[dm-crypt] `cryptsetup luksFormat` fails: "Cannot wipe header on device"

[dm-crypt] `cryptsetup luksFormat` fails: "Cannot wipe header on device"

[Tom Roche]

summary: LUKS newbie wants to LUKS/LVM2 on a dualboot, but several attempts to `cryptsetup luksFormat` the target partition have failed.

details:

(Apologies if this is a FAQ, but I'm not seeing answers from "the FAQ"

http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions

or DDGing or googling the Subject above, as well as differing combinations of its terms.)

I have a laptop that came with Windows, which I previously dualbooted with a Debian Linux (LMDE), and on which I previously experimented with LUKS. It currently has

$ sudo fdisk -l /dev/sda
> Warning: invalid flag 0x0000 of partition table 5 will be corrected by w(rite)

> Disk /dev/sda: 500.1 GB, 500107862016 bytes
> 255 heads, 63 sectors/track, 60801 cylinders, total 976773168 sectors
> Units = sectors of 1 * 512 = 512 bytes
> Sector size (logical/physical): 512 bytes / 512 bytes
> I/O size (minimum/optimal): 512 bytes / 512 bytes
> Disk identifier: 0xce0b2a49

>    Device Boot      Start         End      Blocks   Id  System
> /dev/sda1            2048    34818047    17408000   27  Hidden NTFS WinRE
> /dev/sda2   *    34818048   239618047   102400000    7  HPFS/NTFS/exFAT
> /dev/sda3       239618048   240642047      512000   83  Linux
> /dev/sda4       240642048   976773119   368065536    5  Extended

I'd like to keep the first 2 partitions (i.e., their current contents should be kept as-is):

- /dev/sda1 = OEM diagnostics
- /dev/sda2 = OEM Windows

and redo the latter partitions (i.e., their current contents can be lost):

+ /dev/sda3 = Linux boot
+ /dev/sda4 = to be LVM2-manageable, LUKS-encrypted

I'm now experimenting with PePa's script for installing LMDE with LUKS and LVM2

http://j.mp/makelmdescript

which I've copied to a git repo

https://bitbucket.org/tlroche/install_resizable_encrypted_lmde

to facilitate better collaboration, extension, etc. I've added the script

https://bitbucket.org/tlroche/install_resizable_encrypted_lmde/raw/HEAD/install_LMDE_plus_LUKS_LVM2.sh

to a LiveUSB installer of LMDE-201403 (the latest), which boots and installs correctly: i.e., I have used that LiveUSB for another install (which appears good), and it boots the box on which I want to install the LMDE/LUKS/LVM2 combination. Once booted, I can

1. open a terminal (to bash)
2. run `cryptsetup benchmark`
3. open the script in an editor
4. `sudo -i` to become root
5. start running lines from the script (to learn more about it)

My problem is when I first start try to encrypt /dev/sda4:

# cryptsetup isLuks /dev/sda4 # null response
# echo -e "cryptsetup isLuks==$?"
> cryptsetup isLuks==1
# cryptsetup luksFormat --cipher=serpent-xts-plain64 --key-size=256 --hash=sha256 /dev/sda4
>
> WARNING!
> ========
> This will overwrite data on /dev/sda4 irrevocably.
>
> Are you sure? (Type uppercase yes): YES
> Enter passphrase:
> Verify passphrase:
> Cannot wipe header on device /dev/sda4.

How to fix? Some things I've tried (knowing almost nothing about LUKS or dm-crypt):

1. different cipher=aes-xts-plain64 (though `cryptsetup benchmark` shows serpent running much faster on my hardware): no change (wasn't expecting one :-)

2. `wipefs -a /dev/sda4`, then rerun `cryptsetup luksFormat ...`: no change.

3. `dd if=/dev/zero of=/dev/sda4`, then rerun `cryptsetup luksFormat ...`: no change.

In addition to the general question (how to fix?) I'd also like to know more about the cause: is this problem related to

* the warning above?

> Warning: invalid flag 0x0000 of partition table 5 will be corrected by w(rite)

* the fact that I'm attempting to install to an extended partition. E.g., do I need to create a logical partition=/dev/sda5 inside the extended partition=/dev/sda4 ?

Your assistance is appreciated, Tom Roche <Tom_Roche@pobox.com>

Re: [dm-crypt] `cryptsetup luksFormat` fails: "Cannot wipe header on device"

[Arno Wagner]

Well, I cannot tell you anything about LVM2 (I think it complicates 
things without need or benefit), but as far as I can see, it is
not yet involved.

Now, your problem is not in the FAQ because it is not a LUKS 
problem. The thing is that an extended partition (sda4) is not 
a (data-)partition! What it is is a "partition container" where 
you can put logical partitions in. It really is not a surprise 
cryptsetup (or anything else) cannot read or write it. 

You have 2 choices: 
1. Make sda4 a primary partition (thereby making yourself unable
   to create any additonal partitions, as there is only space for
   4 primary ones)
2. Create a logical partition of desired size in sda4 and
   put LUKS on that.

Arno

On Fri, Mar 21, 2014 at 01:59:27 CET, Tom Roche wrote:
> 
> summary: LUKS newbie wants to LUKS/LVM2 on a dualboot, but several attempts to `cryptsetup luksFormat` the target partition have failed.
> 
> details:
> 
> (Apologies if this is a FAQ, but I'm not seeing answers from "the FAQ"
> 
> http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
> 
> or DDGing or googling the Subject above, as well as differing combinations of its terms.)
> 
> I have a laptop that came with Windows, which I previously dualbooted with a Debian Linux (LMDE), and on which I previously experimented with LUKS. It currently has
> 
> $ sudo fdisk -l /dev/sda
> > Warning: invalid flag 0x0000 of partition table 5 will be corrected by w(rite)
> 
> > Disk /dev/sda: 500.1 GB, 500107862016 bytes
> > 255 heads, 63 sectors/track, 60801 cylinders, total 976773168 sectors
> > Units = sectors of 1 * 512 = 512 bytes
> > Sector size (logical/physical): 512 bytes / 512 bytes
> > I/O size (minimum/optimal): 512 bytes / 512 bytes
> > Disk identifier: 0xce0b2a49
> 
> >    Device Boot      Start         End      Blocks   Id  System
> > /dev/sda1            2048    34818047    17408000   27  Hidden NTFS WinRE
> > /dev/sda2   *    34818048   239618047   102400000    7  HPFS/NTFS/exFAT
> > /dev/sda3       239618048   240642047      512000   83  Linux
> > /dev/sda4       240642048   976773119   368065536    5  Extended
> 
> I'd like to keep the first 2 partitions (i.e., their current contents should be kept as-is):
> 
> - /dev/sda1 = OEM diagnostics
> - /dev/sda2 = OEM Windows
> 
> and redo the latter partitions (i.e., their current contents can be lost):
> 
> + /dev/sda3 = Linux boot
> + /dev/sda4 = to be LVM2-manageable, LUKS-encrypted
> 
> I'm now experimenting with PePa's script for installing LMDE with LUKS and
> LVM2
> 
> http://j.mp/makelmdescript
> 
> which I've copied to a git repo
> 
> https://bitbucket.org/tlroche/install_resizable_encrypted_lmde
> 
> to facilitate better collaboration, extension, etc. I've added the script
> 
> https://bitbucket.org/tlroche/install_resizable_encrypted_lmde/raw/HEAD/install_LMDE_plus_LUKS_LVM2.sh
> 
> to a LiveUSB installer of LMDE-201403 (the latest), which boots and installs correctly: i.e., I have used that LiveUSB for another install (which appears good), and it boots the box on which I want to install the LMDE/LUKS/LVM2 combination. Once booted, I can
> 
> 1. open a terminal (to bash)
> 2. run `cryptsetup benchmark`
> 3. open the script in an editor
> 4. `sudo -i` to become root
> 5. start running lines from the script (to learn more about it)
> 
> My problem is when I first start try to encrypt /dev/sda4:
> 
> # cryptsetup isLuks /dev/sda4 # null response
> # echo -e "cryptsetup isLuks==$?"
> > cryptsetup isLuks==1
> # cryptsetup luksFormat --cipher=serpent-xts-plain64 --key-size=256 --hash=sha256 /dev/sda4
> >
> > WARNING!
> > ========
> > This will overwrite data on /dev/sda4 irrevocably.
> >
> > Are you sure? (Type uppercase yes): YES
> > Enter passphrase:
> > Verify passphrase:
> > Cannot wipe header on device /dev/sda4.
> 
> How to fix? Some things I've tried (knowing almost nothing about LUKS or dm-crypt):
> 
> 1. different cipher=aes-xts-plain64 (though `cryptsetup benchmark` shows serpent running much faster on my hardware): no change (wasn't expecting one :-)
> 
> 2. `wipefs -a /dev/sda4`, then rerun `cryptsetup luksFormat ...`: no change.
> 
> 3. `dd if=/dev/zero of=/dev/sda4`, then rerun `cryptsetup luksFormat ...`: no change.
> 
> In addition to the general question (how to fix?) I'd also like to know more about the cause: is this problem related to
> 
> * the warning above?
> 
> > Warning: invalid flag 0x0000 of partition table 5 will be corrected by w(rite)
> 
> * the fact that I'm attempting to install to an extended partition. E.g., do I need to create a logical partition=/dev/sda5 inside the extended partition=/dev/sda4 ?
> 
> Your assistance is appreciated, Tom Roche <Tom_Roche@pobox.com>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato

Re: [dm-crypt] `cryptsetup luksFormat` fails: "Cannot wipe header on device"

[Tom Roche]

http://www.saout.de/pipermail/dm-crypt/2014-March/004050.html
[Tom Roche Thu, 20 Mar 2014 20:59:27 -0400]
>> [...] I'm attempting to install to an extended partition. E.g., do I need to
>> create a logical partition=/dev/sda5 inside the extended partition=/dev/sda4 ?

http://www.saout.de/pipermail/dm-crypt/2014-March/004051.html
[Arno Wagner Fri, 21 Mar 2014 06:07:26 +0100]
> [either that or] Make sda4 a primary partition (thereby making yourself
> unable to create any [additional] partitions

Yep, logical partition fixed, thanks.

While I'm here, a `cryptsetup luksFormat` feature request: if possible, It Would Be Nice to implement a test of the target partition that gave the user more useful feedback than is currently provided. Extra credit for failing before passphrase typing :-)

thanks again, Tom Roche <Tom_Roche@pobox.com>