be
> smart and did the following. I created a small temporary (buffer)
> partition replacing the empty unallocated space between the boot
> partition and the LUKS partition. I subsequently deleted the LUKS
> partition, created an extended partition and a new logical partition
> spanning the whole drive. Finally deleting the small buffer
> partition. So I ended up with what I thought should be the original
> partition table. Tried booting and opening it,... alas to no avail. I
> suspect that creating this small buffer partition in the 1.05MB
> 'empty' space caused the trouble and in fact wrote over a few bytes of
> the LUKS partition.
>
> So finally I started to do the smart thing although probably too late
> and copy the entire drive image over to another drive.
>
> I was able to locate the start of the LUKS partition:
>
> root at goofy:~# hexdump -C /dev/sda | grep LUKS
> 08073590  73 73 20 64 65 6e 69 65  64 00 4c 55 4b 53 ba be  |ss
> denied.LUKS..|
> 08844d90  73 73 20 64 65 6e 69 65  64 00 4c 55 4b 53 ba be  |ss
> denied.LUKS..|
> 08e3c190  73 73 20 64 65 6e 69 65  64 00 4c 55 4b 53 ba be  |ss
> denied.LUKS..|
> 0f500000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00
> |LUKS....aes.....|
>
> I mounted the image file (not /dev/sda) at the appropriate offset and
> tried to open it.
>
> losetup -o 0xf500000 -r -f sda.img
>
> cryptsetup luksOpen /dev/loop0 mycrypt
>
> LUKS keyslot 5 is invalid
>
> Now it so happens I don't use this slot but only the default one. So
> is there any hope for recovery? If so how do I go about it (now that I
> have calmed down).
>
> Any help and advice naturally much appreciated.
>
> regards,
> JB
>

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



More information about the dm-crypt mailing list