Re: How to gather LUKS parameters from active device (if LUKS header lost)

On Mon, 02 Aug 2010 15:43 +0200, "Milan Broz" <mbroz@xxxxxxxxxx> wrote:
> 
> 
> On 08/02/2010 11:58 AM, Milan Broz wrote:
> > If you see dm-crypt mapping there mapped to proper drive, you can still recreate
> > LUKS header with some magic.
> 
> Well, here is the idea how to reconstruct LUKS header from active mapping
> if header is lost but mapping is still active.
> (Note: if device is not active, recovery is impossible).
> 
> - it will change LUKS UUID!
> - no passphrase needed, it asks for new one (root access required of course)
> - cryptsetup 1.1.x required.
> 
> Do not save master key file (second param) to unencrypted filesystem!
> 
> I'll add something similar to cryptsetup distro into DOC install,
> for now take this as an idea - see attached script (it will not touch device,
> only saves master key to file and print required parameters for cryptsetup).
> 
> BEWARE: NO GUARANTEES AT ALL. NOT PROPERLY TESTED.
> 
> Example:
>   If you have mapped device named "luks_sdb", script will produce this:
> 
>   # <script> luks_sdb /mnt/safedisk/sdb_master_key
> 
>   Generating master key to file /mnt/safedisk/sdb_master_key.
>   You can now try to reformat LUKS device using:
>   cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256
>   --align-payload=2056 --master-key-file=/mnt/safedisk/sdb_master_key
>   /dev/sdb
> 
> Milan
> 
> [---cut here---]
> #!/bin/bash
> 
> # Try to get LUKS info and master key from active mapping and prepare parameters for cryptsetup
> # (C) 2010 Milan Broz <asi@xxxxxx>
> 
> # Print a message and exit with an error.
> fail() { echo -e "$1" ; exit 1 ; }
> # Field N of the dm-crypt table line (4 = cipher, 5 = key in hex).
> field() { echo $(dmsetup table --target crypt --showkeys "$DEVICE" | cut -d' ' -f"$1") ; }
> # Value of a named field from "cryptsetup status" output.
> field_cryptsetup() { echo $(cryptsetup status "$DEVICE" | grep "$1" | sed "s/.*$1:\s*//;s/\ .*//") ; }
> 
> which xxd >/dev/null || fail "You need xxd (part of vim package) installed to convert key."
> 
> [ -z "$2" ] && fail "LUKS header from active mapping, use:\n $0 crypt_mapped_device mk_file_name"
> 
> DEVICE=$1
> MK_FILE=$2
> 
> [ -z "$(field 4)" ] && fail "Mapping $1 not active or it is not crypt target."
> 
> CIPHER=$(field_cryptsetup cipher)
> OFFSET=$(field_cryptsetup offset)
> REAL_DEVICE=$(field_cryptsetup device)
> KEY_SIZE=$(field_cryptsetup keysize)
> KEY=$(field 5)
> 
> # Test for empty values first so the numeric comparison never sees an empty string.
> [ -z "$CIPHER" ] || [ -z "$OFFSET" ] || [ -z "$KEY" ] || [ "$OFFSET" -le 383 ] && fail "Incompatible device, sorry."
> 
> echo "Generating master key to file $MK_FILE."
> # Create the key file readable by its owner only.
> umask 077
> # Convert the hex key from the table into raw bytes.
> echo -E -n "$KEY" | xxd -r -p >"$MK_FILE"
> 
> echo "You can now try to reformat LUKS device using:"
> echo "  cryptsetup luksFormat -c $CIPHER -s $KEY_SIZE --align-payload=$OFFSET --master-key-file=$MK_FILE $REAL_DEVICE"
> 


It gets worse and worse: I go to work, come back and my woman has turned
off the computer. Whatever I was seeing earlier today is no longer there
- just the iso image I wrote to the disk.

I think I'm stuffed, but very very grateful for the helpful replies
here.



-- 
http://www.fastmail.fm - Faster than the air-speed velocity of an
                          unladen european swallow

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
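
The table-parsing step of the script quoted above, as an added example that is not part of either message in the thread: it validates one dm-crypt table line and derives the luksFormat parameters from it, going slightly beyond the script by computing the key size from the hex key length and rejecting a masked (all-zero) key. The function name `luks_params_from_table` and the sample line are constructed for illustration; the device comes back as major:minor, and resolving it to a /dev path is left out.

```shell
#!/bin/sh
# Added example: turn one dm-crypt table line (the format printed by
# `dmsetup table --showkeys <name>`) into the parameters luksFormat needs.
# Layout: <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>

# Constructed sample line; the key is a made-up 256-bit value, not a real one.
SAMPLE_TABLE="0 417792 crypt aes-cbc-essiv:sha256 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 0 8:16 2056"

# luks_params_from_table "<table line>"   (hypothetical helper name)
# Prints "<cipher> <key bits> <payload offset> <backing device>", or fails
# with a reason on stderr. The body runs in a subshell so variables stay
# local, and the key itself is never printed.
luks_params_from_table() (
    set -f                      # no globbing while word-splitting the line
    set -- $1
    [ "$#" -ge 8 ] || { echo "short table line" >&2; exit 1; }
    target=$3 cipher=$4 key=$5 dev=$7 offset=$8

    [ "$target" = "crypt" ] || { echo "not a crypt target" >&2; exit 1; }

    # The key field must be an even number of hex digits.
    case "$key" in
        ""|*[!0-9a-fA-F]*) echo "key field is not hex" >&2; exit 1 ;;
    esac
    [ $(( ${#key} % 2 )) -eq 0 ] || { echo "odd-length key" >&2; exit 1; }

    # dmsetup prints zeros in place of the key when --showkeys is omitted.
    case "$key" in
        *[!0]*) ;;
        *) echo "key is all zeros (masked, --showkeys missing?)" >&2; exit 1 ;;
    esac

    # Same lower bound as the script in the quoted message (rejects <= 383).
    case "$offset" in
        ""|*[!0-9]*) echo "bad offset" >&2; exit 1 ;;
    esac
    [ "$offset" -gt 383 ] || { echo "offset at or below 383 sectors" >&2; exit 1; }

    # Two hex digits per byte, so bits = digits * 4.
    echo "$cipher $(( ${#key} * 4 )) $offset $dev"
)

luks_params_from_table "$SAMPLE_TABLE"
```
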

