Re: recent kernels can't access my encrypted disk

At Tue, 14 Oct 2008 20:32:35 -0400,
James R. Van Zandt wrote:

> I have an encrypted disk which I've accessed with kernels 2.6.18
> through 2.6.24.  However, I have not been able to get 2.6.25 or 2.6.26
> kernels to boot.
> 
> The disk was configured by a Debian installation CDROM, with an ext3
> filesystem and swap in an LVM volume, encrypted with dmcrypt and LUKS.
> An attempt to boot with 2.6.26 fails like this (hand transcribed):
> 
>   hda: max request size: 512KiB
>   hda: 195371568 sectors (100030 MB), CHS=16383/255/63
>   hda: cache flushes supported
>    hda: hda1 hda2 < hda5 >
>   hdb: ATAPI 24X DVD-ROM DVD-R-RAM CD-R/RW drive, 2048kB Cache
>   uniform CD-ROM driver Revision: 3.20
>   ...
>   Volume group "ista" not found
>   Enter passphrase to unlock the disk /dev/hda5 (hda5_crypt):
>   key slot 0 unlocked.
>   Command successful.

This usually indicates that cryptsetup has correctly set up the
volume. Unless things are really broken at kernel level with 2.6.26,
you should see the same disk as with 2.6.25. What also rules out a
broken kernel primitive is that cryptsetup itself uses kernel crypto
to decrypt a volume's master key. A PBKDF2 hash of that master key is
stored in the header for key checking, and only when the decrypted
candidate master key's hash matches the hash found in the header is
the master key considered valid. In any other case, cryptsetup will
refuse to set up the volume.

In my opinion, that points to the LVM2 tools doing something
odd. Probably compare version numbers of vgchange, but I doubt that
LVM introduced a bug. Rather check /etc/lvm/lvm.conf in the
initramfs. It should contain something like

devices { 
  scan = [ "/dev/" ]
  filter = [ "a|^/dev/mapper/|", "a|^/dev/sd|", "a|^/dev/loop|", "r/.*/" ]
  ..
}

The scan line is most likely there, but the filter is sometimes fiddled
with. A string starting with 'a' means accept, 'r' means reject. You
want the path "a|^/dev/mapper|" to be scanned and not
rejected. (^/dev/mapper is a regexp.) filter = ["a/.*/"] is also ok.

If everything fails, copy strace into the initramfs and have a look at
what's going on when running vgchange.
-- 
Fruhwirth Clemens - http://clemens.endorphin.org 
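The filter semantics described above (first matching pattern wins, 'a' accepts, 'r' rejects, an unmatched path is accepted), as an added example that is not part of the original thread. It evaluates the lvm.conf filter from the reply and a constructed, deliberately narrowed filter against a constructed device list; the device names mirror the boot log (hda5 under /dev/mapper/hda5_crypt) but are assumptions, not the poster's real layout.

```python
import re

# LVM filter entry: "a<delim>regex<delim>" accepts, "r<delim>regex<delim>" rejects.
# The first entry whose regex matches the device path decides; a path that
# matches no entry is accepted (lvm.conf(5) semantics).
def parse_filter(entries):
    parsed = []
    for entry in entries:
        if len(entry) < 3 or entry[0] not in "ar" or not entry.endswith(entry[1]):
            raise ValueError(f"malformed filter entry: {entry!r}")
        accept = entry[0] == "a"
        parsed.append((accept, re.compile(entry[2:-1])))
    return parsed

def device_accepted(entries, path):
    for accept, regex in parse_filter(entries):
        if regex.search(path):
            return accept
    return True  # no pattern matched: LVM scans the device

def scan(entries, devices):
    """Return the subset of devices LVM would scan for physical volumes."""
    return [d for d in devices if device_accepted(entries, d)]

# Constructed device list: raw partitions, the dm-crypt mapping that holds
# the volume group, and the other device classes the reply's filter names.
DEVICES = ["/dev/hda1", "/dev/hda5", "/dev/mapper/hda5_crypt",
           "/dev/sda1", "/dev/loop0"]

# Filter quoted in the reply: mapper, sd and loop devices are scanned,
# everything else (including the raw /dev/hda5) is rejected.
FILTER_FROM_REPLY = ["a|^/dev/mapper/|", "a|^/dev/sd|", "a|^/dev/loop|", "r/.*/"]

# Constructed broken filter: /dev/mapper is never accepted, so the PV inside
# the unlocked dm-crypt device is invisible and the VG is "not found".
FILTER_BROKEN = ["a|^/dev/sd|", "r/.*/"]

# The permissive alternative the reply mentions.
FILTER_ACCEPT_ALL = ["a/.*/"]

if __name__ == "__main__":
    for name, flt in [("reply", FILTER_FROM_REPLY), ("broken", FILTER_BROKEN),
                      ("accept-all", FILTER_ACCEPT_ALL)]:
        print(f"{name:10s} -> {scan(flt, DEVICES)}")
```

A quick way to apply the same check on a real system is to compare the filter in the initramfs copy of lvm.conf against the mapper name cryptsetup creates, which is exactly what the mismatch above models.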

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/