[dm-crypt] After reboot: "Command failed with code 22: Device /dev/md2 is not a valid LUKS device."

Arno Wagner arno at wagner.name
Tue Apr 23 17:52:13 CEST 2013

On Tue, Apr 23, 2013 at 05:13:57PM +0200, Jens-Michael Hoffmann wrote:
> hello,
> the LUKS device in question was set up on top of a raid6 (/dev/md2) consisting
> of 6 partitions (1.8TB each).
> The LUKS device was created with
> cryptsetup --verbose --cipher=aes-xts-plain64 --key-size=256 --verify-passphrase luksFormat /dev/md2


> Then it was opened with (probably, what I could tell from history):
> cryptsetup -v create md2_crypt /dev/md2

That puts a plain dm-crypt mapping on top of the LUKS device.
Open a LUKS device with "luksOpen", not with "create".

> and a XFS filesystem was created on top of it.

That now is in the plain dm-crypt container and likely
did damage the LUKS container created before.

> I put some files on the filesystem which all seemed to work.
> After the first reboot, the array was assembled correctly, but I could not 
> create the crypt mapping anymore:
> root@babylon5:~# LANG=C cryptsetup -v --debug isLuks /dev/md2
> # cryptsetup 1.4.3 processing "cryptsetup -v --debug isLuks /dev/md2"
> # Running command isLuks.
> # Allocating crypt device /dev/md2 context.
> # Trying to open and read device /dev/md2.
> # Initialising device-mapper backend, UDEV is enabled.
> # Detected dm-crypt version 1.12.1, dm-ioctl version 4.23.1.
> # Trying to load LUKS1 crypt type from device /dev/md2.
> # Crypto backend (gcrypt 1.5.0) initialized.
> # Reading LUKS header of size 1024 from device /dev/md2
> # LUKS header not detected.
> Device /dev/md2 is not a valid LUKS device.
> # Releasing crypt device /dev/md2 context.
> # Releasing device-mapper backend.
> Command failed with code 22: Device /dev/md2 is not a valid LUKS device.

Likely something you wrote to the plain mapping overwrote
the LUKS header. Open it as plain to access it.

> The data I put there was not overly important, but still it would be 
> nice if it would not be all lost.
> Is there anything I can try? (I did not yet try cryptsetup --repair)

Don't try that. Your data is in a plain dm-crypt container,
not in the LUKS container that was damaged. Just open it
with "create" again. ("create" does not write anything to disk.
It just creates the plain mapping. No data is written to disk
as a plain mapping does not have metadata.)

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare
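
Added example, not part of the original message and not cryptsetup code: a check of the first bytes of a device for a LUKS1 header, run on a constructed 1024-byte header and on the same bytes after a write through a plain mapping. It assumes the plain mapping starts at device offset 0; the hash name, the payload offset and all function names are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# Start of the LUKS1 on-disk header (big-endian): magic, version, cipher name,
# cipher mode, hash spec, payload offset in sectors, master key length in bytes.
PHDR = struct.Struct(">6sH32s32s32sII")


def _text(raw):
    """Decode a NUL-padded header string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1(first_bytes):
    """Return the header fields as a dict, or None if no LUKS1 header is found."""
    if len(first_bytes) < PHDR.size:
        return None
    magic, version, cipher, mode, hash_spec, offset, key_bytes = PHDR.unpack_from(first_bytes)
    if magic != LUKS_MAGIC or version != 1:
        return None
    return {"cipher": _text(cipher), "mode": _text(mode), "hash": _text(hash_spec),
            "payload_offset_sectors": offset, "key_bits": key_bytes * 8}


def advise(first_bytes):
    """Name the cryptsetup action that matches what is actually on the device."""
    hdr = parse_luks1(first_bytes)
    if hdr is None:
        return "no LUKS header: plain mapping or overwritten header, luksOpen will fail"
    return "LUKS1 %s-%s, %d-bit key: open with luksOpen, not create" % (
        hdr["cipher"], hdr["mode"], hdr["key_bits"])


def constructed_header():
    """Constructed sample using the luksFormat options quoted in the thread.
    Hash "sha1" and payload offset 4096 are assumed values, not from the page."""
    return PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 32).ljust(1024, b"\0")


def write_through_plain_mapping(device, data):
    """Model a plain mapping at offset 0: its sector 0 is the device's sector 0.
    The data stands in for ciphertext; the cipher itself is not modelled."""
    return data + device[len(data):]


if __name__ == "__main__":
    dev = constructed_header()
    print(advise(dev))
    print(advise(write_through_plain_mapping(dev, bytes(range(256)) * 2)))
```

On a real device the first 1024 bytes can be read with dd and passed to parse_luks1(); reading them writes nothing.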
