[dm-crypt] recovering forgotten passwords for 2 LVs

ken gebser at mousecar.com
Tue Aug 23 00:33:30 CEST 2011

On 08/22/2011 12:19 PM Yves-Alexis Perez wrote:
> On lun., 2011-08-22 at 10:48 -0400, ken wrote:
>> echo -n "$PASS PHRASE" |/sbin/cryptsetup luksOpen /dev/sdb5 name1
>> is cryptsetup going to be talking to one or the other encrypted LVs...?
>> and if so, which one? 
> /dev/sdb5 doesn't look like a logical volume. Are you sure you activated
> the volume groups before.

Yves, thanks for replying.

This setup worked fine for years without changing anything on it.  I'm
fairly certain that there are two logical volumes on /dev/sda5, both
encrypted.  As said, when I booted the system up, I was prompted for two
passphrases (one for each filesystem).

Does this tell us anything?

# cryptsetup luksDump /dev/sda5
LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
MK digest:      a6 74 e6 0d 12 60 aa ae 29 fc 19 74 7c b2 8f 88 23 fd 52 75
MK salt:        b2 5d f0 62 f8 f0 3c b9 de 5a a5 a8 75 31 91 71
                7a 72 2c 4d e0 a5 38 b2 eb 46 ae ec 1c 47 2b 39
MK iterations:  10
UUID:           074c3369-bd66-4afa-97ad-973769aeb208

Key Slot 0: ENABLED
        Iterations:             104644
        Salt:                   0e bf a9 bf eb 10 b6 02 52 5c f4 08 fc
02 b4 2a
                                85 f6 eb 16 fc ac 59 a9 1f b5 93 9c 6b
c3 11 b2
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

> I don't have a clue what your setup is, 

I have to admit that I don't know how it was set up either.  It was all
part of an install routine (started after booting an install DVD) which
I ran two years ago.  The install routine didn't explain how the
filesystem encryption was being set up.  I probably just clicked on a
couple checkboxes to encrypt the two filesystems/LVs/(?).

> but it might just be that you
> need to run
> vgchange -ay <vgname>

On the other hand, if I do a "vgdisplay /dev/sda5", I get a series of
lines saying "Input/output error" along with the locations of those
errors, ending with the statement 'Volume group "sda5" not found'.

I'd think that if vgdisplay can't locate the volume group, then vgchange
isn't going to function properly.  And, as said in an earlier post, the
PV/VG/LV/LUKS configuration all booted and mounted just fine.  It's just
that I recently forgot the two passphrases needed to mount the two LVs.

In addition, this happens if I try to mount /dev/sda5:

# mount /dev/sda5 /mnt/sda5
mount: unknown filesystem type 'crypt_LUKS'

> which would make your two lvs appear in /dev/mapper/<vg>-<lv> or
> something like that.

There is another partition which I can mount, /dev/sda3, which
ultimately (if I knew the passphrases so everything would be properly
mounted) is mounted on /boot.  As such it contains kernels, system maps,
etc., and of course /boot/grub/menu.lst; this last lists an entry (one
of the items which appears in the grub boot menu):

title CentOS (2.6.18-238.12.1.el5)
        root (hd0,2)
        kernel /vmlinuz-2.6.18-238.12.1.el5 ro
root=/dev/mapper/luks-3d723b4f-0184-438d-9cb9-9ebff16e683a rhgb quiet
        initrd /initrd-2.6.18-238.12.1.el5.img

(The line beginning "kernel" wraps... everything through "quiet" is on
one line.)  Could this be the "/dev/mapper/<vg>-<lv>" you referred to?

My uneducated guess (newbie + 5 days) is that /dev/sda5 is a LUKS
container, inside of which are the two logical volumes (each of which is
separately encrypted) and that something in the /boot partition
(/dev/sda3, which I can mount) says to read /dev/sda5-- *how* to read
it, or what to read it with, I don't know.

More information about the dm-crypt mailing list