[dm-crypt] Unable to dump header with --dump-master-key

Waqar Khan waqark3389temp at gmail.com
Wed Mar 29 15:30:42 CEST 2017


Hi,

Apologies, I jumped the gun on asking here. I re-read the question and
it says type yes capitalised. Please ignore.

Regards

On Wed, Mar 29, 2017 at 2:23 PM, Waqar Khan <waqark3389temp at gmail.com> wrote:
> I am playing around and learning about LUKS encryption on CentOS, so I
> installed CentOS 7 with the /home partition encrypted.
>
> I am trying to dump the header with the master key for safe keeping in
> case I forget the passphrase or the header becomes corrupt (more to
> learn about how it works and what the header looks like).
>
> Here is the command I am using which I got from
> https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#6-backup-and-data-recovery:
>
> [root@testmachine1 ~]# cryptsetup --dump-master-key luksDump /dev/dm-2
>
> WARNING!
> ========
> Header dump with volume key is sensitive information
> which allows access to encrypted partition without passphrase.
> This dump should be always stored encrypted on safe place.
>
> Are you sure? (Type uppercase yes): yes
> [root@testmachine1 ~]#
>
> As you can see, I cannot get any output. If I remove the
> --dump-master-key I can see the header. Here is the output without
> --dump-master-key:
>
> [root@testmachine1 ~]# cryptsetup luksDump /dev/dm-2
> LUKS header information for /dev/dm-2
>
> Version:       1
> Cipher name:   aes
> Cipher mode:   xts-plain64
> Hash spec:     sha1
> Payload offset: 4096
> MK bits:       512
> MK digest:     <removed by me :) >
> MK salt:       <removed by me>
> MK iterations: 40500
> UUID:           3d499ed2-0c01-463a-ba3e-2cd306b22f7d
>
> Key Slot 0: ENABLED
> Iterations:         163264
> Salt:               <removed by me>
> Key material offset: 8
> AF stripes:             4000
> Key Slot 1: DISABLED
> Key Slot 2: DISABLED
> Key Slot 3: DISABLED
> Key Slot 4: DISABLED
> Key Slot 5: DISABLED
> Key Slot 6: DISABLED
> Key Slot 7: DISABLED
>
> I can get the unencrypted key using this command:
>
> [root@testmachine1 ~]# dmsetup table --target crypt --showkey /dev/mapper/luks-3d499ed2-0c01-463a-ba3e-2cd306b22f7d
> 0 409595904 crypt aes-xts-plain64 <I can see the key here> 0 253:2 4096
>
> Regards

