Re: Is partial LUKS recovery possible?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Dec 02, 2010 at 10:44:25PM +0100, Miklos Bagi wrote:
> > Mh, I'm not really sure what you mean with "salt" here.
> >
> > To set up a dm-crypt mapping you need a (block)cipher, a key, and a
> > (underlying) device.
> > If you set up a CBC-ESSIV (Encrypted Salt-Sector IV) cipher, there is
> > something like a salt (although this is more or less a misnomer)
> > involved, but this is deduced from the key.
> > So, you don't need an explicit salt to set up a dm-crypt mapping if you
> > know the key (called master key in LUKS context).
> Correct, this I can check when I luksDump my partition information: MK
> bits, MK digest, MK salt.
> The one I was talking about is in a key slot (same luksDump provides the
> info), and comes with iterations, key material offset and AF stripes.
> When I initialize my partition with cryptsetup --create, I see no way
> determining whether these details are matching, so I might be "reading"
> the whole partition wrong.
...
> I sense there might be a diff in terminology here. By master key I mean
> the one particular file provided to cryptsetup luksFormat <my_device>
> <key_file>, and used primarily to provide better security and at the
> same time avoid the requirement to enter passphrase.

All right, then we indeed have a difference in terminology here. Since
you explicitely claimed to "have the master key file available" I
assumed you were aware of the terminology.

What you have is not the master key but a key to unlock a LUKS keyslot,
i.e. a key the master key is derived from. The information you claimed
to have in your first mail (chipher, keysize, offset, and key file) are
not sufficient in this case.
To derive the master key (used to en/decrypt your data) from your key
you mandatorily need the salt and iterations of the respective key slot.
If you don't have that, you are definitely lost.

However, when you can luksDump your partition information (as you state
above) or when you have an older luksDump output available, you have all
the information required to restore the LUKS header, including the
mentioned salt and iterations.

On Thu, Dec 02, 2010 at 10:53:24PM +0100, Miklos Bagi wrote:
> I've been playing around with setting it up a couple of ways, no luck yet.
> The one most looking like the most "valid" to me at this stage is:
> #cryptsetup create crypt-test-sda1 /dev/sda1 -d <keyfile> -o 2056
> cipher, keysize, etc are detected properly - but xfs finds no supblock.

`cryptsetup create' does not detect anything, it just uses default
values for all the parameters you did not specify explicitely.
And the mappings it creates do all look equally "valid" - i.e. the
mapping it creates decrypts your partition to something... mostly more
or less random looking data.


PS: I re-added dm-crypt@ back to CC:

regards
   Mario
-- 
I've never been certain whether the moral of the Icarus story should
only be, as is generally accepted, "Don't try to fly too high," or
whether it might also be thought of as, "Forget the wax and feathers
and do a better job on the wings."            -- Stanley Kubrick

Attachment: signature.asc
Description: Digital signature

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt

[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux