[dm-crypt] how an attempt to obstruct the proverbial "evil maid" resulted in "LUKS keyslot 5 is invalid" message.

Arno Wagner arno at wagner.name
Fri Nov 21 11:03:36 CET 2014


Excellent. You are welcome.

Now, be aware that something is wrong in your set-up, so keep 
a header backup around. If this happens again, it may be a good
idea to look at this more closely. The header backup will 
also help with that, as it allows comparison of "good" and
"bad" state. 

Arno


On Fri, Nov 21, 2014 at 09:08:43 CET, Jan Rhebergen wrote:
> Tried the repair function of the newest cryptsetup from Fedora live.
> Worked like a charm!
> 
> LUKS header repaired and recovered!
> 
> Super!
> 
> Thanks,
> JB
> 
> 
> On 11/17/2014 10:34 PM, Jan Rhebergen wrote:
> >In my (feeble) effort to construct an obstacle for the proverbial
> >"evil maid" I messed up my system causing a
> >
> >LUKS keyslot 5 is invalid
> >
> >error.
> >
> >My system is a recent Ubuntu installation with full disk encryption
> >(except for the boot partition of course). In my attempt to thwart
> >potential "evil maids" I decided to move the boot filesystem and
> >bootloader to a USB thumbdrive.
> >
> >After I deleted the boot partition from the laptop hard-drive
> >partition table and after trying the USB thumbdrive (which worked) I
> >decided to reverse it again (can't remember why anymore).
> >
> >To recover the correct place and size I decided to use testdisk (you'll
> >find out why later). This duly detected the original boot partition
> >boundaries. However it did not correctly detect the LUKS partition
> >(which I did not notice at the time). It detected a partition of 2MB
> >instead. So I (regretfully) accepted the found partitions and ended up
> >with a correct boot partition but with a much too small LUKS
> >device/partition which was not numbered /dev/sda5 but
> >/dev/sda2. Needless to say opening it upon boot did not work.
> >
> >Disk /dev/sda: 256 GB, 256052966400 bytes
> >255 heads, 63 sectors/track, 31130 cylinders
> >Units = cylinders of 16065 * 512 = 8225280 bytes
> >
> >    Device Boot      Start         End      Blocks   Id  System
> >/dev/sda1   *           1          32      257008   83  Linux
> >Warning: Partition 1 does not end on cylinder boundary.
> >/dev/sda2              32          32           0   83  Linux
> >Warning: Partition 2 does not end on cylinder boundary.
> >Command (m for help):
> >
> >I had backed up the first 512 bytes of the drive and the text output
> >of fdisk. Only trouble was that I had backed it up on the partition
> >that I was trying to reach! (kicking myself here). In my defence I
> >have to say I was tired and it was already late evening. This was the
> >(lazy) reason for using testdisk.
> >
> >At this stage I did what is explicitly stated in the FAQ not to
> >do,.. I panicked!
> >
> >I used cfdisk to resize the too small LUKS partition to fill the rest
> >of the disk (as it should). This worked fine and I was able to open
> >the LUKS device (yeah!) Although I could activate the volume group and
> >see/detect the logical volumes on it (lvscan/lvdisplay) I could not
> >mount them (don't remember the error).
> >
> >At this stage I should have used dd to make a complete image of the
> >partition hard drive. Plus I should have made a backup of the LUKS
> >header (probably would have worked). I just didn't think straight I
> >guess from sheer panic.
> >
> >Not being able to mount the logical volumes on the LUKS partition I
> >figured it must have something to do with the fact that the LUKS
> >partition was on /dev/sda2 instead of /dev/sda5. So I thought I'd be
> >smart and did the following. I created a small temporary (buffer)
> >partition replacing the empty unallocated space between the boot
> >partition and the LUKS partition. I subsequently deleted the LUKS
> >partition, created an extended partition and a new logical partition
> >spanning the whole drive. Finally deleting the small buffer
> >partition. So I ended up with what I thought should be the original
> >partition table. Tried booting and opening it,... alas to no avail. I
> >suspect that creating this small buffer partition in the 1.05MB
> >'empty' space caused the trouble and in fact wrote over a few bytes of
> >the LUKS partition.
> >
> >So finally I started to do the smart thing although probably too late
> >and copy the entire drive image over to another drive.
> >
> >I was able to locate the start of the LUKS partition:
> >
> >root@goofy:~# hexdump -C /dev/sda | grep LUKS
> >08073590  73 73 20 64 65 6e 69 65  64 00 4c 55 4b 53 ba be  |ss denied.LUKS..|
> >08844d90  73 73 20 64 65 6e 69 65  64 00 4c 55 4b 53 ba be  |ss denied.LUKS..|
> >08e3c190  73 73 20 64 65 6e 69 65  64 00 4c 55 4b 53 ba be  |ss denied.LUKS..|
> >0f500000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
> >
> >I mounted the image file (not /dev/sda) at the appropriate offset and
> >tried to open it.
> >
> >losetup -o 0xf500000 -r -f sda.img
> >
> >cryptsetup luksOpen /dev/loop0 mycrypt
> >
> >LUKS keyslot 5 is invalid
> >
> >Now it so happens I don't use this slot but only the default one. So
> >is there any hope for recovery? If so how do I go about it (now that I
> >have calmed down).
> >
> >Any help and advice naturally much appreciated.
> >
> >regards,
> >JB
> >
> 

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
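
Added example, not part of the thread and not cryptsetup's code: a scan of a disk image for sector-aligned LUKS1 headers (which rules out hits like the three unaligned "ss denied.LUKS" strings in the hexdump above) followed by a plausibility check of all eight key slots, unused ones included. The field layout follows the LUKS1 on-disk format; the slot checks are a simplified assumption about what makes a slot "invalid", and the sample image is constructed.

```python
import struct

MAGIC, SECTOR = b"LUKS\xba\xbe", 512
ENABLED, DISABLED = 0x00AC71F3, 0x0000DEAD           # LUKS1 key-slot state markers
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")    # 208 bytes of fixed fields
SLOT = struct.Struct(">II32sII")                     # 8 slots x 48 bytes follow

def find_headers(image):
    """Sector-aligned LUKS1 magic only; unaligned hits are strings in other data."""
    hits, pos = [], image.find(MAGIC)
    while pos != -1:
        if pos % SECTOR == 0 and image[pos + 6:pos + 8] == b"\x00\x01":
            hits.append(pos)
        pos = image.find(MAGIC, pos + 1)
    return hits

def check_keyslots(image, off):
    """Return {slot: problem}; unused slots are checked too."""
    fields = PHDR.unpack_from(image, off)
    payload_off, key_bytes = fields[5], fields[6]
    problems = {}
    for i in range(8):
        active, _, _, km_off, stripes = SLOT.unpack_from(
            image, off + PHDR.size + i * SLOT.size)
        km_sectors = -(-key_bytes * stripes // SECTOR)   # ceiling division
        if active not in (ENABLED, DISABLED):
            problems[i] = "unknown state marker"
        elif km_off * SECTOR < PHDR.size + 8 * SLOT.size:
            problems[i] = "key material offset points inside the header"
        elif km_off + km_sectors > payload_off:
            problems[i] = "key material runs into the payload"
    return problems

def build_sample(damage_slot=5):
    """Constructed image: a stray string hit plus a header with one damaged slot."""
    slots = [SLOT.pack(ENABLED if i == 0 else DISABLED, 1000, bytes(32),
                       8 + i * 256, 4000) for i in range(8)]
    if damage_slot is not None:                      # simulate overwritten bytes
        slots[damage_slot] = SLOT.pack(DISABLED, 0, bytes(32), 0, 4000)
    hdr = PHDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 32,
                    bytes(20), bytes(32), 1000, b"constructed") + b"".join(slots)
    img = bytearray(4 * SECTOR)
    img[0x19A:0x19A + 16] = b"ss denied\x00" + MAGIC  # like the unaligned grep hits
    img[2 * SECTOR:2 * SECTOR + len(hdr)] = hdr
    return bytes(img)

if __name__ == "__main__":
    img = build_sample()
    for off in find_headers(img):
        print(hex(off), check_keyslots(img, off))
```

Run against a read-only copy of the image rather than the live disk, and compare the result with the same check on a header backup to see which slot changed.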

