[dm-crypt] unlock luks volume using valid keyslot

[dm-crypt] unlock luks volume using valid keyslot

[Oko Hid]

Dear dm-crypt members,

Please teach me how to unlock the luks partition using valid keyslot.

My /dev/sda is crypto_LUKS partition volume, and xfs partition (/home)
is contained.
I got "Luks keyslot 4 is invald." message just after following operation.
(I use only keyslot 0, and I know the valid passphrase of course.)

My workstation is HP's Z820 with 2CPUs works gentoo linux.
Recently a fan seems having trouble, so I tried HP's Diagnostic CD,
booted from the CD
and executed diag tool.
The tool tried to write the result log "C:" drive, that triggered a tragedy.
The luks header must be corrupted at that time.

I do not have the backup of luks header, so I cannot unlock this
partition for now.

I found the site FAQ
(https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions),
So I would like to request the clue to access the partition and data,
here this mailing list.

The debug output of unlocking operation is following...
---
zucchini ~ # cryptsetup -v --debug --key-slot=0 luksDump /dev/sda
# cryptsetup 1.6.5 processing "cryptsetup -v --debug --key-slot=0
luksDump /dev/sda"
# Running command luksDump.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device /dev/sda context.
# Trying to open and read device /dev/sda.
# Initialising device-mapper backend library.
# Trying to load LUKS1 crypt type from device /dev/sda.
# Crypto backend (gcrypt 1.6.5) initialized.
# Reading LUKS header of size 1024 from device /dev/sda
# Invalid offset 3012998038 in keyslot 4 (beyond data area offset 4096).
LUKS keyslot 4 is invalid.
# Releasing crypt device /dev/sda context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code 22: LUKS keyslot 4 is invalid.
---

The command blkid seems to be OK.
---
zucchini ~ # blkid -p /dev/sda
/dev/sda: UUID="30016d75-****-4c68-898a-************" VERSION="1"
TYPE="crypto_LUKS" USAGE="crypto"
---

The head of /dev/sda is following.
---
zucchini ~ # hexdump -C -n 112 /dev/sda
00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  78 74 73 2d 70 6c 61 69  |........xts-plai|
00000030  6e 36 34 00 00 00 00 00  00 00 00 00 00 00 00 00  |n64.............|
00000040  00 00 00 00 00 00 00 00  73 68 61 31 00 00 00 00  |........sha1....|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 10 00 00 00 00 20  |............... |
00000070
---

I also tried Arno's chk_luks_keyslots.
(http://www.saout.de/pipermail/dm-crypt/attachments/20120909/39ee1325/attachment.c)
The output was...
---
zucchini keyslotchecker # ./chk_luks_keyslots /dev/sda

Sectors with entropy below threshold (0.850000):

Keyslot 0: start:   0x1000

Keyslot 1: start:  0x21000
  keyslot not in use

Keyslot 2: start:  0x41000
  keyslot not in use

Keyslot 3: start:  0x61000
  keyslot not in use

Keyslot 4: start: 0x2d672c00
  keyslot not in use

Keyslot 5: start:  0xa1000
  keyslot not in use

Keyslot 6: start:  0xc1000
  keyslot not in use

Keyslot 7: start:  0xe1000
  keyslot not in use
---
The output message shows the addresses of keyslots, and
of keyslot 4 may be invalid.
(However, 0 seems ok ... I wish.)

So, how can I do for this situation?
Is it possible to access the partition and data using Keyslot 0 ?

Thanks, in advance.

Hide

Re: [dm-crypt] unlock luks volume using valid keyslot

[Milan Broz]

On 06/28/2016 07:47 AM, Oko Hid wrote:
> Dear dm-crypt members,
> 
> Please teach me how to unlock the luks partition using valid keyslot.

...


> # Invalid offset 3012998038 in keyslot 4 (beyond data area offset 4096).
> LUKS keyslot 4 is invalid.
...

> The output message shows the addresses of keyslots, and
> of keyslot 4 may be invalid.
> (However, 0 seems ok ... I wish.)
> 
> So, how can I do for this situation?
> Is it possible to access the partition and data using Keyslot 0 ?

Backup you header manually (just dd 4MB of the device).
dd if=<device> of=backupfile.img bs=1M count=4
(Do not skip this step, really :)

Then run "cryptsetup repair <device>". It should fix slot offsets
and you should be able to access it again.

Milan

Re: [dm-crypt] unlock luks volume using valid keyslot

[Oko Hid]

Dear Milan,
and dm-crypt members

Thank you for your quick response.
From now, I try to repair my hdd referring your advice, carefully.

Later, I will report the result.

Thank you, again.


2016-06-28 19:11 GMT+09:00 Milan Broz <gmazyland@gmail.com>:
> On 06/28/2016 07:47 AM, Oko Hid wrote:
>> Dear dm-crypt members,
>>
>> Please teach me how to unlock the luks partition using valid keyslot.
>
> ...
>
>
>> # Invalid offset 3012998038 in keyslot 4 (beyond data area offset 4096).
>> LUKS keyslot 4 is invalid.
> ...
>
>> The output message shows the addresses of keyslots, and
>> of keyslot 4 may be invalid.
>> (However, 0 seems ok ... I wish.)
>>
>> So, how can I do for this situation?
>> Is it possible to access the partition and data using Keyslot 0 ?
>
> Backup you header manually (just dd 4MB of the device).
> dd if=<device> of=backupfile.img bs=1M count=4
> (Do not skip this step, really :)
>
> Then run "cryptsetup repair <device>". It should fix slot offsets
> and you should be able to access it again.
>
> Milan
>

Re: [dm-crypt] unlock luks volume using valid keyslot

[Arno Wagner]

The thing here is that not your keyslot is invalid, but 
rather its descriptor, which is part of the header.

One thing you can immediately do (after a header backup!)
is to just put the right offset into the header descriptor.
Addresses are in FAQ Item 6.12. As Keyslot 4 is inactive,
you can basically copy the one before or after, I think.

If conventional header backup does not work, do a manual
one (see FAQ Item 6.2).

That should get you one step further. But only if the 
salts in the header and keyslot are fine.

Regards,
Arno



On Tue, Jun 28, 2016 at 07:47:55 CEST, Oko Hid wrote:
> Dear dm-crypt members,
> 
> Please teach me how to unlock the luks partition using valid keyslot.
> 
> My /dev/sda is crypto_LUKS partition volume, and xfs partition (/home)
> is contained.
> I got "Luks keyslot 4 is invald." message just after following operation.
> (I use only keyslot 0, and I know the valid passphrase of course.)
> 
> My workstation is HP's Z820 with 2CPUs works gentoo linux.
> Recently a fan seems having trouble, so I tried HP's Diagnostic CD,
> booted from the CD
> and executed diag tool.
> The tool tried to write the result log "C:" drive, that triggered a tragedy.
> The luks header must be corrupted at that time.
> 
> I do not have the backup of luks header, so I cannot unlock this
> partition for now.
> 
> I found the site FAQ
> (https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions),
> So I would like to request the clue to access the partition and data,
> here this mailing list.
> 
> The debug output of unlocking operation is following...
> ---
> zucchini ~ # cryptsetup -v --debug --key-slot=0 luksDump /dev/sda
> # cryptsetup 1.6.5 processing "cryptsetup -v --debug --key-slot=0
> luksDump /dev/sda"
> # Running command luksDump.
> # Locking memory.
> # Installing SIGINT/SIGTERM handler.
> # Unblocking interruption on signal.
> # Allocating crypt device /dev/sda context.
> # Trying to open and read device /dev/sda.
> # Initialising device-mapper backend library.
> # Trying to load LUKS1 crypt type from device /dev/sda.
> # Crypto backend (gcrypt 1.6.5) initialized.
> # Reading LUKS header of size 1024 from device /dev/sda
> # Invalid offset 3012998038 in keyslot 4 (beyond data area offset 4096).
> LUKS keyslot 4 is invalid.
> # Releasing crypt device /dev/sda context.
> # Releasing device-mapper backend.
> # Unlocking memory.
> Command failed with code 22: LUKS keyslot 4 is invalid.
> ---
> 
> The command blkid seems to be OK.
> ---
> zucchini ~ # blkid -p /dev/sda
> /dev/sda: UUID="30016d75-****-4c68-898a-************" VERSION="1"
> TYPE="crypto_LUKS" USAGE="crypto"
> ---
> 
> The head of /dev/sda is following.
> ---
> zucchini ~ # hexdump -C -n 112 /dev/sda
> 00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
> 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> 00000020  00 00 00 00 00 00 00 00  78 74 73 2d 70 6c 61 69  |........xts-plai|
> 00000030  6e 36 34 00 00 00 00 00  00 00 00 00 00 00 00 00  |n64.............|
> 00000040  00 00 00 00 00 00 00 00  73 68 61 31 00 00 00 00  |........sha1....|
> 00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> 00000060  00 00 00 00 00 00 00 00  00 00 10 00 00 00 00 20  |............... |
> 00000070
> ---
> 
> I also tried Arno's chk_luks_keyslots.
> (http://www.saout.de/pipermail/dm-crypt/attachments/20120909/39ee1325/attachment.c)
> The output was...
> ---
> zucchini keyslotchecker # ./chk_luks_keyslots /dev/sda
> 
> Sectors with entropy below threshold (0.850000):
> 
> Keyslot 0: start:   0x1000
> 
> Keyslot 1: start:  0x21000
>   keyslot not in use
> 
> Keyslot 2: start:  0x41000
>   keyslot not in use
> 
> Keyslot 3: start:  0x61000
>   keyslot not in use
> 
> Keyslot 4: start: 0x2d672c00
>   keyslot not in use
> 
> Keyslot 5: start:  0xa1000
>   keyslot not in use
> 
> Keyslot 6: start:  0xc1000
>   keyslot not in use
> 
> Keyslot 7: start:  0xe1000
>   keyslot not in use
> ---
> The output message shows the addresses of keyslots, and
> of keyslot 4 may be invalid.
> (However, 0 seems ok ... I wish.)
> 
> So, how can I do for this situation?
> Is it possible to access the partition and data using Keyslot 0 ?
> 
> Thanks, in advance.
> 
> Hide
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

Re: [dm-crypt] unlock luks volume using valid keyslot

[Arno Wagner]

Oops, just saw that Milan already replied.
Use his instructions, they are better.

Regards,
Arno

On Tue, Jun 28, 2016 at 15:55:55 CEST, Arno Wagner wrote:
> The thing here is that not your keyslot is invalid, but 
> rather its descriptor, which is part of the header.
> 
> One thing you can immediately do (after a header backup!)
> is to just put the right offset into the header descriptor.
> Addresses are in FAQ Item 6.12. As Keyslot 4 is inactive,
> you can basically copy the one before or after, I think.
> 
> If conventional header backup does not work, do a manual
> one (see FAQ Item 6.2).
> 
> That should get you one step further. But only if the 
> salts in the header and keyslot are fine.
> 
> Regards,
> Arno
> 
> 
> 
> On Tue, Jun 28, 2016 at 07:47:55 CEST, Oko Hid wrote:
> > Dear dm-crypt members,
> > 
> > Please teach me how to unlock the luks partition using valid keyslot.
> > 
> > My /dev/sda is crypto_LUKS partition volume, and xfs partition (/home)
> > is contained.
> > I got "Luks keyslot 4 is invald." message just after following operation.
> > (I use only keyslot 0, and I know the valid passphrase of course.)
> > 
> > My workstation is HP's Z820 with 2CPUs works gentoo linux.
> > Recently a fan seems having trouble, so I tried HP's Diagnostic CD,
> > booted from the CD
> > and executed diag tool.
> > The tool tried to write the result log "C:" drive, that triggered a tragedy.
> > The luks header must be corrupted at that time.
> > 
> > I do not have the backup of luks header, so I cannot unlock this
> > partition for now.
> > 
> > I found the site FAQ
> > (https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions),
> > So I would like to request the clue to access the partition and data,
> > here this mailing list.
> > 
> > The debug output of unlocking operation is following...
> > ---
> > zucchini ~ # cryptsetup -v --debug --key-slot=0 luksDump /dev/sda
> > # cryptsetup 1.6.5 processing "cryptsetup -v --debug --key-slot=0
> > luksDump /dev/sda"
> > # Running command luksDump.
> > # Locking memory.
> > # Installing SIGINT/SIGTERM handler.
> > # Unblocking interruption on signal.
> > # Allocating crypt device /dev/sda context.
> > # Trying to open and read device /dev/sda.
> > # Initialising device-mapper backend library.
> > # Trying to load LUKS1 crypt type from device /dev/sda.
> > # Crypto backend (gcrypt 1.6.5) initialized.
> > # Reading LUKS header of size 1024 from device /dev/sda
> > # Invalid offset 3012998038 in keyslot 4 (beyond data area offset 4096).
> > LUKS keyslot 4 is invalid.
> > # Releasing crypt device /dev/sda context.
> > # Releasing device-mapper backend.
> > # Unlocking memory.
> > Command failed with code 22: LUKS keyslot 4 is invalid.
> > ---
> > 
> > The command blkid seems to be OK.
> > ---
> > zucchini ~ # blkid -p /dev/sda
> > /dev/sda: UUID="30016d75-****-4c68-898a-************" VERSION="1"
> > TYPE="crypto_LUKS" USAGE="crypto"
> > ---
> > 
> > The head of /dev/sda is following.
> > ---
> > zucchini ~ # hexdump -C -n 112 /dev/sda
> > 00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
> > 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> > 00000020  00 00 00 00 00 00 00 00  78 74 73 2d 70 6c 61 69  |........xts-plai|
> > 00000030  6e 36 34 00 00 00 00 00  00 00 00 00 00 00 00 00  |n64.............|
> > 00000040  00 00 00 00 00 00 00 00  73 68 61 31 00 00 00 00  |........sha1....|
> > 00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> > 00000060  00 00 00 00 00 00 00 00  00 00 10 00 00 00 00 20  |............... |
> > 00000070
> > ---
> > 
> > I also tried Arno's chk_luks_keyslots.
> > (http://www.saout.de/pipermail/dm-crypt/attachments/20120909/39ee1325/attachment.c)
> > The output was...
> > ---
> > zucchini keyslotchecker # ./chk_luks_keyslots /dev/sda
> > 
> > Sectors with entropy below threshold (0.850000):
> > 
> > Keyslot 0: start:   0x1000
> > 
> > Keyslot 1: start:  0x21000
> >   keyslot not in use
> > 
> > Keyslot 2: start:  0x41000
> >   keyslot not in use
> > 
> > Keyslot 3: start:  0x61000
> >   keyslot not in use
> > 
> > Keyslot 4: start: 0x2d672c00
> >   keyslot not in use
> > 
> > Keyslot 5: start:  0xa1000
> >   keyslot not in use
> > 
> > Keyslot 6: start:  0xc1000
> >   keyslot not in use
> > 
> > Keyslot 7: start:  0xe1000
> >   keyslot not in use
> > ---
> > The output message shows the addresses of keyslots, and
> > of keyslot 4 may be invalid.
> > (However, 0 seems ok ... I wish.)
> > 
> > So, how can I do for this situation?
> > Is it possible to access the partition and data using Keyslot 0 ?
> > 
> > Thanks, in advance.
> > 
> > Hide
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> 
> -- 
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
> 
> If it's in the news, don't worry about it.  The very definition of 
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier