On Thu, Aug 25, 2011 at 12:55:40PM +0000, Ralf wrote:
>
> Hi,
>
> I have a problem accessing my data, I have backups but I try to understand what
> happened so it does not happen again. So maybe you can help me to understand the
> problem I am faced with.
>
> I run a mdadm-software-raid6 across 4x 1TB sata disks resulting in a ~2TB
> /dev/md0. This md0 is consistent and never had issues.
> [...]
>
> Would it even be enough to have 99*64k behind the luks header to decrypt
> the FS? Or what exact blocks would it need for the IV calculations or
> decryption? Is there a way to randomly try to decrypt specific blocks
> using the luksheader + my well known password to check if it works or not?
>

As you can see in the FAQ, item "What does the on-disk structure of LUKS look like?", a LUKS header keyslot with standard parameters is 128kiB long, so no, it is not enough. Incidentally, with XTS as you are using, it is 256kiB and you need to add 4096B offset for the header. All in the FAQ.

You should really have a look at the FAQ before you fumble in the dark like that. You should also have a look at the "PASSPHRASES" warning at the start of the FAQ.

And no, without an intact keyslot, your password is worthless. On the other hand, if header and keyslot were intact, you would be able to luksOpen. cryptsetup does not care where the header is or what device it is on, as long as it gets told the offset of its start.

> Can you explain why my luks header is at offset 64k and why it may reject
> my password on the offsetted loopback device?

Keyslot damage? There is a reason the FAQ strongly recommends having a header backup.

> Do you have any idea what might have happened?

No idea. A possible next step (after you have read up on the LUKS on-disk structure) is to look at keyslot 0 and the other keyslots. Keyslots 1-7 should be zeroed. Keyslot 0 should be all random-looking without any discernible structure at all. If it is not, then something wrote into it and effectively erased it, courtesy of the anti-forensic properties of LUKS.

As to preventing this happening again: Read the FAQ, have a header backup, understand your on-disk structure and you should be fine.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier
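The keyslot inspection suggested in the reply above, as an added example that is not part of the original post or of cryptsetup. It assumes the LUKS1 on-disk layout (592-byte header, keyslot descriptors from byte 208, key-material offsets in 512-byte sectors relative to the header start, material length = key bytes × stripes); the function names, the 4096-byte test block and the 7.5 bits/byte threshold are choices made for this example, and `build_sample` produces a constructed image with the header at the 64k offset from the question.

```python
import math, os, struct
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE = 0x00AC71F3   # LUKS1 marker for an enabled keyslot
SECTOR = 512

def entropy(buf):
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def inspect_keyslots(image, hdr_off=0, block=4096, min_bits=7.5):
    """Classify each keyslot's key-material area; hdr_off is where the header starts."""
    phdr = image[hdr_off:hdr_off + 592]
    if len(phdr) < 592 or phdr[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS1 header at offset %d" % hdr_off)
    key_bytes = struct.unpack_from(">I", phdr, 108)[0]
    report = []
    for slot in range(8):
        active, _iters, _salt, km_off, stripes = struct.unpack_from(
            ">II32sII", phdr, 208 + 48 * slot)
        start = hdr_off + km_off * SECTOR
        area = image[start:start + key_bytes * stripes]
        if len(area) < key_bytes * stripes:
            verdict = "truncated"
        elif not any(area):
            verdict = "zeroed"
        else:
            # One overwritten block is enough to destroy the slot, so test per block.
            low = [i for i in range(0, len(area), block)
                   if entropy(area[i:i + block]) < min_bits]
            verdict = "random-looking" if not low else "structured at +%d" % low[0]
        report.append((slot, active == SLOT_ACTIVE, verdict))
    return report

def build_sample(hdr_off=65536, key_bytes=64, stripes=4000, damage=False):
    """Constructed image: header at hdr_off, slot 0 in use, slots 1-7 zeroed."""
    slot_sectors = -(-key_bytes * stripes // 4096) * 8   # slot size rounded up to 4 KiB
    phdr = bytearray(592)
    struct.pack_into(">6sH", phdr, 0, LUKS_MAGIC, 1)
    struct.pack_into(">I", phdr, 108, key_bytes)
    for slot in range(8):
        struct.pack_into(">II32sII", phdr, 208 + 48 * slot, SLOT_ACTIVE if slot == 0
                         else 0xDEAD, 0, bytes(32), 8 + slot * slot_sectors, stripes)
    img = bytearray(hdr_off + (8 + 8 * slot_sectors) * SECTOR)
    img[hdr_off:hdr_off + 592] = phdr
    km = hdr_off + 8 * SECTOR                            # key material 4096 B after header start
    img[km:km + key_bytes * stripes] = os.urandom(key_bytes * stripes)
    if damage:  # simulate a foreign write landing inside keyslot 0
        img[km + 8192:km + 12288] = b"constructed metadata block".ljust(4096, b"\x00")
    return bytes(img)
```

A "random-looking" verdict only says nothing obviously overwrote the area; it cannot prove the keyslot is intact, which is why the header backup matters.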