[dm-crypt] Missing keyslot or broken header or still some hope?

zero.tonin at web.de zero.tonin at web.de
Sat Nov 5 08:56:16 CET 2016


Hi all, Arno and Michael,
thanks again for your continued help and advice - a great experience and yet another time I love the Linux community (and pity I can't contribute myself much).


> It says your key-slots have no larger areas overwritten with other data.
> That is by far the most common thing that happens. Not here, it seems.

Thanks for the clarification, I think I do understand.

> In principle, yes, but if you have a problem with bit-errors on
> reading or the like, then you would at least need to also 
> do an md5sum or the like of copy and original to make
> sure there are no errors. A single bit-error in a 
> keyslot makes it unusable.

Ok, that might explain why - at the moment - it is not working. I created a ddrescue (thanks, Michael, for reminding me of this!) clone but failed to realise the destination disk was 100GB short (I am looking to do it with a NAS drive now...).
With this "clone" (which might be insufficient) I tried unlocking the disk on a virtual machine running pureOS (on VM Fusion on a macOS Sierra iMac), but there as well I can't decrypt the disk, getting the "No key available with this passphrase" message.
I hope this is due to the insufficient size on the drive.


>My first assumption would not be that the disk is physically broken
>yet still manages to read data in any meaningful way, but silent data
>corruption is a real thing, despite HDD manufacturers' attempts at
>correcting or at least detecting any failed reads. That said, though,
>your LUKS header looks _sane_; I would expect silent corruption to
>yield essentially random data for the full sector.

That, at least, gives some hope to continue working on the drive. Also a great reminder for _regular_ rsyncs (I have another disk which had been encrypted with truecrypt. A firmware update for the drive itself corrupted the truecrypt header. I did have a RAID backup, also encrypted with truecrypt. Smart as I am, the password for it is stored on the unusable disk and I did not yet pgp-email it to someone I trust... different story, though, but maybe it contributes to your amusement).


>A binary copy as made by e.g. dd should absolutely be sufficient. In
>fact, it's probably a good idea to make such a copy in any case;
>having that copy will allow you to experiment.

>If you can spare the disk space, make one copy, and then duplicate it,
>then work on one of those copies while making sure to not touch the
>other; that way, no matter what you do and no matter what happens to
>the physical media from that point onwards, you can always go back to
>the original copy and make a new working copy.

Very good plan of action, I will see if I can get ddrescue to work onto a NAS drive, which should at least give me enough storage...

>I _strongly_ recommend ddrescue over dd; ddrescue is far better suited
>for this use case. It also gives you a nice progress indication while
>it is working.

Very true, not sure why I had "dd" saved in my head...

Again, thanks so much, folks, this is really great and I appreciate your words and time a lot!
Mark

> 
> > Mark
> > 
> > user at debian:~/.bin/cryptsetup/misc/keyslot_checker$ sudo ./chk_luks_keyslots -v /dev/sda5
> > 
> > parameters (commandline and LUKS header):
> >   sector size: 512
> >   threshold:   0.900000
> > 
> > - processing keyslot 0:  start: 0x001000   end: 0x03f800 
> > - processing keyslot 1:  keyslot not in use
> > - processing keyslot 2:  keyslot not in use
> > - processing keyslot 3:  keyslot not in use
> > - processing keyslot 4:  keyslot not in use
> > - processing keyslot 5:  keyslot not in use
> > - processing keyslot 6:  keyslot not in use
> > - processing keyslot 7:  keyslot not in use
> > 
> > 
> > > Sent: Friday, 04 November 2016 at 11:32
> > > From: "Arno Wagner" <arno at wagner.name>
> > > To: dm-crypt at saout.de
> > > Subject: Re: [dm-crypt] Missing keyslot or broken header or still some hope?
> > >
> > > Hi,
> > > 
> > > first, please do not post HTML-'emails' to this list.
> > > It cuts you off from most people here.
> > > 
> > > Second, from the 'acting up' I would deduce that you
> > > have some kind of severe hardware problem. It may be that
> > > this prevents the unlock. Can you try this disk in a 
> > > different computer?
> > > 
> > > There is also the keyslot-checker in misc/keyslot_checker/
> > > of the cryptsetup source distribution, that may tell
> > > you more.
> > > 
> > > Regards,
> > > Arno
> > > 
> > > 
> > > On Thu, Nov 03, 2016 at 21:58:30 CET, Zero Tonin wrote:
> > > >    Hi Michael,
> > > > 
> > > >    thank you very much for your response, I appreciate your time and
> > > >    willingness to help a stranger!
> > > > 
> > > > 
> > > >     Below I will paste the output of --debug as well as, in case it
> > > >    provides useful information, the output of sfdisk -l for the
> > > >    partitions on the drive.
> > > > 
> > > > 
> > > >     Again, thank you ever so much, please do let me know if there is any
> > > >    further detail or information I could provide to hopefully be able to
> > > >    recover this.
> > > > 
> > > > 
> > > >     Kind regards,
> > > > 
> > > >     Mark
> > > > 
> > > >    (I was unaware this mailing list is a "clear name" environment, sorry
> > > >    for the anonymity in my first mail)
> > > > 
> > > > 
> > > > 
> > > > 
> > > >    user at debian:~$ sudo /sbin/sfdisk -l
> > > > 
> > > >    Disk /dev/sda: 77825 cylinders, 255 heads, 63 sectors/track
> > > > 
> > > >    sfdisk: Warning: extended partition does not start at a cylinder
> > > >    boundary.
> > > > 
> > > >    DOS and Linux will interpret the contents differently.
> > > > 
> > > >    Units: cylinders of 8225280 bytes, blocks of 1024 bytes, counting from
> > > >    0
> > > > 
> > > >       Device Boot Start     End   #cyls    #blocks   Id  System
> > > > 
> > > >    /dev/sda1   *      0+     31-     31-    248832   83  Linux
> > > > 
> > > >    /dev/sda2         31+  77825-  77795- 624880641    5  Extended
> > > > 
> > > >    /dev/sda3          0       -       0          0    0  Empty
> > > > 
> > > >    /dev/sda4          0       -       0          0    0  Empty
> > > > 
> > > >    /dev/sda5         31+  77825-  77795- 624880640   83  Linux
> > > > 
> > > >    user at debian:~$ sudo cryptsetup --debug luksOpen /dev/sda5 crypt1
> > > > 
> > > >    # cryptsetup 1.6.6 processing "cryptsetup --debug luksOpen /dev/sda5
> > > >    crypt1"
> > > > 
> > > >    # Running command open.
> > > > 
> > > >    # Locking memory.
> > > > 
> > > >    # Installing SIGINT/SIGTERM handler.
> > > > 
> > > >    # Unblocking interruption on signal.
> > > > 
> > > >    # Allocating crypt device /dev/sda5 context.
> > > > 
> > > >    # Trying to open and read device /dev/sda5.
> > > > 
> > > >    # Initialising device-mapper backend library.
> > > > 
> > > >    # Trying to load LUKS1 crypt type from device /dev/sda5.
> > > > 
> > > >    # Crypto backend (gcrypt 1.6.3) initialized.
> > > > 
> > > >    # Detected kernel Linux 3.16.0-4-amd64 x86_64.
> > > > 
> > > >    # Reading LUKS header of size 1024 from device /dev/sda5
> > > > 
> > > >    # Key length 64, device size 1249761280 sectors, header size 4036
> > > >    sectors.
> > > > 
> > > >    # Timeout set to 0 miliseconds.
> > > > 
> > > >    # Password retry count set to 3.
> > > > 
> > > >    # Password verification disabled.
> > > > 
> > > >    # Iteration time set to 1000 miliseconds.
> > > > 
> > > >    # Activating volume crypt1 [keyslot -1] using [none] passphrase.
> > > > 
> > > >    # dm version   OF   [16384] (*1)
> > > > 
> > > >    # dm versions   OF   [16384] (*1)
> > > > 
> > > >    # Detected dm-crypt version 1.13.0, dm-ioctl version 4.27.0.
> > > > 
> > > >    # Device-mapper backend running with UDEV support enabled.
> > > > 
> > > >    # dm status crypt1  OF   [16384] (*1)
> > > > 
> > > >    # Interactive passphrase entry requested.
> > > > 
> > > >    Enter passphrase for /dev/sda5:
> > > > 
> > > >    # Trying to open key slot 0 [ACTIVE_LAST].
> > > > 
> > > >    # Reading key slot 0 area.
> > > > 
> > > >    # Using userspace crypto wrapper to access keyslot area.
> > > > 
> > > >    # Trying to open key slot 1 [INACTIVE].
> > > > 
> > > >    # Trying to open key slot 2 [INACTIVE].
> > > > 
> > > >    # Trying to open key slot 3 [INACTIVE].
> > > > 
> > > >    # Trying to open key slot 4 [INACTIVE].
> > > > 
> > > >    # Trying to open key slot 5 [INACTIVE].
> > > > 
> > > >    # Trying to open key slot 6 [INACTIVE].
> > > > 
> > > >    # Trying to open key slot 7 [INACTIVE].
> > > > 
> > > >    No key available with this passphrase.
> > > > 
> > > >    On 3 Nov 2016, at 19:04, Michael Kjörling <[1]michael at kjorling.se>
> > > >    wrote:
> > > > 
> > > >    On 3 Nov 2016 18:30 +0000, from [2]zero.tonin at web.de (Zero Tonin):
> > > > 
> > > >      user at debian:~$ sudo cryptsetup luksOpen /dev/sda5 crypt1
> > > > 
> > > >      Enter passphrase for /dev/sda5:
> > > > 
> > > >      No key available with this passphrase.
> > > > 
> > > >    Could you try running this again, but add the `--debug` option to
> > > >    cryptsetup, then post the resulting log?
> > > >    Make sure to sanitize the passphrase itself from the log if it's there
> > > >    (I don't know), but leave everything else intact.
> > > >    --
> > > >    Michael Kjörling • [3]https://michael.kjorling.se
> > > >    [4]michael at kjorling.se
> > > >                    “People who think they know everything really annoy
> > > >                    those of us who know we don’t.” (Bjarne Stroustrup)
> > > >    _______________________________________________
> > > >    dm-crypt mailing list
> > > >    [5]dm-crypt at saout.de
> > > >    [6]http://www.saout.de/mailman/listinfo/dm-crypt
> > > > 
> > > > References
> > > > 
> > > >    1. mailto:michael at kjorling.se
> > > >    2. mailto:zero.tonin at web.de
> > > >    3. https://michael.kjorling.se/
> > > >    4. mailto:michael at kjorling.se
> > > >    5. mailto:dm-crypt at saout.de
> > > >    6. http://www.saout.de/mailman/listinfo/dm-crypt
> > > 
> > > 
> > > 
> > > -- 
> > > Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
> > > GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> > > ----
> > > A good decision is based on knowledge and not on numbers. -- Plato
> > > 
> > > If it's in the news, don't worry about it.  The very definition of 
> > > "news" is "something that hardly ever happens." -- Bruce Schneier
> 
> -- 
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
> 
> If it's in the news, don't worry about it.  The very definition of 
> "news" is "something that hardly ever happens." -- Bruce Schneier
>
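
Added example, not part of the original message or of the cryptsetup sources: a shell check that the LUKS1 header and keyslot area of an image copy matches the original byte for byte, following the quoted advice to checksum copy and original. The 512-byte sector size and the header size of 4036 sectors are taken from the --debug output quoted above; the function names and the use of sha256sum instead of md5sum are this example's own choices.

```shell
#!/bin/sh
# Compare the LUKS1 header + keyslot region of an original device and a copy.
# Values from the thread's --debug output: 512-byte sectors, header size 4036 sectors.
SECTOR_SIZE=512
HEADER_SECTORS=4036

# region_hash PATH [SECTORS]: SHA-256 of the first SECTORS sectors of PATH.
region_hash() {
    dd if="$1" bs="$SECTOR_SIZE" count="${2:-$HEADER_SECTORS}" 2>/dev/null \
        | sha256sum | cut -d' ' -f1
}

# region_len PATH [SECTORS]: bytes actually readable from that region.
region_len() {
    dd if="$1" bs="$SECTOR_SIZE" count="${2:-$HEADER_SECTORS}" 2>/dev/null \
        | wc -c | tr -d ' '
}

# compare_header ORIGINAL COPY [SECTORS]
# Returns 0 if the regions are identical, 1 if they differ,
# 2 if either side is shorter than the region (e.g. a truncated image).
compare_header() {
    sectors="${3:-$HEADER_SECTORS}"
    want=$((sectors * SECTOR_SIZE))
    for f in "$1" "$2"; do
        if [ "$(region_len "$f" "$sectors")" -ne "$want" ]; then
            echo "short read on $f: header region is truncated" >&2
            return 2
        fi
    done
    if [ "$(region_hash "$1" "$sectors")" = "$(region_hash "$2" "$sectors")" ]; then
        echo "header region identical"
        return 0
    fi
    # A single differing byte inside a keyslot is enough to make it unusable.
    echo "header region differs; first differing byte offsets (0-based):" >&2
    cmp -l -n "$want" "$1" "$2" | head -n 5 | awk '{print $1 - 1}' >&2
    return 1
}

# Stand-alone use: ./check_header.sh /dev/sdX5 /path/to/image
if [ "$#" -eq 2 ]; then
    compare_header "$1" "$2"
fi
```

Offsets reported between 0x001000 and 0x03f800 fall inside keyslot 0 as listed in the chk_luks_keyslots output above.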

