From: "Willie" <tumbleweed@fastmail.net>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] How to gather LUKS parameters from active device (if LUKS header lost)
Date: Mon, 02 Aug 2010 10:33:26 -0700
Message-ID: <1280770406.18055.1387939849@webmail.messagingengine.com>
In-Reply-To: <4C56CB65.1060804@redhat.com>


On Mon, 02 Aug 2010 15:43 +0200, "Milan Broz" <mbroz@redhat.com> wrote:
> 
> 
> On 08/02/2010 11:58 AM, Milan Broz wrote:
> > If you see dm-crypt mapping there mapped to proper drive, you can still recreate
> > LUKS header with some magic.
> 
> Well, here is the idea how to reconstruct LUKS header from active mapping
> if header is lost but mapping is still active.
> (Note: if device is not active, recovery is impossible).
> 
> - it will change LUKS UUID!
> - no passphrase needed, it asks for new one (root access required of course)
> - cryptsetup 1.1.x required.
> 
> Do not save master key file (second param) to unencrypted filesystem!
> 
> I'll add something similar to cryptsetup distro into DOC install,
> for now take this as an idea - see attached script (it will not touch
> device, only saves master key to file and prints required parameters
> for cryptsetup).
> 
> BEWARE: NO GUARANTEES AT ALL. NOT PROPERLY TESTED.
> 
> Example:
>   If you have mapped device named "luks_sdb", script will produce this:
> 
>   # <script> luks_sdb /mnt/safedisk/sdb_master_key
> 
>   Generating master key to file /mnt/safedisk/sdb_master_key.
>   You can now try to reformat LUKS device using:
>   cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 --align-payload=2056 --master-key-file=/mnt/safedisk/sdb_master_key /dev/sdb
> 
> Milan
> 
> [---cut here---]
> #!/bin/bash
>
> # Try to get LUKS info and master key from active mapping and prepare parameters for cryptsetup
> # (C) 2010 Milan Broz <asi@ucw.cz>
>
> # Print a message (expanding \n) and exit with an error.
> fail() { echo -e "$1" ; exit 1 ; }
> # Field N of the crypt table line; with --showkeys, field 5 is the real key in hex.
> field() { echo $(dmsetup table --target crypt --showkeys "$DEVICE" | cut -d' ' -f"$1") ; }
> # First word of the value that "cryptsetup status" reports for the given label.
> field_cryptsetup() { echo $(cryptsetup status "$DEVICE" | grep "$1" | sed "s/.*$1:\s*//;s/\ .*//") ; }
>
> command -v xxd >/dev/null || fail "You need xxd (part of vim package) installed to convert key."
>
> [ -z "$2" ] && fail "LUKS header from active mapping, use:\n $0 crypt_mapped_device mk_file_name"
>
> DEVICE=$1
> MK_FILE=$2
>
> [ -z "$(field 4)" ] && fail "Mapping $1 not active or it is not crypt target."
>
> CIPHER=$(field_cryptsetup cipher)
> OFFSET=$(field_cryptsetup offset)
> REAL_DEVICE=$(field_cryptsetup device)
> KEY_SIZE=$(field_cryptsetup keysize)
> KEY=$(field 5)
>
> # Test for empty values first so the numeric comparison never sees an empty OFFSET.
> if [ -z "$CIPHER" ] || [ -z "$OFFSET" ] || [ -z "$KEY" ] || [ "$OFFSET" -le 383 ]; then
>     fail "Incompatible device, sorry."
> fi
>
> echo "Generating master key to file $MK_FILE."
> # The file holds the raw master key: create it readable by the owner only.
> umask 077
> echo -E -n "$KEY" | xxd -r -p >"$MK_FILE"
>
> echo "You can now try to reformat LUKS device using:"
> echo "  cryptsetup luksFormat -c $CIPHER -s $KEY_SIZE --align-payload=$OFFSET --master-key-file=$MK_FILE $REAL_DEVICE"
> 


It gets worse and worse: I go to work, come back and my woman has turned
off the computer. Whatever I was seeing earlier today is no longer there
- just the iso image I wrote to the disk.

I think I'm stuffed, but very very grateful for the helpful replies
here.



-- 
http://www.fastmail.fm - Faster than the air-speed velocity of an
                          unladen european swallow
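
An added example, not part of this thread or of the quoted script: a check that the values read from an active mapping are consistent before they are handed to `cryptsetup luksFormat --master-key-file`. The function name `check_mapping` and all sample lines are constructed for illustration; the key shown is a made-up value.

```bash
#!/bin/bash
# Added example: sanity-check values read from an active dm-crypt mapping
# before passing them to "cryptsetup luksFormat --master-key-file".
# Usage: check_mapping "<dmsetup table --showkeys line>" <keysize-bits>
check_mapping() {
    local line keysize start len target cipher key iv_offset dev offset
    line=$1; keysize=$2
    # Table line layout: start length crypt cipher key iv_offset device offset
    read -r start len target cipher key iv_offset dev offset <<EOF
$line
EOF
    [ "$target" = "crypt" ] || { echo "not a crypt target"; return 1; }
    [ -n "$key" ] && [ -n "$offset" ] || { echo "missing field"; return 1; }
    case $key in
        *[!0-9a-fA-F]*) echo "key is not hex"; return 1 ;;
    esac
    # Without --showkeys, dmsetup prints zeros in place of the key.
    case $key in
        *[!0]*) ;;
        *) echo "key is all zeros, was --showkeys used?"; return 1 ;;
    esac
    # One hex digit is 4 bits; the total must equal the reported key size.
    [ $(( ${#key} * 4 )) -eq "$keysize" ] ||
        { echo "key length does not match keysize"; return 1; }
    case $offset in
        *[!0-9]*) echo "offset is not numeric"; return 1 ;;
    esac
    # Same threshold as the quoted script: offsets of 383 or less are rejected.
    [ "$offset" -gt 383 ] || { echo "offset too small"; return 1; }
    echo "ok cipher=$cipher keysize=$keysize offset=$offset"
}

# Constructed sample lines; the key is a made-up value, not a real one.
HEXKEY=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
ZEROS=0000000000000000000000000000000000000000000000000000000000000000
SAMPLE_OK="0 417792 crypt aes-cbc-essiv:sha256 $HEXKEY 0 8:16 2056"
SAMPLE_NOKEYS="0 417792 crypt aes-cbc-essiv:sha256 $ZEROS 0 8:16 2056"
SAMPLE_PLAIN="0 417792 crypt aes-cbc-essiv:sha256 $HEXKEY 0 8:16 0"

check_mapping "$SAMPLE_OK" 256
check_mapping "$SAMPLE_NOKEYS" 256 || true
check_mapping "$SAMPLE_PLAIN" 256 || true
```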
