First a side-note: Do you know that text can be formatted and that
it is still the norm to have no text after around the 72 column-mark
or so?

Second question: It seems that you assemble first and then
de-/encrypt the RAID5. Is this correct? If so, does the raid
assemble and is it clean?

Arno

On Tue, Jan 08, 2008 at 08:16:54PM +0000, Da Powah wrote:
> Hi,
>
> after Dirk Heinrichs' advice to write in English to an
> English-speaking mailing list I am convinced that it is necessary
> to translate my post. Thanks for the advice, Dirk.
>
> I spent several nights trying to rescue my broken encrypted
> softraid - but I failed.
> I'll make a last try with this mailing list.
>
> #####################################################################
> Info:
> I used my encrypted softraid RAID5 in my server over several months
> successfully.
> I used a script that decrypts the RAID at boot time with a keyfile
> from a mounted USB stick. I then tried to get a USB WLAN stick
> working (rt2500usb) in master mode - which was the beginning of the
> end of my raid.
>
> While trying to get the USB stick working I had to reset the system
> several times, because it hung. The RAID shouldn't have been
> decrypted during these tries, because I've got problems getting the
> stick mounted at boot time (I have to rmmod usb_storage and the
> ehci module to get the stick accepting an address). I would
> disconnect the raid the next time.... promise.
>
> I had to install and deinstall some packages while trying to get
> the stick working. Those packages should affect the wlan part only.
> After I realized that I need a new kernel version to get the master
> mode working I stopped the wlan project. I rebooted the server and
> tried to get the raid decrypted - but I failed:
>
> And that is the current state: after executing the following -
> previously working - command:
>
> "cryptsetup luksOpen -d /mnt/key/key.md0.orig /dev/mapper/vg-crypted_raid raid"
>
> I get an undetermined answer: "Command failed."
>
> And the raid did not decrypt.
>
> #####################################################################
> My system:
> Debian distribution (c't server 2 (German PC magazine distri))
> (Linux server 2.6.18-4-xen-686 #1 SMP Thu May 10 03:24:35 UTC 2007 i686 GNU/Linux)
>
> Raid in volume group VG:
> ASRock CrossfireSATA2 MoBo, 3GB, Core2Duo@2,13GHz
> 4 500GB HDDs SATA devices
> Softraid5
> lvm2
>   LVM version: 2.02.07 (2006-07-17)
>   Library version: 1.02.08 (2006-07-17)
>   Driver version: 4.7.0
> dm_crypt
> cryptsetup-luks 1.0.5
>
> #####################################################################
> I created my raid with the following commands (in an older system):
>
> cryptsetup -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/mapper/lvm2\|vg\|crypted_raid /mnt/usb/key.md0.orig
>
> root@homeserver:~# cryptsetup luksOpen /dev/mapper/lvm2\|vg\|crypted_raid crypted_raid -d /mnt/usb/key.md0.orig
> key slot 0 unlocked.
> Command successful.
>
> root@homeserver:/dev/mapper# ls
> control hda1 hda5 lvm2|vg|crypted_raid raid sde1
>
> root@homeserver:/dev/mapper# mke2fs -b 4096 -j /dev/mapper/raid
> mke2fs 1.38 (30-Jun-2005)
> Filesystem label=
> OS type: Linux
> Block size=4096 (log=2)
> Fragment size=4096 (log=2)
> 178257920 inodes, 356515583 blocks
> 17825779 blocks (5.00%) reserved for the super user
> First data block=0
> 10880 block groups
> 32768 blocks per group, 32768 fragments per group
> 16384 inodes per group
> Superblock backups stored on blocks:
> 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
> 4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
> 102400000, 214990848
>
> Writing inode tables: done
> Creating journal (32768 blocks): done
> Writing superblocks and filesystem accounting information: done
>
> This filesystem will be automatically checked every 37 mounts or
> 180 days, whichever comes first. Use tune2fs -c or -i to override.
>
> #####################################################################
> My analyses for now:
>
> #####################################################################
> Loaded modules:
> Module Size Used by
> sha256 11872 0
> aes 28928 2
> nls_cp437 6688 1
> sg 32060 0
> sr_mod 16644 0
> cdrom 33312 1 sr_mod
> usb_storage 72736 1
> vfat 12640 1
> fat 47452 1 vfat
> tun 11104 1
> xt_physdev 3792 5
> iptable_filter 3872 1
> ip_tables 13892 1 iptable_filter
> x_tables 14084 2 xt_physdev,ip_tables
> nfs 203660 0
> nfsd 198704 17
> exportfs 6368 1 nfsd
> lockd 55208 3 nfs,nfsd
> nfs_acl 4352 2 nfs,nfsd
> sunrpc 139580 13 nfs,nfsd,lockd,nfs_acl
> ppdev 9444 0
> lp 11780 0
> cpufreq_powersave 2688 0
> button 7440 0
> ac 5956 0
> battery 10404 0
> ipv6 229088 55
> bridge 50268 1 xt_physdev
> nls_iso8859_1 5024 2
> ntfs 195252 1
> dm_crypt 11656 1
> cpufreq_stats 6272 0
> cpufreq_ondemand 7404 2
> speedstep_centrino 9440 1
> freq_table 5440 2 cpufreq_stats,speedstep_centrino
> sbp2 22920 0
> loop 15944 0
> i2c_i801 8236 0
> rt2570 161472 0
> psmouse 35880 0
> parport_pc 33092 1
> parport 34120 3 ppdev,lp,parport_pc
> 8250_pnp 9600 0
> 8250 28164 1 8250_pnp
> serial_core 20288 1 8250
> i2c_core 20480 1 i2c_i801
> pcspkr 3840 0
> serio_raw 7428 0
> intel_agp 22780 1
> agpgart 32264 1 intel_agp
> eth1394 18916 0
> evdev 9856 0
> ext3 120072 2
> jbd 53224 1 ext3
> mbcache 9124 1 ext3
> dm_snapshot 16320 0
> raid456 116496 1
> md_mod 71316 2 raid456
> xor 15144 1 raid456
> ide_generic 2176 0 [permanent]
> dm_mirror 20048 0
> dm_mod 51000 27 dm_crypt,dm_snapshot,dm_mirror
> sd_mod 19808 6
> ide_disk 15712 5
> ohci1394 31792 0
> 3c59x 42824 0
> mii 6112 1 3c59x
> e1000 110432 0
> ieee1394 88152 3 sbp2,eth1394,ohci1394
> ahci 18244 4
> ehci_hcd 29288 0
> uhci_hcd 22188 0
> libata 90868 1 ahci
> scsi_mod 125160 7 sg,sr_mod,usb_storage,sbp2,sd_mod,ahci,libata
> piix 10212 0 [permanent]
> generic 6244 0 [permanent]
> ide_core 112392 5 usb_storage,ide_generic,ide_disk,piix,generic
> r8169 30056 0
> usbcore 114372 5 usb_storage,rt2570,ehci_hcd,uhci_hcd
> thermal 14376 0
> processor 29608 2 speedstep_centrino,thermal
> fan 5572 0
>
> #######################################################
> Raid state OK:
> cat /proc/mdstat
> Personalities : [raid6] [raid5] [raid4]
> md0 : active raid5 sda[0] sdd[3] sdc[2] sdb[1]
>       1465159296 blocks level 5, 128k chunk, algorithm 2 [4/4] [UUUU]
>
> #######################################################
> LVM state OK:
> server:/etc/lvm# lvscan
> ACTIVE '/dev/server/root' [7,81 GB] inherit
> ACTIVE '/dev/server/swap_1' [2,59 GB] inherit
> ACTIVE '/dev/server/extern_lv_root' [1,95 GB] inherit
> ACTIVE '/dev/server/extern_lv_swap' [128,00 MB] inherit
> ACTIVE '/dev/server/win' [10,00 GB] inherit
> ACTIVE '/dev/server/intern_lv_root' [9,77 GB] inherit
> ACTIVE '/dev/server/intern_lv_swap' [256,00 MB] inherit
> ACTIVE '/dev/server/endianlv_root' [512,00 MB] inherit
> ACTIVE '/dev/server/endianlv_swap' [132,00 MB] inherit
> ACTIVE '/dev/server/endianlv_var' [4,00 GB] inherit
> ACTIVE '/dev/server/endianlv_boot' [36,00 MB] inherit
> ACTIVE '/dev/server/test_volume' [100,00 MB] inherit
> ACTIVE '/dev/vg/crypted_raid' [1,33 TB] inherit
>
> lvdisplay:
> --- Logical volume ---
> LV Name /dev/vg/crypted_raid
> VG Name vg
> LV UUID TPSlvK-X4PG-lClU-VCAr-sjFm-VM85-xxxxxx
> LV Write Access read/write
> LV Status available
> # open 0
> LV Size 1,33 TB
> Current LE 348160
> Segments 1
> Allocation inherit
> Read ahead sectors 0
> Block device 254:15
>
> #######################################################
> dmsetup state OK:
> server:/etc/lvm# dmsetup info /dev/mapper/vg-crypted_raid
> Name: vg-crypted_raid
> State: ACTIVE
> Tables present: LIVE
> Open count: 0
> Event number: 0
> Major, minor: 254, 15
> Number of targets: 1
> UUID: LVM-UwYNfZQKuyZ5AIJVFDNbJSCrLUF568YmTPSlvKX4PGlClUVCArsjFmVM85xxxxxx
>
> #######################################################
> LUKS state OK:
> cryptsetup luksDump /dev/mapper/vg-crypted_raid
> LUKS header information for /dev/mapper/vg-crypted_raid
>
> Version: 1
> Cipher name: aes
> Cipher mode: cbc-essiv:sha256
> Hash spec: sha1
> Payload offset: 2056
> MK bits: 256
> MK digest: f2 48 52 aa 27 1c 44 2f 8b 75 e7 f6 97 8a fd b1 e9 ca eb eb
> MK salt: 5b df c6 92 30 f4 4f 60 13 79 7d f2 13 xx xx xx
>          33 e5 71 f1 48 a7 ce 82 d2 5d 30 70 ac 23 84 0c
> MK iterations: 10
> UUID: f4ede5a1-cbbd-493a-ab7b-27371cxxxxxx
>
> Key Slot 0: ENABLED
> Iterations: 170750
> Salt: 15 de 36 21 58 43 24 88 d8 a3 35 cd c9 66 91 e5
>       5c de 5c 75 81 0b 0f 2e db 55 xx xx xx 65 96 01
> Key material offset: 8
> AF stripes: 4000
> Key Slot 1: DISABLED
> Key Slot 2: DISABLED
> Key Slot 3: DISABLED
> Key Slot 4: DISABLED
> Key Slot 5: DISABLED
> Key Slot 6: DISABLED
> Key Slot 7: DISABLED
>
> #######################################################
> cryptsetup decryption: NOT OK:
> cryptsetup luksOpen -d /mnt/key/key.md0.orig /dev/mapper/vg-crypted_raid raid
> Cammand failed.
>
> #######################################################
> cryptsetup decryption: I tried a test encryption with my keyfile
> and it worked (not on my softraid but on my local HD in an lvm
> volume):
> cryptsetup luksOpen -d /mnt/key/key.md0.orig /dev/mapper/server-test_volume raid
> key slot 0 unlocked.
> Command successful.
>
> THAT is very alarming ...... but the logical volume is NOT on my
> raid....
>
> #############################################################################
> I would be VERY thankful if somebody could help me with further
> analysis methods (wiki ?, web ? IRC). I tried everything I could
> find via google about analyzing my problem (see above).
> And cryptsetup doesn't give a hint, because dmsetup did not set any
> stderr failure (see source code):
>
> cryptsetup.c:
>     fprintf(stderr, _("Command failed"));
>     if (*error)
>         fprintf(stderr, ": %s\n", error);
>     else
>         fputs(".\n", stderr);
>
> #############################################################################
> I know from my log messages that the raid resynced one time (after
> I reinstalled mdadm and cryptsetup). But 3 out of 4 volumes were
> always CLEAN and the resync worked. So the raid should be ok - as
> the command mdadm -E /dev/sda to sdd confirms: all superblocks are
> clean.
>
> The keyfile is ok, too, because I verified it against a copy (1024
> bytes created with a urandom device)
>
> #############################################################################
> Conclusion / assumptions:
>
> #1 The softraid could be damaged even if all superblocks are clean
> and /dev/md0 is up and /proc/mdstat is ok.
> But why does cryptsetup luksDump /dev/mapper/... give a correct
> answer?
>
> #2 The USB stick gives a permanent error while reading the keyfile
> from the stick
>
> #3 My system got hacked and the key was exchanged for another (I
> use an endian firewall in a virtual machine - so I don't think so)
>
> #4 A configuration is wrong.
> Bios? Systemsetup? Linux?
>
> It seems #1 is the answer but I wish it were #4 or anything which
> gets it back working....
>
> #############################################################################
> I tried some Linux LiveCD versions (Ubuntu 7.10 and Fedora 8) to
> get the raid mounted. With those newer versions I got this answer
> after executing "cryptsetup luksOpen -d.....": didn't find
> masterkey with that passphrase.
> All necessary modules should be loaded before trying to decrypt the
> raid partition (aes, dm-crypt, crypt-mod).
>
> I tried a reinstall of the distribution which I had used for
> several months - but I had to get the missing cryptsetup and
> dmsetup packages with "apt-get install" (in actual version for
> debian etch stable). Nothing helped - same error: command failed.
>
> Who could help?
>
> DP
> _________________________________________________________________
> Express yourself instantly with MSN Messenger! Download today it's FREE!
> http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

-- 
Arno Wagner, Dipl. Inform., CISSP --- CSG, ETH Zurich, arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
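
Added example, not part of either post and not cryptsetup's own code: the quoted message asks why luksDump still answers correctly while luksOpen fails, and this sketch shows which on-disk regions each one depends on in the LUKS1 format. The header is constructed from the luksDump values in the post (cipher, payload offset 2056, key material offset 8, 4000 AF stripes); the master key, salts and UUID are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import struct

SECTOR = 512
# LUKS1 on-disk header, big-endian: 208-byte fixed part + 8 key slots of 48 bytes.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD


def cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_luks1(blob):
    """Parse what luksDump prints; only the first 592 bytes are needed."""
    (magic, version, cipher, mode, hash_spec, payload, key_bytes,
     mk_digest, mk_salt, mk_iter, _uuid) = PHDR.unpack_from(blob, 0)
    if magic != b"LUKS\xba\xbe" or version != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(8):
        active, iters, _salt, km_off, stripes = SLOT.unpack_from(
            blob, PHDR.size + i * SLOT.size)
        if active == SLOT_ENABLED:
            # Key material = key_bytes * stripes, AF-split; every sector must be intact.
            sectors = -(-(key_bytes * stripes) // SECTOR)
            slots.append({"slot": i, "iterations": iters,
                          "first_sector": km_off,
                          "last_sector": km_off + sectors - 1})
    return {"cipher": cstr(cipher) + "-" + cstr(mode), "hash": cstr(hash_spec),
            "payload_offset": payload, "mk_digest": mk_digest,
            "mk_salt": mk_salt, "mk_iter": mk_iter, "slots": slots}


def master_key_matches(hdr, candidate):
    """The final luksOpen check: PBKDF2 of the recovered key vs. MK digest."""
    digest = hashlib.pbkdf2_hmac(hdr["hash"], candidate, hdr["mk_salt"],
                                 hdr["mk_iter"], len(hdr["mk_digest"]))
    return digest == hdr["mk_digest"]


def build_sample_header():
    """Constructed header: layout values from the post, secrets are placeholders."""
    mk, salt = bytes(range(32)), b"\x5b" * 32
    digest = hashlib.pbkdf2_hmac("sha1", mk, salt, 10, 20)
    head = PHDR.pack(b"LUKS\xba\xbe", 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                     2056, 32, digest, salt, 10, b"constructed-uuid")
    slots = SLOT.pack(SLOT_ENABLED, 170750, b"\x15" * 32, 8, 4000)
    slots += SLOT.pack(SLOT_DISABLED, 0, bytes(32), 0, 4000) * 7
    return head + slots, mk
```

With the posted values, slot 0's key material covers sectors 8 through 257 of the LUKS device, all below the payload offset of 2056. The header fields can parse cleanly while a single changed byte in that range yields a different master key, so the digest check fails.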