Re: LUKS - lost token?

On 10/28/23 08:49, lejeczek via users wrote:
Hi guys.

I know this is most likely not best suited question for this list, but I'm hoping some experts might be able to help.

I have a LUKS device which had keyslot with pass-phrase removed and token for TPM keyslot removed too - I think this is the case, for none of my passphrases works and device is as below:

I hope there is a way to save & bring it back to life - device is open right now and I've access to filesystem, obviously goal would be to avoid re-format/crypt.

Is it possible to restore/recreate that lost token and/or add new Keyslot somehow? I have no header backup for this device.

-> $ cryptsetup luksDump /dev/nvme0n1p3
...

Yes, as long as the device is currently unlocked you can recover the master key from the kernel. You will need the name of the /dev/mapper entry for the unlocked device. If you don't know it, you can use "lsblk" to find it. For example (since I conveniently happen to have an encrypted nvme0n1p3):

    # lsblk /dev/nvme0n1p3
    nvme0n1p3            259:3    0   568G  0 part
    |...
    └─rl_omega3x-home    253:4    0    50G  0 lvm
      └─home-luks        253:7    0    50G  0 crypt /home

Then use "dmsetup" to display the encryption key:

    # dmsetup table home-luks --showkeys

That should yield a line that includes a long string of hex digits. That is the master key. Save that temporarily in a safe place since the key will be lost forever once you reboot or the LUKS container is closed. Here is a one-liner that will use the 5th field in that dmsetup output directly to create a new key:

    # cryptsetup luksAddKey /dev/nvme0n1p3 --master-key-file <(dmsetup table home-luks --showkeys | awk '{print $5}' | xxd -r -p)

Once you've got that recovered, do use "cryptsetup luksHeaderBackup" to save that LUKS header somewhere so that you don't get into this position again. And do destroy that saved master key.

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
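The recovery procedure above, written out as an added example (this is not code from the thread or from the cryptsetup project): it takes a dm-crypt table line of the shape `dmsetup table <name> --showkeys` prints, pulls out the cipher (field 4) and the hex master key (field 5) just as the `awk '{print $5}'` one-liner does, checks that the key length matches what the cipher needs before anything is passed to `luksAddKey`, and writes the raw bytes to a mode-0600 temporary file that is removed afterwards. The table line, the key material and the `main` flow are constructed sample data; the `cryptsetup` commands that would run on a real system are shown only as comments, using the `/dev/nvme0n1p3` path from the thread and an assumed backup file name.

```sh
#!/bin/sh
# Added example, not part of the original mailing-list reply.
# Parses a dm-crypt table line the way `dmsetup table NAME --showkeys | awk '{print $5}'`
# does, validates the master key, and stages it in a 0600 file for luksAddKey.
set -eu

# CONSTRUCTED sample line (not a real key). Field layout of a dm-crypt target:
#   start length "crypt" cipher key_hex iv_offset device offset [opt_params...]
SAMPLE_TABLE='0 104857600 crypt aes-xts-plain64 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 0 253:4 4096 1 allow_discards'

# Print the cipher spec (field 4) of a "crypt" table line; nothing for other targets.
table_cipher() {
    printf '%s\n' "$1" | awk '$3 == "crypt" { print $4 }'
}

# Print the hex master key (field 5). Fail unless the line is a dm-crypt target
# and the key is a non-empty, even-length hex string.
extract_master_key_hex() {
    key=$(printf '%s\n' "$1" | awk '$3 == "crypt" { print $5 }')
    case "$key" in
        '' | *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#key} % 2 )) -eq 0 ] || return 1
    printf '%s\n' "$key"
}

# Key size in bits the cipher spec expects. XTS carries two AES keys,
# so aes-xts-* with AES-256 needs 512 bits. 0 means "unknown cipher".
expected_key_bits() {
    case "$1" in
        aes-xts-plain64 | aes-xts-plain) echo 512 ;;
        aes-cbc-essiv:sha256 | aes-cbc-plain64) echo 256 ;;
        *) echo 0 ;;
    esac
}

# Succeed only when the recovered key has exactly the size the cipher needs.
key_matches_cipher() {
    want=$(expected_key_bits "$2")
    [ "$want" -ne 0 ] && [ $(( ${#1} * 4 )) -eq "$want" ]
}

# Write the hex key as raw bytes (what `xxd -r -p` would produce) into a file
# created with umask 077, and print its path.
write_key_file() {
    hex=$1
    path=$(umask 077 && mktemp)
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}       # leading two hex digits
        hex=${hex#??}
        # POSIX printf only knows octal escapes, so convert each byte via %o.
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done > "$path"
    printf '%s\n' "$path"
}

# Byte count of a file, used to confirm the staged key has the right length.
file_size() {
    wc -c < "$1" | tr -d ' '
}

main() {
    cipher=$(table_cipher "$SAMPLE_TABLE")
    hex=$(extract_master_key_hex "$SAMPLE_TABLE")
    key_matches_cipher "$hex" "$cipher" || { echo "key size does not match $cipher" >&2; exit 1; }
    keyfile=$(write_key_file "$hex")
    echo "staged $(( ${#hex} * 4 ))-bit master key for $cipher in $keyfile ($(file_size "$keyfile") bytes)"
    # On the real system, with the container still open, this is where you would run
    # (device path from the thread; backup file name is an assumption):
    #   cryptsetup luksAddKey /dev/nvme0n1p3 --master-key-file "$keyfile"
    #   cryptsetup luksHeaderBackup /dev/nvme0n1p3 --header-backup-file /root/nvme0n1p3.luksheader
    rm -f "$keyfile"   # use shred(1) where available; the key must not linger on disk
}

main
```

The size check is the part worth keeping: a `dmsetup` line for a `linear` or `snapshot` target has no key in field 5, and a key of the wrong length would make `luksAddKey` fail or, worse, add a slot that does not unlock the volume. Checking the cipher spec against the key length before touching the header catches both.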
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue