On Wed, 18 Feb 2009 16:23:30 +0100 Arno Wagner <arno@xxxxxxxxxxx> wrote: > On Wed, Feb 18, 2009 at 03:15:32PM +0100, orinoco wrote: > [...] > So the header looks good but open fails. Most likely > is a defective key block. No way to repair that. Too bad! I guess dm-crypt did overwrite the luks header with a random key for a swap partition, but I'd like to know what did actually happen, and if there is a chance to brute-force-attack single bytes in case the key in the header were not overwritten completely. > > > There may be other fields you absolutely need, but > > > 32-64 bits or so can be brute-forced today without too > > > much hassle, depending on what actually need to be done > > > for a try. This still costs significant effort and > > > may cause significant cost. > > > > > > The other thing is to think about how much your data is > > > worth. It may be cheaptest to regard this as a lost > > > cause from the beginning. > > I would consider it "nice to have it back" and worth some effort. > > It isn't (or wasn't) vital information. > Good to know. I think you have done all the easy steps. > My advice is to cut your losses and start over with a new > encrypted partition. I guess I will keep it as-is-as as a memorial. And maybe quantum computers in the future will be able to decrypt the information again =:-} > > > Although I would recomment at least > > > one in-detail look at the header. It may basically still > > > be there. > > There is a "complete" header information I get from luksDump (see > > above), but it does not seem to work with luksOpen and the original > > passphrase. > > BTW I noticed that my system keeps mixing the sdXX device order. > > After a reboot it changed again. > That is really bad, expecially with automated swap creation. I turned it off completely although there shouldn't be any partition left to mix with it. I'm fed up with encrypted swap. > What I would advise is that you delegate the swap creation > to a script, that at least checks partition size before > trashing it. You may also want to, e.g., not use the first > kB of the partition and put a magic number in there that you > also check. > Come to think of it, you could also put your swap on an > one-partition RAID1 and then access it by its /dev/md<number> > (set partition type to autodetection). That should be stable > and circumvent your problem. I will consider that. In the sidux form they advised me to label the swap partition. Might be another solution to kick off all /dev/sdXX entries in the fstab and crypttab files and make mounting unique. Thanks for your help. regards Carsten -- Mail Encryption welcome! - Mail Verschlüsselung erwünscht! Ask for public key! - öffentlicher Schlüssel auf Anfrage!
