From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <tumbleweed@fastmail.net>
Received: from out1.smtp.messagingengine.com (out1.smtp.messagingengine.com
	[66.111.4.25])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.saout.de (Postfix) with ESMTPS
	for <dm-crypt@saout.de>; Mon,  2 Aug 2010 19:34:06 +0200 (CEST)
Received: from compute2.internal (compute2.internal [10.202.2.42])
	by gateway1.messagingengine.com (Postfix) with ESMTP id 1BF9718BA85
	for <dm-crypt@saout.de>; Mon,  2 Aug 2010 13:33:30 -0400 (EDT)
Message-Id: <1280770406.18055.1387939849@webmail.messagingengine.com>
From: "Willie" <tumbleweed@fastmail.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
References: <1280697096.16046.1387795841@webmail.messagingengine.com><20100801230113.GA14693@tansi.org><1280704838.643.1387808231@webmail.messagingengine.com>
	<20100802002730.GA15890@tansi.org>
	<1280738327.12803.1387859489@webmail.messagingengine.com><4C5696E2.1000509@redhat.com>
	<4C56CB65.1060804@redhat.com>
In-Reply-To: <4C56CB65.1060804@redhat.com>
Date: Mon, 02 Aug 2010 10:33:26 -0700
Subject: Re: [dm-crypt] How to gather LUKS parameters from active device (if
 LUKS header lost)
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
	<mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
	<mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de


On Mon, 02 Aug 2010 15:43 +0200, "Milan Broz" <mbroz@redhat.com> wrote:
> 
> 
> On 08/02/2010 11:58 AM, Milan Broz wrote:
> > If you see dm-crypt mapping there mapped to proper drive, you can still recreate
> > LUKS header with some some magic.
> 
> Well, here is the idea how to reconstruct LUKS header from active mapping
> if header is lost but mapping is still active.
> (Note: if device is not active, recovery is impossible).
> 
> - it will change LUKS UUID!
> - no passphrase needed, it asks for new one (root access required of
> course)
> - cryptsetup 1.1.x required.
> 
> Do not save master key file (second param) to unencrypted filesystem!
> 
> I'll add something similar to cryptsetup distro into DOC install,
> for now take this as an idea - see attached script (it will not touch
> device,
> only saves master key to file and print required parameters for
> cryptsetup).
> 
> BEWARE: NO GUARANTEES AT ALL. NOT PROPERLY TESTED.
> 
> Example:
>   If you have mapped device named "luks_sdb", script will produce this:
> 
>   # <script> luks_sdb /mnt/safedisk/sdb_master_key
> 
>   Generating master key to file /mnt/safedisk/sdb_master_key.
>   You can now try to reformat LUKS device using:
>   cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256
>   --align-payload=2056 --master-key-file=/mnt/safedisk/sdb_master_key
>   /dev/sdb
> 
> Milan
> 
> [---cut here---]
> #!/bin/bash
> 
> # Try to get LUKS info and master key from active mapping and prepare
> parameters for cryptsetup"
> # (C) 2010 Milan Broz <asi@ucw.cz>
> 
> 
> fail() { echo -e $1 ; exit 1 ; }
> field() { echo $(dmsetup table --target crypt --showkeys $DEVICE | cut
> -d' ' -f$1) ; }
> field_cryptsetup() { echo $(cryptsetup status $DEVICE | grep $1 | sed
> "s/.*$1:\s*//;s/\ .*//") ; }
> 
> which xxd >/dev/null || fail "You need xxd (part of vim package)
> installed to convert key."
> 
> [ -z "$2" ] && fail "LUKS header from active mapping, use:\n $0
> crypt_mapped_device mk_file_name";
> 
> DEVICE=$1
> MK_FILE=$2
> 
> [ -z "$(field 4)" ] && fail "Mapping $1 not active or it is not crypt
> target."
> 
> CIPHER=$(field_cryptsetup cipher)
> OFFSET=$(field_cryptsetup offset)
> REAL_DEVICE=$(field_cryptsetup device)
> KEY_SIZE=$(field_cryptsetup keysize)
> KEY=$(field 5)
> 
> [ -z "$CIPHER" -o -z "$OFFSET" -o "$OFFSET" -le 383 -o -z "$KEY" ] &&
> fail "Incompatible device, sorry."
> 
> echo "Generating master key to file $MK_FILE."
> echo -E -n $KEY| xxd -r -p >$MK_FILE
> 
> echo "You can now try to reformat LUKS device using:"
> echo "  cryptsetup luksFormat -c $CIPHER -s $KEY_SIZE
> --align-payload=$OFFSET --master-key-file=$MK_FILE $REAL_DEVICE"
> 


It gets worse and worse: I go to work, come back and my woman has turned
off the computer. Whatever I was seeing earlier today is no longer there
- just the iso image I wrote to the disk.

I think I'm stuffed, but very very grateful for the helpful replies
here.



-- 
http://www.fastmail.fm - Faster than the air-speed velocity of an
                          unladen european swallow