* [dm-crypt] unlock luks volume using valid keyslot
@ 2016-06-28 5:47 Oko Hid
2016-06-28 10:11 ` Milan Broz
2016-06-28 13:55 ` Arno Wagner
0 siblings, 2 replies; 5+ messages in thread
From: Oko Hid @ 2016-06-28 5:47 UTC (permalink / raw)
To: dm-crypt; +Cc: randomwalker0201
Dear dm-crypt members,
Please teach me how to unlock the luks partition using valid keyslot.
My /dev/sda is crypto_LUKS partition volume, and xfs partition (/home)
is contained.
I got "Luks keyslot 4 is invald." message just after following operation.
(I use only keyslot 0, and I know the valid passphrase of course.)
My workstation is HP's Z820 with 2CPUs works gentoo linux.
Recently a fan seems having trouble, so I tried HP's Diagnostic CD,
booted from the CD
and executed diag tool.
The tool tried to write the result log "C:" drive, that triggered a tragedy.
The luks header must be corrupted at that time.
I do not have the backup of luks header, so I cannot unlock this
partition for now.
I found the site FAQ
(https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions),
So I would like to request the clue to access the partition and data,
here this mailing list.
The debug output of unlocking operation is following...
---
zucchini ~ # cryptsetup -v --debug --key-slot=0 luksDump /dev/sda
# cryptsetup 1.6.5 processing "cryptsetup -v --debug --key-slot=0
luksDump /dev/sda"
# Running command luksDump.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device /dev/sda context.
# Trying to open and read device /dev/sda.
# Initialising device-mapper backend library.
# Trying to load LUKS1 crypt type from device /dev/sda.
# Crypto backend (gcrypt 1.6.5) initialized.
# Reading LUKS header of size 1024 from device /dev/sda
# Invalid offset 3012998038 in keyslot 4 (beyond data area offset 4096).
LUKS keyslot 4 is invalid.
# Releasing crypt device /dev/sda context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code 22: LUKS keyslot 4 is invalid.
---
The command blkid seems to be OK.
---
zucchini ~ # blkid -p /dev/sda
/dev/sda: UUID="30016d75-****-4c68-898a-************" VERSION="1"
TYPE="crypto_LUKS" USAGE="crypto"
---
The head of /dev/sda is following.
---
zucchini ~ # hexdump -C -n 112 /dev/sda
00000000 4c 55 4b 53 ba be 00 01 61 65 73 00 00 00 00 00 |LUKS....aes.....|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 78 74 73 2d 70 6c 61 69 |........xts-plai|
00000030 6e 36 34 00 00 00 00 00 00 00 00 00 00 00 00 00 |n64.............|
00000040 00 00 00 00 00 00 00 00 73 68 61 31 00 00 00 00 |........sha1....|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 20 |............... |
00000070
---
I also tried Arno's chk_luks_keyslots.
(http://www.saout.de/pipermail/dm-crypt/attachments/20120909/39ee1325/attachment.c)
The output was...
---
zucchini keyslotchecker # ./chk_luks_keyslots /dev/sda
Sectors with entropy below threshold (0.850000):
Keyslot 0: start: 0x1000
Keyslot 1: start: 0x21000
keyslot not in use
Keyslot 2: start: 0x41000
keyslot not in use
Keyslot 3: start: 0x61000
keyslot not in use
Keyslot 4: start: 0x2d672c00
keyslot not in use
Keyslot 5: start: 0xa1000
keyslot not in use
Keyslot 6: start: 0xc1000
keyslot not in use
Keyslot 7: start: 0xe1000
keyslot not in use
---
The output message shows the addresses of keyslots, and
of keyslot 4 may be invalid.
(However, 0 seems ok ... I wish.)
So, how can I do for this situation?
Is it possible to access the partition and data using Keyslot 0 ?
Thanks, in advance.
Hide
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [dm-crypt] unlock luks volume using valid keyslot
2016-06-28 5:47 [dm-crypt] unlock luks volume using valid keyslot Oko Hid
@ 2016-06-28 10:11 ` Milan Broz
2016-06-28 10:27 ` Oko Hid
2016-06-28 13:55 ` Arno Wagner
1 sibling, 1 reply; 5+ messages in thread
From: Milan Broz @ 2016-06-28 10:11 UTC (permalink / raw)
To: Oko Hid, dm-crypt
On 06/28/2016 07:47 AM, Oko Hid wrote:
> Dear dm-crypt members,
>
> Please teach me how to unlock the luks partition using valid keyslot.
...
> # Invalid offset 3012998038 in keyslot 4 (beyond data area offset 4096).
> LUKS keyslot 4 is invalid.
...
> The output message shows the addresses of keyslots, and
> of keyslot 4 may be invalid.
> (However, 0 seems ok ... I wish.)
>
> So, how can I do for this situation?
> Is it possible to access the partition and data using Keyslot 0 ?
Backup you header manually (just dd 4MB of the device).
dd if=<device> of=backupfile.img bs=1M count=4
(Do not skip this step, really :)
Then run "cryptsetup repair <device>". It should fix slot offsets
and you should be able to access it again.
Milan
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [dm-crypt] unlock luks volume using valid keyslot
2016-06-28 10:11 ` Milan Broz
@ 2016-06-28 10:27 ` Oko Hid
0 siblings, 0 replies; 5+ messages in thread
From: Oko Hid @ 2016-06-28 10:27 UTC (permalink / raw)
To: Milan Broz; +Cc: dm-crypt
Dear Milan,
and dm-crypt members
Thank you for your quick response.
From now, I try to repair my hdd referring your advice, carefully.
Later, I will report the result.
Thank you, again.
2016-06-28 19:11 GMT+09:00 Milan Broz <gmazyland@gmail.com>:
> On 06/28/2016 07:47 AM, Oko Hid wrote:
>> Dear dm-crypt members,
>>
>> Please teach me how to unlock the luks partition using valid keyslot.
>
> ...
>
>
>> # Invalid offset 3012998038 in keyslot 4 (beyond data area offset 4096).
>> LUKS keyslot 4 is invalid.
> ...
>
>> The output message shows the addresses of keyslots, and
>> of keyslot 4 may be invalid.
>> (However, 0 seems ok ... I wish.)
>>
>> So, how can I do for this situation?
>> Is it possible to access the partition and data using Keyslot 0 ?
>
> Backup you header manually (just dd 4MB of the device).
> dd if=<device> of=backupfile.img bs=1M count=4
> (Do not skip this step, really :)
>
> Then run "cryptsetup repair <device>". It should fix slot offsets
> and you should be able to access it again.
>
> Milan
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [dm-crypt] unlock luks volume using valid keyslot
2016-06-28 5:47 [dm-crypt] unlock luks volume using valid keyslot Oko Hid
2016-06-28 10:11 ` Milan Broz
@ 2016-06-28 13:55 ` Arno Wagner
2016-06-28 14:13 ` Arno Wagner
1 sibling, 1 reply; 5+ messages in thread
From: Arno Wagner @ 2016-06-28 13:55 UTC (permalink / raw)
To: dm-crypt
The thing here is that not your keyslot is invalid, but
rather its descriptor, which is part of the header.
One thing you can immediately do (after a header backup!)
is to just put the right offset into the header descriptor.
Addresses are in FAQ Item 6.12. As Keyslot 4 is inactive,
you can basically copy the one before or after, I think.
If conventional header backup does not work, do a manual
one (see FAQ Item 6.2).
That should get you one step further. But only if the
salts in the header and keyslot are fine.
Regards,
Arno
On Tue, Jun 28, 2016 at 07:47:55 CEST, Oko Hid wrote:
> Dear dm-crypt members,
>
> Please teach me how to unlock the luks partition using valid keyslot.
>
> My /dev/sda is crypto_LUKS partition volume, and xfs partition (/home)
> is contained.
> I got "Luks keyslot 4 is invald." message just after following operation.
> (I use only keyslot 0, and I know the valid passphrase of course.)
>
> My workstation is HP's Z820 with 2CPUs works gentoo linux.
> Recently a fan seems having trouble, so I tried HP's Diagnostic CD,
> booted from the CD
> and executed diag tool.
> The tool tried to write the result log "C:" drive, that triggered a tragedy.
> The luks header must be corrupted at that time.
>
> I do not have the backup of luks header, so I cannot unlock this
> partition for now.
>
> I found the site FAQ
> (https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions),
> So I would like to request the clue to access the partition and data,
> here this mailing list.
>
> The debug output of unlocking operation is following...
> ---
> zucchini ~ # cryptsetup -v --debug --key-slot=0 luksDump /dev/sda
> # cryptsetup 1.6.5 processing "cryptsetup -v --debug --key-slot=0
> luksDump /dev/sda"
> # Running command luksDump.
> # Locking memory.
> # Installing SIGINT/SIGTERM handler.
> # Unblocking interruption on signal.
> # Allocating crypt device /dev/sda context.
> # Trying to open and read device /dev/sda.
> # Initialising device-mapper backend library.
> # Trying to load LUKS1 crypt type from device /dev/sda.
> # Crypto backend (gcrypt 1.6.5) initialized.
> # Reading LUKS header of size 1024 from device /dev/sda
> # Invalid offset 3012998038 in keyslot 4 (beyond data area offset 4096).
> LUKS keyslot 4 is invalid.
> # Releasing crypt device /dev/sda context.
> # Releasing device-mapper backend.
> # Unlocking memory.
> Command failed with code 22: LUKS keyslot 4 is invalid.
> ---
>
> The command blkid seems to be OK.
> ---
> zucchini ~ # blkid -p /dev/sda
> /dev/sda: UUID="30016d75-****-4c68-898a-************" VERSION="1"
> TYPE="crypto_LUKS" USAGE="crypto"
> ---
>
> The head of /dev/sda is following.
> ---
> zucchini ~ # hexdump -C -n 112 /dev/sda
> 00000000 4c 55 4b 53 ba be 00 01 61 65 73 00 00 00 00 00 |LUKS....aes.....|
> 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> 00000020 00 00 00 00 00 00 00 00 78 74 73 2d 70 6c 61 69 |........xts-plai|
> 00000030 6e 36 34 00 00 00 00 00 00 00 00 00 00 00 00 00 |n64.............|
> 00000040 00 00 00 00 00 00 00 00 73 68 61 31 00 00 00 00 |........sha1....|
> 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> 00000060 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 20 |............... |
> 00000070
> ---
>
> I also tried Arno's chk_luks_keyslots.
> (http://www.saout.de/pipermail/dm-crypt/attachments/20120909/39ee1325/attachment.c)
> The output was...
> ---
> zucchini keyslotchecker # ./chk_luks_keyslots /dev/sda
>
> Sectors with entropy below threshold (0.850000):
>
> Keyslot 0: start: 0x1000
>
> Keyslot 1: start: 0x21000
> keyslot not in use
>
> Keyslot 2: start: 0x41000
> keyslot not in use
>
> Keyslot 3: start: 0x61000
> keyslot not in use
>
> Keyslot 4: start: 0x2d672c00
> keyslot not in use
>
> Keyslot 5: start: 0xa1000
> keyslot not in use
>
> Keyslot 6: start: 0xc1000
> keyslot not in use
>
> Keyslot 7: start: 0xe1000
> keyslot not in use
> ---
> The output message shows the addresses of keyslots, and
> of keyslot 4 may be invalid.
> (However, 0 seems ok ... I wish.)
>
> So, how can I do for this situation?
> Is it possible to access the partition and data using Keyslot 0 ?
>
> Thanks, in advance.
>
> Hide
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [dm-crypt] unlock luks volume using valid keyslot
2016-06-28 13:55 ` Arno Wagner
@ 2016-06-28 14:13 ` Arno Wagner
0 siblings, 0 replies; 5+ messages in thread
From: Arno Wagner @ 2016-06-28 14:13 UTC (permalink / raw)
To: dm-crypt
Oops, just saw that Milan already replied.
Use his instructions, they are better.
Regards,
Arno
On Tue, Jun 28, 2016 at 15:55:55 CEST, Arno Wagner wrote:
> The thing here is that not your keyslot is invalid, but
> rather its descriptor, which is part of the header.
>
> One thing you can immediately do (after a header backup!)
> is to just put the right offset into the header descriptor.
> Addresses are in FAQ Item 6.12. As Keyslot 4 is inactive,
> you can basically copy the one before or after, I think.
>
> If conventional header backup does not work, do a manual
> one (see FAQ Item 6.2).
>
> That should get you one step further. But only if the
> salts in the header and keyslot are fine.
>
> Regards,
> Arno
>
>
>
> On Tue, Jun 28, 2016 at 07:47:55 CEST, Oko Hid wrote:
> > Dear dm-crypt members,
> >
> > Please teach me how to unlock the luks partition using valid keyslot.
> >
> > My /dev/sda is crypto_LUKS partition volume, and xfs partition (/home)
> > is contained.
> > I got "Luks keyslot 4 is invald." message just after following operation.
> > (I use only keyslot 0, and I know the valid passphrase of course.)
> >
> > My workstation is HP's Z820 with 2CPUs works gentoo linux.
> > Recently a fan seems having trouble, so I tried HP's Diagnostic CD,
> > booted from the CD
> > and executed diag tool.
> > The tool tried to write the result log "C:" drive, that triggered a tragedy.
> > The luks header must be corrupted at that time.
> >
> > I do not have the backup of luks header, so I cannot unlock this
> > partition for now.
> >
> > I found the site FAQ
> > (https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions),
> > So I would like to request the clue to access the partition and data,
> > here this mailing list.
> >
> > The debug output of unlocking operation is following...
> > ---
> > zucchini ~ # cryptsetup -v --debug --key-slot=0 luksDump /dev/sda
> > # cryptsetup 1.6.5 processing "cryptsetup -v --debug --key-slot=0
> > luksDump /dev/sda"
> > # Running command luksDump.
> > # Locking memory.
> > # Installing SIGINT/SIGTERM handler.
> > # Unblocking interruption on signal.
> > # Allocating crypt device /dev/sda context.
> > # Trying to open and read device /dev/sda.
> > # Initialising device-mapper backend library.
> > # Trying to load LUKS1 crypt type from device /dev/sda.
> > # Crypto backend (gcrypt 1.6.5) initialized.
> > # Reading LUKS header of size 1024 from device /dev/sda
> > # Invalid offset 3012998038 in keyslot 4 (beyond data area offset 4096).
> > LUKS keyslot 4 is invalid.
> > # Releasing crypt device /dev/sda context.
> > # Releasing device-mapper backend.
> > # Unlocking memory.
> > Command failed with code 22: LUKS keyslot 4 is invalid.
> > ---
> >
> > The command blkid seems to be OK.
> > ---
> > zucchini ~ # blkid -p /dev/sda
> > /dev/sda: UUID="30016d75-****-4c68-898a-************" VERSION="1"
> > TYPE="crypto_LUKS" USAGE="crypto"
> > ---
> >
> > The head of /dev/sda is following.
> > ---
> > zucchini ~ # hexdump -C -n 112 /dev/sda
> > 00000000 4c 55 4b 53 ba be 00 01 61 65 73 00 00 00 00 00 |LUKS....aes.....|
> > 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> > 00000020 00 00 00 00 00 00 00 00 78 74 73 2d 70 6c 61 69 |........xts-plai|
> > 00000030 6e 36 34 00 00 00 00 00 00 00 00 00 00 00 00 00 |n64.............|
> > 00000040 00 00 00 00 00 00 00 00 73 68 61 31 00 00 00 00 |........sha1....|
> > 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> > 00000060 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 20 |............... |
> > 00000070
> > ---
> >
> > I also tried Arno's chk_luks_keyslots.
> > (http://www.saout.de/pipermail/dm-crypt/attachments/20120909/39ee1325/attachment.c)
> > The output was...
> > ---
> > zucchini keyslotchecker # ./chk_luks_keyslots /dev/sda
> >
> > Sectors with entropy below threshold (0.850000):
> >
> > Keyslot 0: start: 0x1000
> >
> > Keyslot 1: start: 0x21000
> > keyslot not in use
> >
> > Keyslot 2: start: 0x41000
> > keyslot not in use
> >
> > Keyslot 3: start: 0x61000
> > keyslot not in use
> >
> > Keyslot 4: start: 0x2d672c00
> > keyslot not in use
> >
> > Keyslot 5: start: 0xa1000
> > keyslot not in use
> >
> > Keyslot 6: start: 0xc1000
> > keyslot not in use
> >
> > Keyslot 7: start: 0xe1000
> > keyslot not in use
> > ---
> > The output message shows the addresses of keyslots, and
> > of keyslot 4 may be invalid.
> > (However, 0 seems ok ... I wish.)
> >
> > So, how can I do for this situation?
> > Is it possible to access the partition and data using Keyslot 0 ?
> >
> > Thanks, in advance.
> >
> > Hide
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
>
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-06-28 14:13 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-06-28 5:47 [dm-crypt] unlock luks volume using valid keyslot Oko Hid
2016-06-28 10:11 ` Milan Broz
2016-06-28 10:27 ` Oko Hid
2016-06-28 13:55 ` Arno Wagner
2016-06-28 14:13 ` Arno Wagner
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.