On Fri, Nov 07, 2008 at 03:25:36PM -0800, Kevin Bowen wrote:
> Hi,
> I seem to have corrupted the luks header of my encrypted partition,
> such that it's not recognized as a valid luks device. I'm not sure
> exactly how, but I think an erroneous grub-install managed to write
> something to the device.... my grub got broken somehow by a kernel
> upgrade,

Interesting. I never had that happen to me and I change my kernel
quite often (currently running 2.6.27.4).

> and I booted to a rescue disk and did a manual
> grub-install... I wasn't really sure what I was doing, so there was
> some trial and error involved, but I can't imagine how anything I did
> could have caused grub-install to write anything to /dev/sda6 (my
> crypt partition),

I cannot quite see that happening either without some serious
misconfiguration.

> yet that's what seems to have happened: grepping
> through the beginning of /dev/sda6, I see the string "GRUB
> ^@Geom^@Hard Disk^@Read^@ Error^"..... I also see "cbc-essiv:sha256",
> so I know there's at least some luks-related stuff in there...

Hmm. From the PDF on http://luks.endorphin.org/spec, Figure 1,
I conclude the LUKS header is 592 bytes and the only places where a
cipher name appears are positions 8, 40 and 72. The grub MBR
block is the standard 512 bytes and would have overwritten any
such string reliably. So you did not put an MBR on sda6.

Note: I am not sure whether this documentation is current. It
does look good though.

I think the Grub second stage is more flexible in size and could
have damaged only the beginning of the LUKS header without
overwriting it completely.

"cbc-essiv:sha256" looks like a cipher mode spec to me that should
be at offset 40. In that case, at maximum the fields before could be
damaged, i.e. magic, version and cipher. These should be possible
to fill in without too much trouble using a hex editor and possibly
an experimental LUKS partition as template.

> Is there any way to try to recover a corrupted luks header? If not,
> does anyone have any ideas of what my options are as far as getting my
> data back?

You absolutely need the keys in the LUKS header. Without them
your data is gone. Best option is finding out first whether
the header is actually damaged, i.e. look for the magic number
at the beginning. If it is there, chances are the header is intact
and you have a different problem. If not, start to check the individual
fields until you find the first that looks good. Then try to
fill in the missing values.

Before you do anything, make a backup of the header! It is very
easy to do additional, possibly irrevocable, damage. My guess
would be that copying the first 2048 bytes should be enough.
Make sure you go something like 1024 bytes past the
"cbc-essiv:sha256" field. More is no problem, as long as you
do not write to the disk before a restore of the header.

There is a boot sector before the LUKS header in your setup, it
seems. Maybe that is the problem in the first place. I think the
LUKS header should be the first thing on the disk. Maybe you are
just missing a mapping step that presents the device without
that boot sector to LUKS?

However, I could be completely wrong on this, as I have very
little experience with LUKS.

Arno

>
> --
> Kevin Bowen
> kevin@xxxxxxxx
>
> ---------------------------------------------------------------------
> dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
> To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
> For additional commands, e-mail: dm-crypt-help@xxxxxxxx
>

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens."
-- Bruce Schneier
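
An added example, not part of the original post: a read-only triage of a copy of the first 592 bytes, following the reply's advice to look for the magic number and then check the fields until the first one that looks good. Offsets other than 8, 40 and 72 are assumed from the LUKS1 on-disk format; the function names and both sample headers are constructed for illustration.

```python
import struct

LUKS_MAGIC, PHDR_LEN = b"LUKS\xba\xbe", 592   # LUKS1 magic; header size incl. 8 key slots
SLOT_STATES = {0x00AC71F3, 0x0000DEAD}        # key slot enabled / disabled

def _text_ok(raw):  # non-empty, NUL-padded, printable ASCII without spaces
    s = raw.rstrip(b"\x00")
    return bool(s) and all(0x20 < c < 0x7F for c in s)

def _u32(raw):  # header integers are big-endian
    return struct.unpack(">I", raw)[0]

FIELDS = [  # (name, offset, length, check); offsets assumed from the LUKS1 format
    ("magic", 0, 6, lambda b: b == LUKS_MAGIC),
    ("version", 6, 2, lambda b: b == b"\x00\x01"),
    ("cipher_name", 8, 32, _text_ok),
    ("cipher_mode", 40, 32, _text_ok),
    ("hash_spec", 72, 32, _text_ok),
    ("payload_offset", 104, 4, lambda b: _u32(b) > 0),
    ("key_bytes", 108, 4, lambda b: 0 < _u32(b) <= 64),
    ("uuid", 168, 40, _text_ok),
]
FIELDS += [(f"keyslot{i}", 208 + 48 * i, 4, lambda b: _u32(b) in SLOT_STATES)
           for i in range(8)]

def triage(hdr):
    """Return (field, offset, looks_ok) rows for a copy of the first 592 bytes."""
    if len(hdr) < PHDR_LEN:
        raise ValueError("need at least 592 bytes")
    return [(n, off, chk(hdr[off:off + ln])) for n, off, ln, chk in FIELDS]

def first_intact(rows):  # first field that looks good; earlier ones need rebuilding
    return next(((n, off) for n, off, ok in rows if ok), None)

def sample_header():
    """Constructed LUKS1-shaped header with placeholder values, not a real volume."""
    h = bytearray(PHDR_LEN)
    h[0:8] = LUKS_MAGIC + b"\x00\x01"
    h[8:11], h[40:56], h[72:76] = b"aes", b"cbc-essiv:sha256", b"sha1"
    struct.pack_into(">II", h, 104, 2056, 32)
    h[168:204] = b"00000000-0000-0000-0000-000000000000"
    for i in range(8):
        struct.pack_into(">I", h, 208 + 48 * i, 0x00AC71F3 if i == 0 else 0x0000DEAD)
    return bytes(h)

def damaged_header():
    """Constructed damage: bytes 0..39 overwritten, cipher mode at 40 survives."""
    junk = b"GRUB \x00Geom\x00Hard Disk\x00Read\x00 Error\x00"
    return (junk * 2)[:40] + sample_header()[40:]
```

Run `triage()` on the header backup file rather than on the device itself; the checks are plausibility heuristics and say nothing about whether the key material in the slots is intact.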