[dm-crypt] cryptsetup & decrypt-derived

Arno Wagner arno at wagner.name
Mon Jun 27 03:46:04 CEST 2011


On Sat, Jun 25, 2011 at 08:47:26PM +0200, Mahashakti89 wrote:
> Hi,
> I am running Debian Sid, two partitions are encrypted with
> cryptsetup: /home on /dev/sda and /backup on /dev/sdd.
> For /home I used the luks option and I type a password on boot;
> for /backup I used /lib/cryptsetup/scripts/decrypt_derived and the
> keyfile option in order to type only the password for /home.
> Last week I had to format /home. I created a new encrypted volume
> with the same luks option and the same password; /backup was untouched,
> but now I can no longer open the backup volume despite the fact that I used
> the same decrypt_derived and keyfile options.
> How do I make this work, I mean, access /backup?? What did I
> miss??
> Hope my explanations are clear ....

If I understand this right, then decrypt_derived uses the
master key of an already mapped device as input
into something else, here your backup device's passphrase.

If so, then the problem is clear: LUKS does not derive
the master key from your password. Rather, the password
is used for one of 8 encrypted versions of the master
key, and the master key gets generated randomly on
luksFormat. (The encrypted master key is also expanded
into anti-forensic stripes, but that is not relevant
for your problem.)

Now, when you did the formatting of /home, you also
generated a new master key, and decrypt_derived reports
that new key now. Unless you have a header backup or
a master key backup of the old /home, then /backup
is gone permanently, i.e. nothing can be done.

If you have a header backup, restore that header to
a luks partition that you do not care about (the FAQ
explains how to do this with a loopback-file, which
should work), map the partition with your password
and call decrypt_derived on it. That gives you the
password for /backup. The luks partition used here
will never even be accessed, do not mount it. You
just have to put the header somewhere in order to be
able to map the device and get the master key from
it. Don't use a luks partition with data for this!

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 
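The key hierarchy Arno describes, as an added educational model that is not cryptsetup's real on-disk format or the Debian keyscript: the master key is random per luksFormat, the passphrase only unwraps a stored copy of it, and decrypt_derived hands out that master key, so a reformat with the same passphrase changes the derived secret while a restored header backup recovers it. The toy keystream cipher and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 10_000  # assumed iteration count for this model


def _keystream_xor(kek: bytes, data: bytes) -> bytes:
    """Toy stand-in for keyslot encryption (NOT the cipher LUKS actually uses)."""
    out, block = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(kek, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def luks_format(passphrase: str) -> dict:
    """Generate a fresh random master key and store it wrapped under the passphrase."""
    master_key = os.urandom(32)
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    return {
        "salt": salt,
        "keyslot": _keystream_xor(kek, master_key),          # one of the 8 encrypted copies
        "mk_digest": hashlib.sha256(master_key).digest(),    # lets luks_open detect a wrong passphrase
    }


def luks_open(header: dict, passphrase: str) -> bytes:
    """Unwrap the master key from the header; this is what the mapped device uses."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), header["salt"], PBKDF2_ROUNDS)
    master_key = _keystream_xor(kek, header["keyslot"])
    if not hmac.compare_digest(hashlib.sha256(master_key).digest(), header["mk_digest"]):
        raise ValueError("no key slot matches this passphrase")
    return master_key


def decrypt_derived(master_key: bytes) -> str:
    """Model of the decrypt_derived keyscript: the derived secret is the master key itself."""
    return master_key.hex()


def reformat_scenario(passphrase: str = "same password") -> dict:
    """Walk through the thread: reformat /home with the same passphrase, then recover via a header backup."""
    home_v1 = luks_format(passphrase)
    original = decrypt_derived(luks_open(home_v1, passphrase))     # what /backup was keyed with
    saved_header = dict(home_v1)                                    # luksHeaderBackup, taken in time
    home_v2 = luks_format(passphrase)                               # the reformat: new random master key
    after_reformat = decrypt_derived(luks_open(home_v2, passphrase))
    recovered = decrypt_derived(luks_open(saved_header, passphrase))  # header restored to a scratch device
    return {"original": original, "after_reformat": after_reformat, "from_header_backup": recovered}
```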