From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from v1.tansi.org (mail.tansi.org [84.19.178.47])
	by mail.server123.net (Postfix) with ESMTP
	for ; Tue, 28 Jun 2016 15:55:56 +0200 (CEST)
Received: from gatewagner.dyndns.org (77-56-144-126.dclient.hispeed.ch [77.56.144.126])
	by v1.tansi.org (Postfix) with ESMTPA id AA4551403A2
	for ; Tue, 28 Jun 2016 15:55:54 +0200 (CEST)
Date: Tue, 28 Jun 2016 15:55:55 +0200
From: Arno Wagner
Message-ID: <20160628135554.GB24798@tansi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Subject: Re: [dm-crypt] unlock luks volume using valid keyslot
To: dm-crypt@saout.de

The thing here is that not your keyslot is invalid, but rather
its descriptor, which is part of the header.

One thing you can immediately do (after a header backup!) is
to just put the right offset into the header descriptor.
Addresses are in FAQ Item 6.12. As Keyslot 4 is inactive,
you can basically copy the one before or after, I think.

If conventional header backup does not work, do a manual
one (see FAQ Item 6.2).

That should get you one step further. But only if the
salts in the header and keyslot are fine.

Regards,
Arno

On Tue, Jun 28, 2016 at 07:47:55 CEST, Oko Hid wrote:
> Dear dm-crypt members,
>
> Please teach me how to unlock the luks partition using valid keyslot.
>
> My /dev/sda is crypto_LUKS partition volume, and xfs partition (/home)
> is contained.
> I got "Luks keyslot 4 is invalid." message just after following operation.
> (I use only keyslot 0, and I know the valid passphrase of course.)
>
> My workstation is HP's Z820 with 2CPUs works gentoo linux.
> Recently a fan seems having trouble, so I tried HP's Diagnostic CD,
> booted from the CD
> and executed diag tool.
> The tool tried to write the result log "C:" drive, that triggered a tragedy.
> The luks header must be corrupted at that time.
>
> I do not have the backup of luks header, so I cannot unlock this
> partition for now.
>
> I found the site FAQ
> (https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions),
> So I would like to request the clue to access the partition and data,
> here this mailing list.
>
> The debug output of unlocking operation is following...
> ---
> zucchini ~ # cryptsetup -v --debug --key-slot=0 luksDump /dev/sda
> # cryptsetup 1.6.5 processing "cryptsetup -v --debug --key-slot=0
> luksDump /dev/sda"
> # Running command luksDump.
> # Locking memory.
> # Installing SIGINT/SIGTERM handler.
> # Unblocking interruption on signal.
> # Allocating crypt device /dev/sda context.
> # Trying to open and read device /dev/sda.
> # Initialising device-mapper backend library.
> # Trying to load LUKS1 crypt type from device /dev/sda.
> # Crypto backend (gcrypt 1.6.5) initialized.
> # Reading LUKS header of size 1024 from device /dev/sda
> # Invalid offset 3012998038 in keyslot 4 (beyond data area offset 4096).
> LUKS keyslot 4 is invalid.
> # Releasing crypt device /dev/sda context.
> # Releasing device-mapper backend.
> # Unlocking memory.
> Command failed with code 22: LUKS keyslot 4 is invalid.
> ---
>
> The command blkid seems to be OK.
> ---
> zucchini ~ # blkid -p /dev/sda
> /dev/sda: UUID="30016d75-****-4c68-898a-************" VERSION="1"
> TYPE="crypto_LUKS" USAGE="crypto"
> ---
>
> The head of /dev/sda is following.
> ---
> zucchini ~ # hexdump -C -n 112 /dev/sda
> 00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
> 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> 00000020  00 00 00 00 00 00 00 00  78 74 73 2d 70 6c 61 69  |........xts-plai|
> 00000030  6e 36 34 00 00 00 00 00  00 00 00 00 00 00 00 00  |n64.............|
> 00000040  00 00 00 00 00 00 00 00  73 68 61 31 00 00 00 00  |........sha1....|
> 00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> 00000060  00 00 00 00 00 00 00 00  00 00 10 00 00 00 00 20  |............... |
> 00000070
> ---
>
> I also tried Arno's chk_luks_keyslots.
> (http://www.saout.de/pipermail/dm-crypt/attachments/20120909/39ee1325/attachment.c)
> The output was...
> ---
> zucchini keyslotchecker # ./chk_luks_keyslots /dev/sda
>
> Sectors with entropy below threshold (0.850000):
>
> Keyslot 0: start: 0x1000
>
> Keyslot 1: start: 0x21000
> keyslot not in use
>
> Keyslot 2: start: 0x41000
> keyslot not in use
>
> Keyslot 3: start: 0x61000
> keyslot not in use
>
> Keyslot 4: start: 0x2d672c00
> keyslot not in use
>
> Keyslot 5: start: 0xa1000
> keyslot not in use
>
> Keyslot 6: start: 0xc1000
> keyslot not in use
>
> Keyslot 7: start: 0xe1000
> keyslot not in use
> ---
> The output message shows the addresses of keyslots, and
> of keyslot 4 may be invalid.
> (However, 0 seems ok ... I wish.)
>
> So, how can I do for this situation?
> Is it possible to access the partition and data using Keyslot 0 ?
>
> Thanks, in advance.
>
> Hide
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.
The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier
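
Added example, not part of the original thread and not cryptsetup code: a read-only check of the LUKS1 keyslot descriptors that flags an out-of-range key material offset like the one in the debug output above and reports the offset the regular layout would put there. The field layout follows the LUKS1 on-disk format; the 4000-stripe default, the 8-sector keyslot alignment and the in-memory sample header (built from the values quoted in the thread) are assumptions.

```python
import struct

# LUKS1 header, big-endian, 592 bytes: 208-byte fixed part + 8 keyslot descriptors.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")        # active, iterations, salt, offset, stripes
SECTOR, NUM_SLOTS, ALIGN = 512, 8, 8    # ALIGN: assumed 4096-byte alignment, in sectors
ACTIVE, DISABLED = 0x00AC71F3, 0x0000DEAD

def parse_slots(hdr):
    """Return (payload_offset, key_bytes, slots) from raw header bytes."""
    magic, ver, _, _, _, payload, key_bytes, *_ = PHDR.unpack_from(hdr, 0)
    if magic != b"LUKS\xba\xbe" or ver != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(NUM_SLOTS):
        active, _, _, off, stripes = SLOT.unpack_from(hdr, PHDR.size + i * SLOT.size)
        slots.append({"slot": i, "active": active == ACTIVE,
                      "offset": off, "stripes": stripes})
    return payload, key_bytes, slots

def check_slots(hdr, default_stripes=4000):
    """Flag descriptors whose key material cannot lie before the data area."""
    payload, key_bytes, slots = parse_slots(hdr)
    af = -(-key_bytes * default_stripes // SECTOR)   # key material size in sectors
    stride = -(-af // ALIGN) * ALIGN                  # rounded up to the alignment
    report = []
    for s in slots:
        bad = s["offset"] < ALIGN or s["offset"] + af > payload
        report.append({**s, "valid": not bad,
                       "expected": ALIGN + s["slot"] * stride})
    return report

def sample_header():
    """Constructed header using values quoted in the thread (not a real dump)."""
    hdr = bytearray(PHDR.pack(b"LUKS\xba\xbe", 1, b"aes", b"xts-plain64",
                              b"sha1", 4096, 32, b"", b"", 0, b""))
    for i in range(NUM_SLOTS):
        # Slot 4 carries the bad offset 3012998038 from the debug log.
        off = 0xB396B396 if i == 4 else ALIGN + i * 256
        hdr += SLOT.pack(ACTIVE if i == 0 else DISABLED, 0, b"", off, 4000)
    return bytes(hdr)

if __name__ == "__main__":
    for r in check_slots(sample_header()):
        note = "ok" if r["valid"] else "INVALID, regular layout gives %d (0x%x bytes)" % (
            r["expected"], r["expected"] * SECTOR)
        print("keyslot %d: offset %d sectors, %s" % (r["slot"], r["offset"], note))
```

To inspect a real device, pass the first 592 bytes read from a header backup to `check_slots()`; the script never writes anything.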