[dm-crypt] unlock luks volume using valid keyslot

Arno Wagner arno at wagner.name
Tue Jun 28 16:13:30 CEST 2016


Oops, just saw that Milan already replied.
Use his instructions, they are better.

Regards,
Arno

On Tue, Jun 28, 2016 at 15:55:55 CEST, Arno Wagner wrote:
> The thing here is that it is not your keyslot that is invalid, but
> rather its descriptor, which is part of the header.
> 
> One thing you can immediately do (after a header backup!)
> is to just put the right offset into the header descriptor.
> Addresses are in FAQ Item 6.12. As Keyslot 4 is inactive,
> you can basically copy the one before or after, I think.
> 
> If conventional header backup does not work, do a manual
> one (see FAQ Item 6.2).
> 
> That should get you one step further. But only if the 
> salts in the header and keyslot are fine.
> 
> Regards,
> Arno
> 
> 
> 
> On Tue, Jun 28, 2016 at 07:47:55 CEST, Oko Hid wrote:
> > Dear dm-crypt members,
> > 
> > Please teach me how to unlock the LUKS partition using a valid keyslot.
> >
> > My /dev/sda is a crypto_LUKS partition volume, and an xfs partition (/home)
> > is contained in it.
> > I got the "Luks keyslot 4 is invalid." message just after the following operation.
> > (I use only keyslot 0, and I know the valid passphrase of course.)
> > 
> > My workstation is an HP Z820 with 2 CPUs running Gentoo Linux.
> > Recently a fan seems to be having trouble, so I tried HP's Diagnostic CD,
> > booted from the CD
> > and executed the diag tool.
> > The tool tried to write the result log to the "C:" drive, which triggered a tragedy.
> > The LUKS header must have been corrupted at that time.
> >
> > I do not have a backup of the LUKS header, so I cannot unlock this
> > partition for now.
> > 
> > I found the site FAQ
> > (https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions),
> > so I would like to ask for a clue on how to access the partition and data
> > here on this mailing list.
> >
> > The debug output of the unlocking operation follows...
> > ---
> > zucchini ~ # cryptsetup -v --debug --key-slot=0 luksDump /dev/sda
> > # cryptsetup 1.6.5 processing "cryptsetup -v --debug --key-slot=0 luksDump /dev/sda"
> > # Running command luksDump.
> > # Locking memory.
> > # Installing SIGINT/SIGTERM handler.
> > # Unblocking interruption on signal.
> > # Allocating crypt device /dev/sda context.
> > # Trying to open and read device /dev/sda.
> > # Initialising device-mapper backend library.
> > # Trying to load LUKS1 crypt type from device /dev/sda.
> > # Crypto backend (gcrypt 1.6.5) initialized.
> > # Reading LUKS header of size 1024 from device /dev/sda
> > # Invalid offset 3012998038 in keyslot 4 (beyond data area offset 4096).
> > LUKS keyslot 4 is invalid.
> > # Releasing crypt device /dev/sda context.
> > # Releasing device-mapper backend.
> > # Unlocking memory.
> > Command failed with code 22: LUKS keyslot 4 is invalid.
> > ---
> > 
> > The command blkid seems to be OK.
> > ---
> > zucchini ~ # blkid -p /dev/sda
> > /dev/sda: UUID="30016d75-****-4c68-898a-************" VERSION="1" TYPE="crypto_LUKS" USAGE="crypto"
> > ---
> > 
> > The head of /dev/sda follows.
> > ---
> > zucchini ~ # hexdump -C -n 112 /dev/sda
> > 00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
> > 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> > 00000020  00 00 00 00 00 00 00 00  78 74 73 2d 70 6c 61 69  |........xts-plai|
> > 00000030  6e 36 34 00 00 00 00 00  00 00 00 00 00 00 00 00  |n64.............|
> > 00000040  00 00 00 00 00 00 00 00  73 68 61 31 00 00 00 00  |........sha1....|
> > 00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> > 00000060  00 00 00 00 00 00 00 00  00 00 10 00 00 00 00 20  |............... |
> > 00000070
> > ---
> > 
> > I also tried Arno's chk_luks_keyslots.
> > (http://www.saout.de/pipermail/dm-crypt/attachments/20120909/39ee1325/attachment.c)
> > The output was...
> > ---
> > zucchini keyslotchecker # ./chk_luks_keyslots /dev/sda
> > 
> > Sectors with entropy below threshold (0.850000):
> > 
> > Keyslot 0: start:   0x1000
> > 
> > Keyslot 1: start:  0x21000
> >   keyslot not in use
> > 
> > Keyslot 2: start:  0x41000
> >   keyslot not in use
> > 
> > Keyslot 3: start:  0x61000
> >   keyslot not in use
> > 
> > Keyslot 4: start: 0x2d672c00
> >   keyslot not in use
> > 
> > Keyslot 5: start:  0xa1000
> >   keyslot not in use
> > 
> > Keyslot 6: start:  0xc1000
> >   keyslot not in use
> > 
> > Keyslot 7: start:  0xe1000
> >   keyslot not in use
> > ---
> > The output message shows the addresses of the keyslots, and
> > that of keyslot 4 may be invalid.
> > (However, 0 seems ok ... I wish.)
> >
> > So, what can I do in this situation?
> > Is it possible to access the partition and data using keyslot 0?
> > 
> > Thanks, in advance.
> > 
> > Hide
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt at saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> 
> -- 
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
> 
> If it's in the news, don't worry about it.  The very definition of 
> "news" is "something that hardly ever happens." -- Bruce Schneier

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

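Added example, not part of the original thread and not cryptsetup's own code: a read-only Python check of the eight LUKS1 keyslot descriptors against the data area offset (the bound named in the debug output quoted above), plus the start offset a damaged descriptor would be expected to carry if the slots are evenly spaced. Field positions follow the LUKS1 on-disk format; the sample header is constructed from the values shown in the thread, with zeroed salts and iterations and 4000 stripes per slot as assumptions.

```python
import struct

SECTOR, SLOT0, SLOT_SIZE = 512, 208, 48  # LUKS1: 8 descriptors of 48 bytes from byte 208

def parse(hdr):
    """Return (payload_offset, key_bytes, [(state, offset, stripes)]), offsets in sectors."""
    if hdr[:6] != b"LUKS\xba\xbe" or struct.unpack_from(">H", hdr, 6)[0] != 1:
        raise ValueError("not a LUKS1 header")
    payload, key_bytes = struct.unpack_from(">II", hdr, 104)
    raw = [struct.unpack_from(">II32sII", hdr, SLOT0 + n * SLOT_SIZE) for n in range(8)]
    return payload, key_bytes, [(s[0], s[3], s[4]) for s in raw]

def invalid_slots(hdr):
    """Slots whose key material would start or end beyond the data area offset."""
    payload, key_bytes, slots = parse(hdr)
    bad = []
    for n, (_state, off, stripes) in enumerate(slots):
        sectors = -(-key_bytes * stripes // SECTOR)  # ceiling division
        if off > payload or off + sectors > payload:
            bad.append(n)
    return bad

def expected_offset(hdr, n):
    """Extrapolate slot n's offset (sectors) from the spacing of two sane slots."""
    slots, bad = parse(hdr)[2], invalid_slots(hdr)
    good = [i for i in range(8) if i not in bad]
    if len(good) < 2:
        raise ValueError("need two sane descriptors to infer the spacing")
    a, b = good[0], good[1]
    stride = (slots[b][1] - slots[a][1]) // (b - a)
    return slots[a][1] + (n - a) * stride

def sample_header():
    """Constructed header using the thread's values; salts, iterations, stripes assumed."""
    hdr = bytearray(592)
    struct.pack_into(">6sH32s32s32sII", hdr, 0, b"LUKS\xba\xbe", 1,
                     b"aes", b"xts-plain64", b"sha1", 4096, 32)
    for n in range(8):
        state = 0x00AC71F3 if n == 0 else 0x0000DEAD  # active / disabled markers
        off = 3012998038 if n == 4 else 8 + 256 * n   # slot 4 carries the bad value
        struct.pack_into(">II32sII", hdr, SLOT0 + n * SLOT_SIZE,
                         state, 0, bytes(32), off, 4000)
    return bytes(hdr)

if __name__ == "__main__":
    h = sample_header()
    for n in invalid_slots(h):
        print(f"keyslot {n}: expected start 0x{expected_offset(h, n) * SECTOR:x}")
```

To inspect a real volume, pass the first 592 bytes of a header backup file to `invalid_slots` instead of the constructed sample.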
