On Sat, Jun 25, 2011 at 08:47:26PM +0200, Mahashakti89 wrote:
> Hi,
>
> I am running Debian Sid, two partitions are encrypted with
> cryptsetup: /home on /dev/sda and /backup on /dev/sdd.
>
> For /home I used the luks option and I type a password on boot,
> for /backup I used /lib/cryptsetup/scripts/decrypt_derived and the
> keyfile option in order to type only the password for /home.
>
> Last week I had to format /home, I created a new encrypted volume
> with the same luks option and the same password, /backup was untouched
> but now I can no longer open the backup volume despite the fact I used
> the same decrypt_derived and keyfile options.
>
> How do I make this work, I mean, access to /backup?? What did I
> miss??
>
> Hope my explanations are clear ....

If I understand this right, then decrypt_derived uses the master key
of an already mapped device to be used as input into something
else, here your backup device's passphrase.

If so, then the problem is clear: LUKS does not derive the
master key from your password. Rather the password is used
as one of 8 encrypted versions of the master key and
the master key gets generated randomly on luksFormat.
(The encrypted master key is also expanded into anti-forensic
stripes, but that is not relevant for your problem.)

Now, when you did the formatting of /home, you also generated
a new master key and decrypt_derived reports that new key now.

Unless you have a header backup or a master key backup
of the old /home, then /backup is gone permanently, i.e.
nothing can be done.

If you have a header backup, restore that header to
a luks partition that you do not care about (the FAQ explains
how to do this with a loopback-file, which should work),
map the partition with your password and call decrypt_derived
on it. That gives you the password for /backup.

The luks partition used here will never even be accessed,
do not mount it. You just have to put the header somewhere in
order to be able to map the device and get the master key
from it. Don't use a luks partition with data for this!

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
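
The key hierarchy described in the reply above, as an added example that is not part of the original post and is not cryptsetup code: a simplified Python model showing why the same passphrase on a reformatted volume yields a different derived key, and why an old header backup recovers it. Assumptions: all function names are hypothetical, the key wrap is a toy XOR with no anti-forensic stripes, the PBKDF2 parameters are constructed, and the derived key is modelled as depending only on the master key.

```python
import hashlib
import os

PBKDF2_ITERATIONS = 1000  # constructed value, kept low so the example runs fast

def _stretch(secret: bytes, salt: bytes) -> bytes:
    # LUKS stretches passphrases with PBKDF2; hash and parameters here are constructed.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=32)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def luks_format(passphrase: bytes) -> dict:
    """Model of luksFormat: a fresh random master key, wrapped in one key slot."""
    master_key = os.urandom(32)  # generated randomly, never derived from the passphrase
    slot_salt, digest_salt = os.urandom(32), os.urandom(32)
    return {
        "slot_salt": slot_salt,
        # Toy wrap (XOR with the stretched passphrase); real LUKS uses a cipher
        # plus anti-forensic stripes.
        "slot": _xor(master_key, _stretch(passphrase, slot_salt)),
        "digest_salt": digest_salt,
        "mk_digest": _stretch(master_key, digest_salt),  # lets luks_open reject a bad passphrase
    }

def luks_open(header: dict, passphrase: bytes) -> bytes:
    """Model of luksOpen: unwrap the slot and check the result against the digest."""
    candidate = _xor(header["slot"], _stretch(passphrase, header["slot_salt"]))
    if _stretch(candidate, header["digest_salt"]) != header["mk_digest"]:
        raise ValueError("no key available with this passphrase")
    return candidate

def decrypt_derived(master_key: bytes) -> str:
    # Assumption of this model: the derived key depends only on the master key.
    return master_key.hex()

def scenario(passphrase: bytes = b"constructed passphrase") -> dict:
    old_home = luks_format(passphrase)
    header_backup = dict(old_home)  # stands in for a header backup taken before the reformat
    enrolled_on_backup = decrypt_derived(luks_open(old_home, passphrase))
    new_home = luks_format(passphrase)  # reformat with the same passphrase
    return {
        "enrolled": enrolled_on_backup,
        "after_reformat": decrypt_derived(luks_open(new_home, passphrase)),
        "from_header_backup": decrypt_derived(luks_open(header_backup, passphrase)),
    }
```

In the model, as in the reply, the header is the only place the old master key survives: the passphrase alone reproduces nothing once the header has been overwritten.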