Date: Sat, 29 Apr 2017 20:30:37 +0200
From: Arno Wagner
Message-ID: <20170429183037.GA22169@tansi.org>
Subject: Re: [dm-crypt] (no subject)
To: dm-crypt@saout.de

Hi Hammad,

sounds like your one key-slot might have been damaged.
Please run the keyslot-checker found in misc/keyslot_checker
of the source package and report the results.

Regards,
Arno

On Sat, Apr 29, 2017 at 19:48:15 CEST, Hammad Siddiqi wrote:
> Hi, No key available with this passphrase.
> One of our hosts, running CentOS 7.1, crashed today with a kernel panic
> on the qemu-kvm process. The VM disks were stored on an encrypted volume,
> which became locked after reboot. The cryptsetup luksOpen command
> throws "No Key available with this passphrase". The encrypted volume
> has a 512 bit key without any password. We also back up our key, and both
> the backup and the key residing on the server are the same. We have tried
> to bypass the current OS by booting up using live CDs of CentOS 7.1,
> Linux Mint 17, and Ubuntu 17.04 with different versions of kernel and
> cryptsetup. This did not succeed. We believe the key is correct but the
> encrypted volume is not accepting it. Can you please help us with this?
> Please let me know if you need something else as well.
> * command used: cryptsetup luksOpen --key-file /etc/luks.key
> /dev/disk/by-uuid/92de4358-d815-496a-8a58-60e55346161d
> raid10-2hs-island
> * Host Kernel Version: 3.10.0-229.el7.x86_64
> * Host Cryptsetup version: 1.6.6
> **output of cryptsetup luksOpen**
> **cryptsetup luksOpen --key-file /etc/luks.key
> /dev/disk/by-uuid/92de4358-d815-496a-8a58-60e55346161d
> raid10-2hs-island --verbose --debug**
> ```
> # cryptsetup 1.7.2 processing "cryptsetup luksOpen --key-file
> /etc/luks.key /dev/disk/by-uuid/92de4358-d815-496a-8a58-60e55346161d
> raid10-2hs-island --verbose --debug"
> # Running command open.
> # Locking memory.
> # Installing SIGINT/SIGTERM handler.
> # Unblocking interruption on signal.
> # Allocating crypt device
> /dev/disk/by-uuid/92de4358-d815-496a-8a58-60e55346161d context.
> # Trying to open and read device
> /dev/disk/by-uuid/92de4358-d815-496a-8a58-60e55346161d with direct-io.
> # Initialising device-mapper backend library.
> # Trying to load LUKS1 crypt type from device
> /dev/disk/by-uuid/92de4358-d815-496a-8a58-60e55346161d.
> # Crypto backend (gcrypt 1.5.3) initialized in cryptsetup library
> version 1.7.2.
> # Detected kernel Linux 3.10.0-229.el7.x86_64 x86_64.
> # Reading LUKS header of size 1024 from device
> /dev/disk/by-uuid/92de4358-d815-496a-8a58-60e55346161d
> # Key length 64, device size 15622799360 sectors, header size 4036
> sectors.
> # Timeout set to 0 miliseconds.
> # Password retry count set to 3.
> # Password verification disabled.
> # Iteration time set to 2000 miliseconds.
> # Password retry count set to 1.
> # Activating volume raid10-2hs-island [keyslot -1] using keyfile
> /etc/luks.key.
> # dm version [ opencount flush ] [16384] (*1)
> # dm versions [ opencount flush ] [16384] (*1)
> # Detected dm-crypt version 1.13.0, dm-ioctl version 4.29.0.
> # Device-mapper backend running with UDEV support enabled.
> # dm status raid10-2hs-island [ opencount flush ] [16384] (*1)
> # File descriptor passphrase entry requested.
> # Trying to open key slot 0 [ACTIVE_LAST].
> # Reading key slot 0 area.
> # Using userspace crypto wrapper to access keyslot area.
> # Trying to open key slot 1 [INACTIVE].
> # Trying to open key slot 2 [INACTIVE].
> # Trying to open key slot 3 [INACTIVE].
> # Trying to open key slot 4 [INACTIVE].
> # Trying to open key slot 5 [INACTIVE].
> # Trying to open key slot 6 [INACTIVE].
> # Trying to open key slot 7 [INACTIVE].
> No key available with this passphrase.
> # Releasing crypt device
> /dev/disk/by-uuid/92de4358-d815-496a-8a58-60e55346161d context.
> # Releasing device-mapper backend.
> # Unlocking memory.
> Command failed with code 1: Operation not permitted
> ```
> **cryptsetup luksDump:**
> ```
> cryptsetup -v luksDump /dev/sdb
> LUKS header information for /dev/sdb
> Version: 1
> Cipher name: aes
> Cipher mode: xts-plain64
> Hash spec: sha1
> Payload offset: 4096
> MK bits: 512
> MK digest: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> MK salt: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> MK iterations: 36750
> UUID: #############################
> Key Slot 0: ENABLED
> Iterations: 141435
> Salt:
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> Key material offset: 8
> AF stripes: 4000
> Key Slot 1: DISABLED
> Key Slot 2: DISABLED
> Key Slot 3: DISABLED
> Key Slot 4: DISABLED
> Key Slot 5: DISABLED
> Key Slot 6: DISABLED
> Key Slot 7: DISABLED
> Command successful.
> ```

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
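
An added example, not part of the original message and not the keyslot_checker shipped in the cryptsetup source package: a sketch of the kind of check a keyslot damage scan performs. It parses a LUKS1 header, locates each enabled keyslot area and flags sectors whose byte entropy is too low to be intact key material. The 0.85 threshold, the function names and the sample image (built from the luksDump values quoted above, with random bytes standing in for key material) are assumptions of this example.

```python
import math
import random
import struct
from collections import Counter

LUKS_MAGIC, SECTOR = b"LUKS\xba\xbe", 512
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
# LUKS1 header, big-endian: magic, version, cipher, mode, hash, payload offset,
# key bytes, MK digest, MK salt, MK iterations, UUID (208 bytes), then 8 slots of
# state, iterations, salt, key material offset (sectors), AF stripes (48 bytes each)
HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")

def active_keyslots(image):
    """Return (slot, byte offset, byte length) of each ENABLED keyslot area."""
    fields = HDR.unpack_from(image, 0)
    if fields[0] != LUKS_MAGIC or fields[1] != 1:
        raise ValueError("not a LUKS1 header")
    key_bytes, found = fields[6], []
    for i in range(8):
        state, _, _, km_sector, stripes = SLOT.unpack_from(image, HDR.size + i * SLOT.size)
        if state == SLOT_ACTIVE:
            found.append((i, km_sector * SECTOR, key_bytes * stripes))
    return found

def entropy(block):
    """Shannon entropy of the byte histogram, scaled to 0..1."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values()) / 8

def damaged_sectors(image, threshold=0.85):
    """Sectors inside enabled keyslot areas that do not look random."""
    bad = []
    for slot, start, length in active_keyslots(image):
        for off in range(start, start + length, SECTOR):
            if entropy(image[off:off + SECTOR]) < threshold:
                bad.append((slot, off // SECTOR))
    return bad

def build_sample(zeroed_sector=None):
    """Constructed image: luksDump values from the thread, random key material."""
    hdr = HDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 64,
                   bytes(20), bytes(32), 36750, b"constructed-uuid")
    slots = SLOT.pack(SLOT_ACTIVE, 141435, bytes(32), 8, 4000)
    slots += SLOT.pack(SLOT_DISABLED, 0, bytes(32), 0, 4000) * 7
    rng = random.Random(0)
    img = bytearray((hdr + slots).ljust(8 * SECTOR, b"\0"))
    img += bytes(rng.getrandbits(8) for _ in range(64 * 4000))
    if zeroed_sector is not None:  # simulate one overwritten sector
        img[zeroed_sector * SECTOR:(zeroed_sector + 1) * SECTOR] = bytes(SECTOR)
    return bytes(img)
```

With the values from the quoted luksDump (64 key bytes, 4000 AF stripes, key material offset 8), the slot 0 area is 256000 bytes, i.e. sectors 8 through 507; because of the anti-forensic splitting, a single damaged sector in that range is enough to make the slot unusable.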