[dm-crypt] unlock luks volume using valid keyslot

Arno Wagner arno at wagner.name
Tue Jun 28 15:55:55 CEST 2016


The thing here is that it is not your keyslot that is invalid, but 
rather its descriptor, which is part of the header.

One thing you can immediately do (after a header backup!)
is to just put the right offset into the header descriptor.
Addresses are in FAQ Item 6.12. As Keyslot 4 is inactive,
you can basically copy the one before or after, I think.

If conventional header backup does not work, do a manual
one (see FAQ Item 6.2).

That should get you one step further. But only if the 
salts in the header and keyslot are fine.

Regards,
Arno



On Tue, Jun 28, 2016 at 07:47:55 CEST, Oko Hid wrote:
> Dear dm-crypt members,
> 
> Please teach me how to unlock the luks partition using a valid keyslot.
> 
> My /dev/sda is a crypto_LUKS volume, and it contains an xfs
> partition (/home).
> I got the "Luks keyslot 4 is invalid." message just after the following operation.
> (I use only keyslot 0, and I know the valid passphrase of course.)
> 
> My workstation is an HP Z820 with 2 CPUs running Gentoo Linux.
> Recently a fan seems to be having trouble, so I tried HP's Diagnostic CD,
> booted from the CD
> and executed the diag tool.
> The tool tried to write the result log to the "C:" drive, which triggered a tragedy.
> The luks header must have been corrupted at that time.
> 
> I do not have the backup of luks header, so I cannot unlock this
> partition for now.
> 
> I found the site FAQ
> (https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions),
> so I would like to ask on this mailing list for a clue on how to
> access the partition and data.
> 
> The debug output of the unlocking operation is the following...
> ---
> zucchini ~ # cryptsetup -v --debug --key-slot=0 luksDump /dev/sda
> # cryptsetup 1.6.5 processing "cryptsetup -v --debug --key-slot=0 luksDump /dev/sda"
> # Running command luksDump.
> # Locking memory.
> # Installing SIGINT/SIGTERM handler.
> # Unblocking interruption on signal.
> # Allocating crypt device /dev/sda context.
> # Trying to open and read device /dev/sda.
> # Initialising device-mapper backend library.
> # Trying to load LUKS1 crypt type from device /dev/sda.
> # Crypto backend (gcrypt 1.6.5) initialized.
> # Reading LUKS header of size 1024 from device /dev/sda
> # Invalid offset 3012998038 in keyslot 4 (beyond data area offset 4096).
> LUKS keyslot 4 is invalid.
> # Releasing crypt device /dev/sda context.
> # Releasing device-mapper backend.
> # Unlocking memory.
> Command failed with code 22: LUKS keyslot 4 is invalid.
> ---
> 
> The command blkid seems to be OK.
> ---
> zucchini ~ # blkid -p /dev/sda
> /dev/sda: UUID="30016d75-****-4c68-898a-************" VERSION="1" TYPE="crypto_LUKS" USAGE="crypto"
> ---
> 
> The head of /dev/sda is the following.
> ---
> zucchini ~ # hexdump -C -n 112 /dev/sda
> 00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
> 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> 00000020  00 00 00 00 00 00 00 00  78 74 73 2d 70 6c 61 69  |........xts-plai|
> 00000030  6e 36 34 00 00 00 00 00  00 00 00 00 00 00 00 00  |n64.............|
> 00000040  00 00 00 00 00 00 00 00  73 68 61 31 00 00 00 00  |........sha1....|
> 00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> 00000060  00 00 00 00 00 00 00 00  00 00 10 00 00 00 00 20  |............... |
> 00000070
> ---
> 
> I also tried Arno's chk_luks_keyslots.
> (http://www.saout.de/pipermail/dm-crypt/attachments/20120909/39ee1325/attachment.c)
> The output was...
> ---
> zucchini keyslotchecker # ./chk_luks_keyslots /dev/sda
> 
> Sectors with entropy below threshold (0.850000):
> 
> Keyslot 0: start:   0x1000
> 
> Keyslot 1: start:  0x21000
>   keyslot not in use
> 
> Keyslot 2: start:  0x41000
>   keyslot not in use
> 
> Keyslot 3: start:  0x61000
>   keyslot not in use
> 
> Keyslot 4: start: 0x2d672c00
>   keyslot not in use
> 
> Keyslot 5: start:  0xa1000
>   keyslot not in use
> 
> Keyslot 6: start:  0xc1000
>   keyslot not in use
> 
> Keyslot 7: start:  0xe1000
>   keyslot not in use
> ---
> The output message shows the addresses of the keyslots, and
> that of keyslot 4 may be invalid.
> (However, 0 seems ok ... I wish.)
> 
> So, what can I do in this situation?
> Is it possible to access the partition and data using Keyslot 0 ?
> 
> Thanks, in advance.
> 
> Hide
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

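Added example (not part of the original message and not cryptsetup code): a read-only Python check that parses the eight LUKS1 keyslot descriptors and compares each key-material offset with the standard layout, which is the value the descriptor would need before any repair. Field positions follow the LUKS1 on-disk format; the 4000-stripe default, the function names and the sample header (built from the values in the quoted output, with salts and the iteration count constructed) are assumptions.

```python
import struct

SECTOR = 512
ALIGN = 4096 // SECTOR            # keyslot areas are aligned to 4096 bytes
ACTIVE, DISABLED = 0x00AC71F3, 0x0000DEAD
SLOT_FMT = ">II32sII"             # active, iterations, salt, offset, stripes

def expected_offsets(key_bytes, stripes=4000):
    """Key-material start sectors in the standard LUKS1 layout.
    Assumption: every slot uses the default 4000 anti-forensic stripes."""
    size = -(-key_bytes * stripes // SECTOR)      # sectors per slot, rounded up
    out, cur = [], ALIGN
    for _ in range(8):
        out.append(cur)
        cur = -(-(cur + size) // ALIGN) * ALIGN   # round up to next aligned sector
    return out

def check_header(hdr):
    """Return (slot, state, offset, expected, ok) for each keyslot descriptor."""
    if hdr[:6] != b"LUKS\xba\xbe" or struct.unpack_from(">H", hdr, 6)[0] != 1:
        raise ValueError("not a LUKS1 header")
    payload, key_bytes = struct.unpack_from(">II", hdr, 104)
    want = expected_offsets(key_bytes)
    report = []
    for i in range(8):
        active, _iters, _salt, off, _stripes = struct.unpack_from(
            SLOT_FMT, hdr, 208 + 48 * i)
        state = {ACTIVE: "active", DISABLED: "disabled"}.get(active, "corrupt")
        ok = state != "corrupt" and off == want[i] and off < payload
        report.append((i, state, off, want[i], ok))
    return report

def sample_header():
    """Constructed header: aes / xts-plain64 / sha1, payload offset 4096,
    32-byte key, keyslot 4 carrying the bad offset from the debug output."""
    hdr = bytearray(1024)
    hdr[0:8] = b"LUKS\xba\xbe\x00\x01"
    hdr[8:11], hdr[40:51], hdr[72:76] = b"aes", b"xts-plain64", b"sha1"
    struct.pack_into(">II", hdr, 104, 4096, 32)
    offs = expected_offsets(32)
    offs[4] = 3012998038
    for i, off in enumerate(offs):
        struct.pack_into(SLOT_FMT, hdr, 208 + 48 * i,
                         ACTIVE if i == 0 else DISABLED,
                         1000 if i == 0 else 0, bytes(32), off, 4000)
    return bytes(hdr)

if __name__ == "__main__":
    for slot, state, off, exp, ok in check_header(sample_header()):
        print(f"keyslot {slot}: {state:8} offset={off} expected={exp} "
              f"{'ok' if ok else 'BAD'}")
```

Run against a real device, the input would be the first 1024 bytes read from it (or from the header backup), and nothing is written.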
