Hmm, this was still mounted? Ah, I see. Another thing to add to
my list of things not to do when tired: Giving advice in critical
situations. Sorry.

One thing you can do before trying Milan's instructions is
to make an image backup (with dd/dd_rescue) of the decrypted
device, i.e. the device in /dev/mapper/<something>. That
will fix the current state in case something goes wrong and
you can do conventional recovery on the image.

Arno

On Mon, Aug 02, 2010 at 03:43:01PM +0200, Milan Broz wrote:
>
>
> On 08/02/2010 11:58 AM, Milan Broz wrote:
> > If you see dm-crypt mapping there mapped to proper drive, you can still recreate
> > LUKS header with some magic.
>
> Well, here is the idea how to reconstruct LUKS header from active mapping
> if header is lost but mapping is still active.
> (Note: if device is not active, recovery is impossible).
>
> - it will change LUKS UUID!
> - no passphrase needed, it asks for new one (root access required of course)
> - cryptsetup 1.1.x required.
>
> Do not save master key file (second param) to unencrypted filesystem!
>
> I'll add something similar to cryptsetup distro into DOC install,
> for now take this as an idea - see attached script (it will not touch device,
> only saves master key to file and prints required parameters for cryptsetup).
>
> BEWARE: NO GUARANTEES AT ALL. NOT PROPERLY TESTED.
>
> Example:
> If you have mapped device named "luks_sdb", script will produce this:
>
> # <script> luks_sdb /mnt/safedisk/sdb_master_key
>
> Generating master key to file /mnt/safedisk/sdb_master_key.
> You can now try to reformat LUKS device using:
>   cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 --align-payload=2056 --master-key-file=/mnt/safedisk/sdb_master_key /dev/sdb
>
> Milan
>
> [---cut here---]
> #!/bin/bash
>
> # Try to get LUKS info and master key from active mapping and prepare parameters for cryptsetup
> # (C) 2010 Milan Broz <asi@xxxxxx>
>
> # Print an error message and stop.
> fail() { echo -e "$1" ; exit 1 ; }
> # Print field N of the dm-crypt table line (the key is only shown with --showkeys).
> field() { echo $(dmsetup table --target crypt --showkeys "$DEVICE" | cut -d' ' -f"$1") ; }
> # Print the value of a named field from "cryptsetup status".
> field_cryptsetup() { echo $(cryptsetup status "$DEVICE" | grep "$1" | sed "s/.*$1:\s*//;s/\ .*//") ; }
>
> which xxd >/dev/null || fail "You need xxd (part of vim package) installed to convert key."
>
> [ -z "$2" ] && fail "LUKS header from active mapping, use:\n $0 crypt_mapped_device mk_file_name";
>
> DEVICE=$1
> MK_FILE=$2
>
> # Field 4 of the table line is the cipher; empty means no active crypt mapping.
> [ -z "$(field 4)" ] && fail "Mapping $1 not active or it is not crypt target."
>
> CIPHER=$(field_cryptsetup cipher)
> OFFSET=$(field_cryptsetup offset)
> REAL_DEVICE=$(field_cryptsetup device)
> KEY_SIZE=$(field_cryptsetup keysize)
> # Field 5 of the table line is the master key in hex.
> KEY=$(field 5)
>
> [ -z "$CIPHER" -o -z "$OFFSET" -o "$OFFSET" -le 383 -o -z "$KEY" ] && fail "Incompatible device, sorry."
>
> echo "Generating master key to file $MK_FILE."
> # Convert the hex key to binary.
> echo -E -n "$KEY" | xxd -r -p >"$MK_FILE"
>
> echo "You can now try to reformat LUKS device using:"
> echo "  cryptsetup luksFormat -c $CIPHER -s $KEY_SIZE --align-payload=$OFFSET --master-key-file=$MK_FILE $REAL_DEVICE"
>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt
>

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens."
-- Bruce Schneier
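Added example, not part of the original messages or of cryptsetup: a check that can be run on the `dmsetup table --showkeys` line before the key and parameters taken from it are handed to luksFormat. The function name `check_crypt_table` and the sample line are assumptions made for illustration; the 383 threshold is the one used in the quoted script.

```bash
# Added example, not Milan Broz's script. Validates one crypt-target line as
# printed by `dmsetup table --showkeys <name>`:
#   <start> <length> crypt <cipher> <hexkey> <iv_offset> <device> <offset>

# check_crypt_table LINE  (hypothetical helper)
# Prints "<cipher> <key_bits> <payload_offset>" on success, returns 1 otherwise.
check_crypt_table() {
    set -f          # no globbing while the line is split into fields
    set -- $1       # positional parameters are local to the function
    set +f
    [ "$#" -ge 8 ] || { echo "expected at least 8 fields, got $#" >&2; return 1; }
    [ "$3" = "crypt" ] || { echo "target is '$3', not crypt" >&2; return 1; }
    ct_cipher=$4 ct_key=$5 ct_offset=$8

    case $ct_key in
        ''|*[!0-9a-fA-F]*) echo "key field is not hex" >&2; return 1 ;;
    esac
    # Without --showkeys, dmsetup prints the key as a run of zeros.
    case $ct_key in
        *[!0]*) ;;
        *) echo "key is all zeros; was --showkeys given?" >&2; return 1 ;;
    esac
    # Two hex digits per byte, so an odd length means a truncated copy.
    [ $(( ${#ct_key} % 2 )) -eq 0 ] || { echo "odd key length" >&2; return 1; }

    case $ct_offset in
        ''|*[!0-9]*) echo "offset is not a number" >&2; return 1 ;;
    esac
    # Same threshold as the script in the thread (it rejects offsets <= 383).
    [ "$ct_offset" -gt 383 ] || { echo "offset $ct_offset is at or below 383" >&2; return 1; }

    echo "$ct_cipher $(( ${#ct_key} * 4 )) $ct_offset"
}

# Constructed sample line (the key is made up, not from a real device).
SAMPLE="0 1953521072 crypt aes-cbc-essiv:sha256 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff 0 8:16 2056"
check_crypt_table "$SAMPLE"   # -> aes-cbc-essiv:sha256 256 2056
```

The printed key size should match what `cryptsetup status` reports as keysize; a mismatch means the table line was copied incompletely.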