Tried the repair function of the newest cryptsetup from Fedora live.
Worked like a charm!
LUKS header repaired and recovered!
Super!
Thanks,
JB
On 11/17/2014 10:34 PM, Jan Rhebergen wrote:
In my (feeble) effort to construct an obstacle for the proverbial
"evil maid" I messed up my system causing a
LUKS keyslot 5 is invalid
error.
My system is a recent Ubuntu installation with full disk encryption
(except for the boot partition of course). In my attempt to thwart
potential "evil maids" I decided to move the boot filesystem and
bootloader to a USB thumbdrive.
After I deleted the boot partition from the laptop hard-drive
partition table and after trying the USB thumbdrive (which worked) I
decided to reverse it again (can't remember why anymore).
To recover the correct place and size I decided to use testdisk (you'll
find out why later). This duly detected the original boot partition
boundaries. However it did not correctly detect the LUKS partition
(which I did not notice at the time). It detected a partition of 2MB
instead. So I (regretfully) accepted the found partitions and ended up
with a correct boot partition but with a much too small LUKS
device/partition which was not numbered /dev/sda5 but
/dev/sda2. Needless to say opening it upon boot did not work.
Disk /dev/sda: 256 GB, 256052966400 bytes
255 heads, 63 sectors/track, 31130 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          32      257008   83  Linux
Warning: Partition 1 does not end on cylinder boundary.
/dev/sda2              32          32           0   83  Linux
Warning: Partition 2 does not end on cylinder boundary.
Command (m for help):
I had backed up the first 512 bytes of the drive and the text output
of fdisk. Only trouble was that I had backed it up on the partition
that I was trying to reach! (kicking myself here). In my defence I
have to say I was tired and it was already late evening. This was the
(lazy) reason for using testdisk.
At this stage I did what is explicitly stated in the FAQ not to
do... I panicked!
I used cfdisk to resize the too small LUKS partition to fill the rest
of the disk (as it should). This worked fine and I was able to open
the LUKS device (yeah!) Although I could activate the volume group and
see/detect the logical volumes on it (lvscan/lvdisplay) I could not
mount them (don't remember the error).
At this stage I should have used dd to make a complete image of the
partition hard drive. Plus I should have made a backup of the LUKS
header (probably would have worked). I just didn't think straight I
guess from sheer panic.
Not being able to mount the logical volumes on the LUKS partition I
figured it must have something to do with the fact that the LUKS
partition was on /dev/sda2 instead of /dev/sda5. So I thought I'd be
smart and did the following. I created a small temporary (buffer)
partition replacing the empty unallocated space between the boot
partition and the LUKS partition. I subsequently deleted the LUKS
partition, created an extended partition and a new logical partition
spanning the whole drive. Finally deleting the small buffer
partition. So I ended up with what I thought should be the original
partition table. Tried booting and opening it... alas to no avail. I
suspect that creating this small buffer partition in the 1.05MB
'empty' space caused the trouble and in fact wrote over a few bytes of
the LUKS partition.
So finally I started to do the smart thing although probably too late
and copy the entire drive image over to another drive.
I was able to locate the start of the LUKS partition:
root@goofy:~# hexdump -C /dev/sda | grep LUKS
08073590  73 73 20 64 65 6e 69 65  64 00 4c 55 4b 53 ba be  |ss denied.LUKS..|
08844d90  73 73 20 64 65 6e 69 65  64 00 4c 55 4b 53 ba be  |ss denied.LUKS..|
08e3c190  73 73 20 64 65 6e 69 65  64 00 4c 55 4b 53 ba be  |ss denied.LUKS..|
0f500000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
I mounted the image file (not /dev/sda) at the appropriate offset and
tried to open it.
losetup -o 0xf500000 -r -f sda.img
cryptsetup luksOpen /dev/loop0 mycrypt
LUKS keyslot 5 is invalid
Now it so happens I don't use this slot but only the default one. So
is there any hope for recovery? If so how do I go about it (now that I
have calmed down).
Any help and advice naturally much appreciated.
regards,
JB
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
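
Added example, not part of the original thread and not cryptsetup's code: a Python sketch of the header search and keyslot check described in the message above. It skips unaligned magic strings like the first three hexdump hits and reports which LUKS1 keyslot looks damaged. The sample image, its field values and the sanity checks are constructed for illustration and are assumptions, not cryptsetup's own validation logic.

```python
import struct

MAGIC = b"LUKS\xba\xbe"
ENABLED, DISABLED = 0x00AC71F3, 0x0000DEAD          # LUKS1 keyslot states
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")    # 208-byte fixed part, big-endian
SLOT = struct.Struct(">II32sII")                     # 48 bytes each, 8 slots follow

def find_headers(img, sector=512):
    """Sector-aligned offsets that carry the magic followed by version 1."""
    hits, pos = [], img.find(MAGIC)
    while pos != -1:
        if pos % sector == 0 and img[pos + 6:pos + 8] == b"\x00\x01":
            hits.append(pos)
        pos = img.find(MAGIC, pos + 1)
    return hits

def bad_keyslots(img, off, sector=512):
    """Map slot number -> reason, for slots failing layout sanity checks."""
    payload, key_bytes = PHDR.unpack_from(img, off)[5:7]
    base = off + PHDR.size
    bad = {}
    for i in range(8):
        active, _, _, km_off, stripes = SLOT.unpack_from(img, base + i * SLOT.size)
        km_sectors = -(-key_bytes * stripes // sector)   # ceiling division
        if active not in (ENABLED, DISABLED):
            bad[i] = "unknown active flag 0x%08x" % active
        elif km_off * sector < PHDR.size + 8 * SLOT.size:
            bad[i] = "key material overlaps header"
        elif km_off + km_sectors > payload:
            bad[i] = "key material runs past payload offset"
    return bad

def sample_image():
    """Constructed image: a decoy string, then a header with slot 5 clobbered."""
    hdr = PHDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 32,
                    bytes(20), bytes(32), 1000, b"constructed-uuid")
    slots = [SLOT.pack(ENABLED if i == 0 else DISABLED, 1000, bytes(32),
                       8 + 256 * i, 4000) for i in range(8)]
    slots[5] = b"\xff" * SLOT.size                    # simulated stray write
    img = bytearray(0x3000)
    img[0x190:0x190 + 16] = b"ss denied\x00" + MAGIC  # decoy, unaligned magic
    img[0x2000:0x2000 + 592] = hdr + b"".join(slots)
    return bytes(img)

if __name__ == "__main__":
    img = sample_image()
    for off in find_headers(img):
        print(hex(off), bad_keyslots(img, off))
```

Run it against a read-only copy of the disk image rather than the live device, as the message does with sda.img.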