[dm-crypt] Unable to dump header with --dump-master-key

Waqar Khan waqark3389temp at gmail.com
Wed Mar 29 15:23:27 CEST 2017


I am playing around and learning about LUKS encryption on Centos, so I
installed Centos 7 with the /home partition encrypted.

I am trying to dump the header with the master key for safe keeping in
case I forget the passphrase or the header becomes corrupt (More to
learn about how it works and how the header looks like)

Here is the command I am using which I got from
https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#6-backup-and-data-recovery:

[root at testmachine1 ~]#  cryptsetup --dump-master-key luksDump /dev/dm-2

WARNING!
========
Header dump with volume key is sensitive information
which allows access to encrypted partition without passphrase.
This dump should be always stored encrypted on safe place.

Are you sure? (Type uppercase yes): yes
[root at testmachine1 ~]#

As you can see I can not get any output. If I remove the
--dump-master-key I can see the header, here is the output without
--dump-master-key:

[root at testmachine1 ~]#  cryptsetup luksDump /dev/dm-2
LUKS header information for /dev/dm-2

Version:       1
Cipher name:   aes
Cipher mode:   xts-plain64
Hash spec:     sha1
Payload offset: 4096
MK bits:       512
MK digest:     <removed by me :) >
MK salt:       <removed by me>
MK iterations: 40500
UUID:           3d499ed2-0c01-463a-ba3e-2cd306b22f7d

Key Slot 0: ENABLED
Iterations:         163264
Salt:               <removed by me>
Key material offset: 8
AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

I can get the unencrypted key using this command:

[root at testmachine1 ~]# dmsetup table --target crypt --showkey
/dev/mapper/luks-3d499ed2-0c01-463a-ba3e-2cd306b22f7d
0 409595904 crypt aes-xts-plain64 <I can see the key here> 0 253:2 4096

Regards


More information about the dm-crypt mailing list