Date: Fri, 5 Aug 2011 01:18:51 +0200
From: Paul Menzel
Subject: Re: [dm-crypt] How can a passphrase be incorrect even after `luksHeaderBackup` and `luksHeaderRestore`?
To: dm-crypt@saout.de

2011/8/4 Paul Menzel:
> trying to save my data [1][2][3] I do not understand the following.
>
> The partitions of two drives `/dev/sd{a,b}2` start at exactly the same point.
>
> ------- 8< --- partition table --- >8 -------
> # partition table of /dev/sda
> unit: sectors
>
> /dev/sda1 : start=       63, size=   995967, Id=fd, bootable
> /dev/sda2 : start=   996030, size=3906028035, Id=fd
> /dev/sda3 : start=        0, size=        0, Id= 0
> /dev/sda4 : start=        0, size=        0, Id= 0
>
> # partition table of /dev/sdb
> unit: sectors
>
> /dev/sdb1 : start=       63, size=   995967, Id=fd, bootable
> /dev/sdb2 : start=   996030, size=975772035, Id=fd
> /dev/sdb3 : start=        0, size=        0, Id= 0
> /dev/sdb4 : start=        0, size=        0, Id= 0
> ------- 8< --- partition table --- >8 -------
>
> Doing `cryptsetup luksHeaderRestore /dev/sda2 --header-backup-file
> sdb.luksHeaderBackup` with `sdb.luksHeaderBackup` obtained from
> `/dev/sdb2` the passphrase, which works on sdb, should definitely work
> on sda although the data might be read as garbage.

It looks like `luksBackupRestore` is not working for me correctly.
Please take a look at the following results. `/dev/sdb` is the old
drive with the working LUKS setup, that means my passphrase gets
accepted.

I am sorry that Google Mail will probably line wrap everything.

------- 8< --- entered commands --- >8 -------
% sudo cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file /tmp/sda.header
% sudo cryptsetup luksHeaderBackup /dev/sdb2 --header-backup-file /tmp/sdb.header
% sudo md5sum /tmp/sd*
7b897c620776f549324810a8aeb9921e  /tmp/sda.header
ce314509007b2c76eb85e7b89ee25da5  /tmp/sdb.header
% sudo cryptsetup --verbose --debug luksHeaderRestore /dev/sda2 --header-backup-file /tmp/sdb.header
# cryptsetup 1.3.0 processing "cryptsetup --verbose --debug luksHeaderRestore /dev/sda2 --header-backup-file /tmp/sdb.header"
# Running command luksHeaderRestore.
# Locking memory.
# Allocating crypt device /dev/sda2 context.
# Trying to open and read device /dev/sda2.
# Initialising device-mapper backend, UDEV is enabled.
# Detected dm-crypt version 1.10.0, dm-ioctl version 4.19.1.
# Initialising gcrypt crypto backend.
# Requested header restore to device /dev/sda2 (LUKS1) from file /tmp/sdb.header.
# Reading LUKS header of size 1024 from backup file /tmp/sdb.header
# Reading LUKS header of size 1024 from device /dev/sda2
# Device /dev/sda2 already contains LUKS header, checking UUID and offset.

WARNING!
========
Device /dev/sda2 already contains LUKS header. Replacing header will destroy existing keyslots.

Are you sure? (Type uppercase yes): YES
# Storing backup of header (1024 bytes) and keyslot area (1048576 bytes) to device /dev/sda2.
# Reading LUKS header of size 1024 from device /dev/sda2
# Releasing crypt device /dev/sda2 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command successful.
% sudo cryptsetup --verbose --debug luksHeaderBackup /dev/sda2 --header-backup-file /tmp/sda2.header
# cryptsetup 1.3.0 processing "cryptsetup --verbose --debug luksHeaderBackup /dev/sda2 --header-backup-file /tmp/sda2.header"
# Running command luksHeaderBackup.
# Locking memory.
# Allocating crypt device /dev/sda2 context.
# Trying to open and read device /dev/sda2.
# Initialising device-mapper backend, UDEV is enabled.
# Detected dm-crypt version 1.10.0, dm-ioctl version 4.19.1.
# Initialising gcrypt crypto backend.
# Requested header backup of device /dev/sda2 (LUKS1) to file /tmp/sda2.header.
# Reading LUKS header of size 1024 from device /dev/sda2
# Storing backup of header (1024 bytes) and keyslot area (1048576 bytes).
# Releasing crypt device /dev/sda2 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command successful.
% sudo md5sum /tmp/*header
7b897c620776f549324810a8aeb9921e  /tmp/sda2.header
7b897c620776f549324810a8aeb9921e  /tmp/sda.header
ce314509007b2c76eb85e7b89ee25da5  /tmp/sdb.header
------- 8< --- entered commands --- >8 -------

I would have assumed that all files are identical, i.e. they have the same hash.


Thanks,

Paul


> [1] http://www.saout.de/pipermail/dm-crypt/2011-August/001858.html
> [2] http://www.saout.de/pipermail/dm-crypt/2011-August/001858.html
> [3] http://marc.info/?l=linux-raid&m=131248606026407&w=2
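
An md5sum over a header backup only says that two files differ, not where. The following is an added example, not part of the original message and not cryptsetup's code: it parses the 592-byte LUKS1 partition header at the start of a `luksHeaderBackup` file, following the LUKS1 on-disk format specification, and lists which fields differ between two headers. The sample headers are constructed; `make_header` and its values are hypothetical.

```python
import struct

# LUKS1 partition header: big-endian, 208 bytes of fields followed by 8 key slots.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")  # active, iterations, salt, key-material offset, stripes
MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED = 0x00AC71F3
SLOT_DISABLED = 0x0000DEAD

def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1(buf):
    """Return the header fields that decide which passphrases can unlock."""
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iter, uuid) = PHDR.unpack_from(buf, 0)
    if magic != MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    fields = {"cipher": _text(cipher), "mode": _text(mode), "hash": _text(hash_spec),
              "payload_offset": payload_off, "key_bytes": key_bytes,
              "mk_digest": mk_digest.hex(), "mk_salt": mk_salt.hex(),
              "mk_iterations": mk_iter, "uuid": _text(uuid)}
    for i in range(8):
        active, iters, salt, km_off, stripes = SLOT.unpack_from(
            buf, PHDR.size + i * SLOT.size)
        fields[f"slot{i}"] = (active == SLOT_ENABLED, iters, salt.hex(), km_off, stripes)
    return fields

def diff_headers(a, b):
    """Names of the fields that differ between two header images."""
    fa, fb = parse_luks1(a), parse_luks1(b)
    return sorted(k for k in fa if fa[k] != fb[k])

def make_header(uuid, seed):
    """Constructed 1024-byte sample header; no real key material."""
    hdr = PHDR.pack(MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 2056, 32,
                    bytes([seed]) * 20, bytes([seed + 1]) * 32, 10000, uuid.encode())
    slots = SLOT.pack(SLOT_ENABLED, 50000, bytes([seed + 2]) * 32, 8, 4000)
    slots += b"".join(SLOT.pack(SLOT_DISABLED, 0, bytes(32), 8 + 256 * i, 4000)
                      for i in range(1, 8))
    return (hdr + slots).ljust(1024, b"\0")

if __name__ == "__main__":
    sda = make_header("11111111-1111-1111-1111-111111111111", 0x10)
    sdb = make_header("22222222-2222-2222-2222-222222222222", 0x40)
    print("two different headers:", diff_headers(sda, sdb))
    print("identical headers:    ", diff_headers(sdb, sdb))
```

To apply it to real backups, read each file in binary mode and pass the bytes to `diff_headers`; an empty list means the two headers agree on every parsed field.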