* A new container with an old header
@ 2023-07-12 15:59 Darek Hisc
  2023-07-12 18:25 ` Michael Kjörling
  0 siblings, 1 reply; 5+ messages in thread
From: Darek Hisc @ 2023-07-12 15:59 UTC (permalink / raw)
  To: cryptsetup

Hi

I have a 100MB LUKS2 "file1" file-container with detached "header1".
I now need to create a new 200MB container "file2", but still use the old header "header1" for it.
I haven't found an option for luksFormat that allows you to use "header1".

I tried FAQ 6.10, but:
- the script https://gitlab.com/cryptsetup/cryptsetup/blob/main/misc/luks-header-from-active returns "Incompatible device"
- manual execution of the procedure returns different Salt and Digest

Is there a way to create a second file-container served by the old header?

Alternatively, a way to increase the size of "file1" to 200MB. All the information I've found is about resizing a partition or LVM. But I don't know how to increase LUKS2 file-container.

Please help...




* Re: A new container with an old header
  2023-07-12 15:59 A new container with an old header Darek Hisc
@ 2023-07-12 18:25 ` Michael Kjörling
  2023-07-13 15:30   ` Darek Hisc
  0 siblings, 1 reply; 5+ messages in thread
From: Michael Kjörling @ 2023-07-12 18:25 UTC (permalink / raw)
  To: cryptsetup

On 12 Jul 2023 15:59 +0000, from darek.hisc@aleeas.com (Darek Hisc):
> Alternatively, a way to increase the size of "file1" to 200MB. All
> the information I've found is about resizing a partition or LVM. But
> I don't know how to increase LUKS2 file-container.

There should be nothing special about the LUKS container being within
a file.

Of course DO make a backup of your container (and header, if separate)
before you do this, and I'd triple-check to ensure the container isn't
open at the time just to avoid the risk of something getting confused
by the change in size, but something adapted from the following should
work.

$ dd if=/dev/urandom of=luks-container bs=1048576 count=100
$ stat luks-container
  File: luks-container
  Size: 104857600 ...
$ md5sum -b luks-container
<something>
$ truncate -s 200M luks-container
$ dd if=luks-container bs=1048576 count=100 | md5sum -b
<same something, proves that the first half is unaltered>
$ stat luks-container
  File: luks-container
  Size: 209715200 ...
$

Then enlarge the file system within the container normally. Exactly
how you do that will of course depend on exactly what the contents of
the container is.

The key here is using "truncate -s" to set the new size of the file
without otherwise altering its contents.

-- 
Michael Kjörling                     🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”



* Re: A new container with an old header
  2023-07-12 18:25 ` Michael Kjörling
@ 2023-07-13 15:30   ` Darek Hisc
  2023-07-13 16:29     ` Michael Kjörling
  0 siblings, 1 reply; 5+ messages in thread
From: Darek Hisc @ 2023-07-13 15:30 UTC (permalink / raw)
  To: cryptsetup


Thank you Michael for your suggestions!
Particularly valuable for me is the ability to check the checksum of a fragment of a file (I did not know this before):
$ dd if=luks-container bs=1048576 count=100 | md5sum -b

Instead of `truncate -s 200M` I found a better solution for my use case:
`head -c 200M /dev/urandom >> my-container`
It creates "real data" instead of "sparse file" (whatever that means) and is supposedly more secure.
Then I used `cryptsetup resize` and later `resize2fs /dev/mapper/xxx` and everything looks fine now :)

Cheers!




* Re: A new container with an old header
  2023-07-13 15:30   ` Darek Hisc
@ 2023-07-13 16:29     ` Michael Kjörling
  2023-07-14 15:59       ` Darek Hisc
  0 siblings, 1 reply; 5+ messages in thread
From: Michael Kjörling @ 2023-07-13 16:29 UTC (permalink / raw)
  To: cryptsetup

On 13 Jul 2023 15:30 +0000, from darek.hisc@aleeas.com (Darek Hisc):
> Thank you Michael for your suggestions!
> Particularly valuable for me is the ability to check the checksum of a fragment of a file (I did not know this before):
> $ dd if=luks-container bs=1048576 count=100 | md5sum -b

You can also use skip= and/or different values for bs= and count= to
get a checksum for any arbitrary portion of a file (of known offset
and length); or really, pass the data to any arbitrary program. I used
md5sum for illustrative purposes and because any non-malicious change
is likely to have a significant impact on even an MD5 hash, making
obvious any corruption from the enlargement. I strongly advise against
using MD5 for anything where cryptographic strength matters.


> Instead of `truncate -s 200M` I found a better solution for my use case:
> `head -c 200M /dev/urandom >> my-container`

Yes, something like that should work just as well (though of course
with that particular command and starting with a 100 MB container
you'd get a 300 MB container instead of 200 MB). There are other ways
as well, like using dd to graft data from one file into another; I
picked one method, not really to the exclusion of others but to keep
things reasonably straight-forward in my example.

**In short**, there are multiple ways to enlarge the container file,
and once that has been done, there should be nothing special about
your setup compared to having a LUKS container backed by a partition
or a portion of LVM-managed storage.

-- 
Michael Kjörling                     🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
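
Added example, not part of the original thread and not cryptsetup code: the enlargement discussed above, done to an absolute target size so that the append variant cannot overshoot (the 100 MB + 200 MB = 300 MB case), with the original bytes checked by SHA-256 before and after. It assumes GNU coreutils; the function names grow_container, prefix_sha256 and allocated_bytes are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: grow a file-backed container to an absolute size and
# verify that the bytes that were already there did not change.
set -eu

# SHA-256 of the first $2 bytes of file $1.
prefix_sha256() {
    head -c "$2" -- "$1" | sha256sum | cut -d' ' -f1
}

# Bytes actually allocated on disk; lower than the file size for a sparse file.
allocated_bytes() {
    echo $(( $(stat -c %b -- "$1") * $(stat -c %B -- "$1") ))
}

# grow_container FILE TARGET_BYTES [sparse|random]
# Prints the final size; non-zero exit if it refuses or verification fails.
grow_container() {
    local file=$1 target=$2 mode=${3:-sparse}
    local old_size before after new_size
    old_size=$(stat -c %s -- "$file")
    if [ "$target" -le "$old_size" ]; then
        echo "refusing: target $target <= current size $old_size" >&2
        return 1
    fi
    before=$(prefix_sha256 "$file" "$old_size")
    case $mode in
        # truncate sets the size; the new tail is a hole that reads as zeros
        sparse) truncate -s "$target" -- "$file" ;;
        # append only the difference, not the target, to avoid overshooting
        random) head -c "$((target - old_size))" /dev/urandom >> "$file" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    new_size=$(stat -c %s -- "$file")
    after=$(prefix_sha256 "$file" "$old_size")
    if [ "$new_size" -ne "$target" ] || [ "$before" != "$after" ]; then
        echo "verification failed for $file" >&2
        return 3
    fi
    echo "$new_size"
}

# Follow-up steps named in the thread, run as root once the container is open:
#   cryptsetup resize <name>  &&  resize2fs /dev/mapper/<name>
if [ "$#" -ge 2 ]; then grow_container "$@"; fi
```

Run it against a backup copy first, with the container closed, as advised earlier in the thread.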



* Re: A new container with an old header
  2023-07-13 16:29     ` Michael Kjörling
@ 2023-07-14 15:59       ` Darek Hisc
  0 siblings, 0 replies; 5+ messages in thread
From: Darek Hisc @ 2023-07-14 15:59 UTC (permalink / raw)
  To: cryptsetup

> I strongly advise against using MD5 for anything where cryptographic strength matters.
In my action I descended MD5 via sha256sum :)

> There are other ways
> as well, like using dd to graft data from one file into another; I
> picked one method, not really to the exclusion of others but to keep
> things reasonably straight-forward in my example.
I like to learn (when I have a bit of free time) and I came up with this alternative on my own:
dd if=/dev/random count=100M iflag=count_bytes oflag=append conv=notrunc of=/my-container
It seems to be working properly.
What do you think?


