How to gather LUKS parameters from active device (if LUKS header lost)

On 08/02/2010 11:58 AM, Milan Broz wrote:
> If you see dm-crypt mapping there mapped to proper drive, you can still recreate
> LUKS header with some magic.

Well, here is an idea for how to reconstruct the LUKS header from an active mapping
if the header is lost but the mapping is still active.
(Note: if the device is not active, recovery is impossible.)

- it will change LUKS UUID!
- no passphrase needed, it asks for new one (root access required of course)
- cryptsetup 1.1.x required.

Do not save master key file (second param) to unencrypted filesystem!

I'll add something similar to cryptsetup distro into DOC install,
for now take this as an idea - see attached script (it will not touch the device,
it only saves the master key to a file and prints the required parameters for cryptsetup).

BEWARE: NO GUARANTEES AT ALL. NOT PROPERLY TESTED.

Example:
  If you have mapped device named "luks_sdb", script will produce this:

  # <script> luks_sdb /mnt/safedisk/sdb_master_key

  Generating master key to file /mnt/safedisk/sdb_master_key.
  You can now try to reformat LUKS device using:
  cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 --align-payload=2056 --master-key-file=/mnt/safedisk/sdb_master_key /dev/sdb

Milan

[---cut here---]
#!/bin/bash

# Try to get LUKS info and master key from active mapping and prepare parameters for cryptsetup
# (C) 2010 Milan Broz <asi@xxxxxx>

# The master key file must be readable by its owner only.
umask 077

# Print a message (escape sequences interpreted) and exit with an error.
fail() { echo -e "$1" ; exit 1 ; }
# N-th space-separated field of the dm-crypt table line (field 4 = cipher, field 5 = key).
field() { dmsetup table --target crypt --showkeys "$DEVICE" | cut -d' ' -f"$1" ; }
# First word of the named value in "cryptsetup status" output.
field_cryptsetup() { cryptsetup status "$DEVICE" | grep "$1:" | sed "s/.*$1:\s*//;s/\ .*//" ; }

which xxd >/dev/null || fail "You need xxd (part of vim package) installed to convert key."

[ -z "$2" ] && fail "LUKS header from active mapping, use:\n $0 crypt_mapped_device mk_file_name"

DEVICE=$1
MK_FILE=$2

[ -z "$(field 4)" ] && fail "Mapping $1 not active or it is not crypt target."

CIPHER=$(field_cryptsetup cipher)
OFFSET=$(field_cryptsetup offset)
REAL_DEVICE=$(field_cryptsetup device)
KEY_SIZE=$(field_cryptsetup keysize)
KEY=$(field 5)

# Check for empty values first so that -le never sees an empty OFFSET.
{ [ -z "$CIPHER" ] || [ -z "$OFFSET" ] || [ -z "$KEY" ] || [ "$OFFSET" -le 383 ] ; } && fail "Incompatible device, sorry."

echo "Generating master key to file $MK_FILE."
# Convert the hex key from the table line into raw bytes.
echo -E -n "$KEY" | xxd -r -p >"$MK_FILE"

echo "You can now try to reformat LUKS device using:"
echo "  cryptsetup luksFormat -c $CIPHER -s $KEY_SIZE --align-payload=$OFFSET --master-key-file=$MK_FILE $REAL_DEVICE"


_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
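
Added example, not part of the original post or of cryptsetup: a sanity check that could run before the luksFormat step, cross-checking the key field of the dmsetup table line against the cipher and keysize reported by cryptsetup status, and checking the size of the written key file. The function names are hypothetical, the sample table line and key are constructed, and treating an all-zero key as a masked key is an assumption.

```shell
#!/bin/sh
# Added example: sanity checks on values read from an active dm-crypt mapping
# before they are handed to "cryptsetup luksFormat --master-key-file".

# Constructed sample "dmsetup table --showkeys" line; the key is made up.
SAMPLE_KEY=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
SAMPLE_LINE="0 41940984 crypt aes-cbc-essiv:sha256 $SAMPLE_KEY 0 8:16 2056"

# check_crypt_table LINE KEYSIZE_BITS CIPHER   (hypothetical helper)
# Prints "ok <payload offset>" and returns 0, or prints the reason and returns 1.
# The body runs in a subshell so the positional-parameter split stays local.
check_crypt_table() (
    want_bits=$2; want_cipher=$3
    set -f; set -- $1; set +f      # split the table line on whitespace
    target=$3; cipher=$4; key=$5; offset=$8

    [ "$target" = crypt ] || { echo "not a crypt target"; return 1; }
    [ "$cipher" = "$want_cipher" ] || { echo "cipher mismatch"; return 1; }
    case $key in
        ''|*[!0-9a-fA-F]*) echo "key is not plain hex"; return 1 ;;
    esac
    # Each hex digit carries 4 bits; compare with the keysize from cryptsetup status.
    [ $(( ${#key} * 4 )) -eq "$want_bits" ] || { echo "key length mismatch"; return 1; }
    # Assumption: an all-zero key means the key was masked, not a usable key.
    case $key in
        *[!0]*) ;;
        *) echo "key is all zeros"; return 1 ;;
    esac
    case $offset in
        ''|*[!0-9]*) echo "bad payload offset"; return 1 ;;
    esac
    echo "ok $offset"
)

# key_file_ok FILE KEYSIZE_BITS   (hypothetical helper)
# The binary master key file must hold exactly KEYSIZE/8 bytes.
key_file_ok() {
    [ -f "$1" ] && [ "$(wc -c <"$1")" -eq $(( $2 / 8 )) ]
}
```

On a live system the first argument would be the output of `dmsetup table --target crypt --showkeys <mapping>`, and the second and third the keysize and cipher from `cryptsetup status <mapping>`.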

