Re: How to gather LUKS parameters from active device (if LUKS header lost)

Hmm, this was still mounted? Ah, I see. Another thing to add to
my list of things not to do when tired: giving advice in critical
situations. Sorry.

One thing you can do before trying Milan's instructions is to 
make an image backup (with dd/dd_rescue) of the decrypted device,
i.e. the device in /dev/mapper/<something>.
That will fix the current state in case something goes wrong
and you can do conventional recovery on the image.

Arno


On Mon, Aug 02, 2010 at 03:43:01PM +0200, Milan Broz wrote:
> 
> 
> On 08/02/2010 11:58 AM, Milan Broz wrote:
> > If you see dm-crypt mapping there mapped to proper drive, you can still recreate
> > LUKS header with some magic.
> 
> Well, here is the idea of how to reconstruct the LUKS header from an active mapping
> if the header is lost but the mapping is still active.
> (Note: if the device is not active, recovery is impossible.)
> 
> - it will change LUKS UUID!
> - no passphrase needed, it asks for new one (root access required of course)
> - cryptsetup 1.1.x required.
> 
> Do not save master key file (second param) to unencrypted filesystem!
> 
> I'll add something similar to cryptsetup distro into DOC install,
> for now take this as an idea - see attached script (it will not touch the device,
> it only saves the master key to a file and prints the required parameters for cryptsetup).
> 
> BEWARE: NO GUARANTEES AT ALL. NOT PROPERLY TESTED.
> 
> Example:
>   If you have mapped device named "luks_sdb", script will produce this:
> 
>   # <script> luks_sdb /mnt/safedisk/sdb_master_key
> 
>   Generating master key to file /mnt/safedisk/sdb_master_key.
>   You can now try to reformat LUKS device using:
>   cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 --align-payload=2056 --master-key-file=/mnt/safedisk/sdb_master_key /dev/sdb
> 
> Milan
> 
> [---cut here---]
> #!/bin/bash
> 
> # Try to get LUKS info and master key from active mapping and prepare parameters for cryptsetup
> # (C) 2010 Milan Broz <asi@xxxxxx>
> 
> fail() { echo -e "$1" ; exit 1 ; }
> # Field N of the dm-crypt table line: <start> <len> crypt <cipher> <key> <iv_offset> <device> <offset>
> # --showkeys is required, otherwise dmsetup replaces the key column with zeros.
> field() { dmsetup table --target crypt --showkeys "$DEVICE" | cut -d' ' -f"$1" ; }
> # Value of one "cryptsetup status" line, e.g. "  keysize: 256 bits" -> "256"
> field_cryptsetup() { cryptsetup status "$DEVICE" | grep "^ *$1:" | sed "s/.*$1:\s*//;s/\ .*//" ; }
> 
> which xxd >/dev/null || fail "You need xxd (part of vim package) installed to convert key."
> 
> [ -z "$2" ] && fail "LUKS header from active mapping, use:\n $0 crypt_mapped_device mk_file_name"
> 
> DEVICE=$1
> MK_FILE=$2
> 
> [ -z "$(field 4)" ] && fail "Mapping $1 not active or it is not crypt target."
> 
> CIPHER=$(field_cryptsetup cipher)
> OFFSET=$(field_cryptsetup offset)
> REAL_DEVICE=$(field_cryptsetup device)
> KEY_SIZE=$(field_cryptsetup keysize)
> KEY=$(field 5)
> 
> # Test emptiness first; "-le" on an empty OFFSET would only produce a shell error.
> [ -z "$CIPHER" -o -z "$OFFSET" -o -z "$KEY" ] && fail "Incompatible device, sorry."
> # Payload must leave room for a LUKS header in front of it.
> [ "$OFFSET" -le 383 ] && fail "Incompatible device, sorry."
> 
> echo "Generating master key to file $MK_FILE."
> # Key file must be readable by root only; dmsetup prints the key as hex, xxd -r -p converts it back to raw bytes.
> umask 077
> echo -E -n "$KEY" | xxd -r -p >"$MK_FILE"
> 
> echo "You can now try to reformat LUKS device using:"
> echo "  cryptsetup luksFormat -c $CIPHER -s $KEY_SIZE --align-payload=$OFFSET --master-key-file=$MK_FILE $REAL_DEVICE"
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt
> 

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 
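An added example, not Milan's script and not cryptsetup's own code: the same extraction as a POSIX shell function that works offline on a dm-crypt table line (the format `dmsetup table --showkeys <name>` prints), refuses a key the kernel keeps in its keyring (newer cryptsetup shows `:<bytes>:logon:...` in place of the hex key, and nothing can be recovered this way), checks the offset the way the script does, and writes the key file with umask 077. The function names, the sample key and the table line are constructed for the example.

```bash
#!/bin/sh
# Constructed example: derive luksFormat parameters from one dm-crypt table line
#   <start> <len> crypt <cipher> <key> <iv_offset> <device> <offset>
# Return codes: 0 ok, 1 not a crypt target, 2 key not in the table (kernel
# keyring reference), 3 key or offset unusable.
luks_params_from_table() {
    set -- $1
    [ "$3" = "crypt" ] || return 1
    cipher=$4; key=$5; dev=$7; offset=$8
    case $key in
        :*) return 2 ;;                     # ":<bytes>:logon:<desc>" -> key lives in keyring
        ""|*[!0-9a-fA-F]*) return 3 ;;      # key must be plain hex
    esac
    [ $(( ${#key} % 2 )) -eq 0 ] || return 3
    bits=$(( ${#key} * 4 ))                 # one hex digit = 4 bits
    # Same bound as the posted script: offsets of 383 sectors or less leave no room for a LUKS header.
    [ "$offset" -gt 383 ] 2>/dev/null || return 3
    # dmsetup reports the backing device as major:minor; resolve it to a /dev path
    # (cryptsetup status prints one) before running the command.
    printf 'cryptsetup luksFormat -c %s -s %s --align-payload=%s --master-key-file=MK_FILE %s\n' \
        "$cipher" "$bits" "$offset" "$dev"
}

# Write a hex key as raw bytes to $2, created readable by the owner only (umask 077);
# the warning about unencrypted filesystems still applies to where $2 lives.
hexkey_to_file() {
    key=$1; out=$2; i=1
    ( umask 077; : > "$out" ) || return 1
    while [ "$i" -lt "${#key}" ]; do
        pair=$(printf '%s' "$key" | cut -c"$i"-"$((i+1))")
        printf "\\$(printf '%03o' "$((0x$pair))")" >> "$out"   # octal escape -> one byte
        i=$((i+2))
    done
}

# Constructed sample: 256-bit key (64 hex digits), payload at sector 2056, backing device 8:16.
SAMPLE_KEY=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
SAMPLE_TABLE="0 2097152 crypt aes-cbc-essiv:sha256 $SAMPLE_KEY 0 8:16 2056"

luks_params_from_table "$SAMPLE_TABLE"
```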

