[dm-crypt] Open raid1 with luks encryption after a raid re-create
l-alexandre at sapo.pt
Sun Nov 22 16:05:23 CET 2015
On 22-11-2015 12:52, Arno Wagner wrote:
> CC'ing to the list, as it serves as a sort-of archive of
> how to solve problems as well and there are several clueful
> and helpful people in it that may spot more things than I do.
> On Sun, Nov 22, 2015 at 13:15:11 CET, Luis Alexandre wrote:
>>> It can sync in the wrong direction. And second, unfortunately,
>>> superblock format 1.2 is a dirty hack designed by incompetents.
>>> It places the RAID header 4k from the start of the device. For
>>> LUKS, this kills the first keyslow of misaligned. Unfortunately,
>>> this is also the default. No, that has not happened here or you
>>> would get the header.
>> Since the original raid was already 1.2 format, the location would
>> already be the 4k from the start of the device. So where was LUKS
>> info placed in terms of distance from the start of the device?
> Right at the start. That is why using superblock 0.90 or 1.0
> with LUKS is a good diea as it becomes exceptionally unlikely
> that the MD-header damages the LUKS header.
>>>> Thanks for any help you can provide.
>>> Ok, first stop writing to the disks. Second, make a full, binary backup
>>> of each disk. And third, try whether either disk works individually
>>> as degraded array.
>> 2-Done. Dumped the first 2MB of each disk.
> Make that 1GB at least to be sure to capture the LUKS header
> in it if it is still anywhere.
>> 3-They appear as raid disks but again I cannot open the encryption.
>>> If neither gives you a LUKS header, you can still search on the raw
>>> disks by looking for the LUKS signature. If that also fails, you are
>>> out of luck and all your data is gone.
>> The LUKS signature is simply 'LUKS'?
> Not quite. FAQ Item 6.12
> gives you a brief version, the LUKS on-disk spec gives everything.
>> I grepped like this:
>> grep LUKS header_sdb_backup.dmp
>> is it the correct way to do it?
>> Did not find any match...
> Ok, lets repeat that with the full disks and including the full signature
> hd /dev/sdx | grep "0 4c 55 4b 53 ba be 00 01"
> with x one of your RAID disks. Do this for both. May take a while.
> This gives you the alignment as well. The "hd" start of a good
> luks header and container (header starts at offset 0) looks like
> 00000000 4c 55 4b 53 ba be 00 01 61 65 73 00 00 00 00 00 |LUKS....aes.....|
> Only the first 6 bytes are fixed. Bytes 6 and 7 are the version
> of which there currently is onlyy "0001". This will always be
> aligned to a 512 byte boundary. Doing it this way has the
> advantage that you get the offset as well.
found it in one of the disks:
08100000 4c 55 4b 53 ba be 00 01 61 65 73 00 00 00 00 00
Can you tell me how should I proceed now?
(the other is still being searched: the first one took a few seconds,
this one is now over 1 hour search)
More information about the dm-crypt