* [dm-crypt] LUKS password forgoten, any way how to change it?
@ 2010-03-06 0:12 Marek Stopka
2010-03-06 12:16 ` Gilles PIETRI
` (2 more replies)
0 siblings, 3 replies; 11+ messages in thread
From: Marek Stopka @ 2010-03-06 0:12 UTC (permalink / raw)
To: dm-crypt
Hi guys, I have forgotten password to my luks encrypted disk, I have
lost no data (yet :) ), because system is still running with unlocked
device, but problem is, that I have a scheduled hardware maintenance
window quite soon, so I was wondering is it somehow easily possible to
luksAddKey without knowing a password or recover password from memory
or it will be much more easier to copy those data somewhere else and
create a new encrypted disk? It is like 12TB of data so I would really
prefer not to copy those data somewhere else, but if I will have to, I
can pull that off...
But I am wondering since key need to be in a memory somewhere there
could be a way... :)
--
S pozdravem / Best regards
Marek Stopka
Kontakty / Contacts
Mobil/Cell phone: +420 608 149 955
E-mail: mstopka@opensuse.org
WEB: www.m4r3k.org
* Re: [dm-crypt] LUKS password forgoten, any way how to change it?
2010-03-06 0:12 [dm-crypt] LUKS password forgoten, any way how to change it? Marek Stopka
@ 2010-03-06 12:16 ` Gilles PIETRI
2010-03-06 15:39 ` Marek Stopka
2010-03-06 14:58 ` Heinz Diehl
2010-03-06 18:57 ` Milan Broz
2 siblings, 1 reply; 11+ messages in thread
From: Gilles PIETRI @ 2010-03-06 12:16 UTC (permalink / raw)
To: Marek Stopka, dm-crypt
Le 06/03/2010 01:12, Marek Stopka a écrit :
> Hi guys, I have forgotten password to my luks encrypted disk, I have
> lost no data (yet :) ), because system is still running with unlocked
> device, but problem is, that I have a scheduled hardware maintenance
> window quite soon, so I was wondering is it somehow easily possible to
> luksAddKey without knowing a password or recover password from memory
> or it will be much more easier to copy those data somewhere else and
> create a new encrypted disk? It is like 12TB of data so I would really
> prefer not to copy those data somewhere else, but if I will have to, I
> can pull that off...
>
> But I am wondering since key need to be in a memory somewhere there
> could be a way... :)
>
You could probably launch a "hot cold boot attack" then.. I have no idea
if luks/dmcrypt allows you to do it, but you could use that kind of
tools: http://citp.princeton.edu/memory/code/ that were made to look for
the key in RAM after a "cold boot".
I guess the code or the idea behind it will work even better on an alive
system! Yet, maybe there is a simple way to do so using the standard tools..
Good luck,
Gilou
* Re: [dm-crypt] LUKS password forgoten, any way how to change it?
2010-03-06 0:12 [dm-crypt] LUKS password forgoten, any way how to change it? Marek Stopka
2010-03-06 12:16 ` Gilles PIETRI
@ 2010-03-06 14:58 ` Heinz Diehl
2010-03-06 18:57 ` Milan Broz
2 siblings, 0 replies; 11+ messages in thread
From: Heinz Diehl @ 2010-03-06 14:58 UTC (permalink / raw)
To: dm-crypt
On 06.03.2010, Marek Stopka wrote:
> Hi guys, I have forgotten password to my luks encrypted disk, I have
> lost no data (yet :) ), because system is still running with unlocked
> device, but problem is, that I have a scheduled hardware maintenance
> window quite soon, so I was wondering is it somehow easily possible to
> luksAddKey without knowing a password or recover password from memory
No way. Do a complete backup of your existing data now, and you'll be able to
recover your encrypted partition after a reformatting later.
> or it will be much more easier to copy those data somewhere else and
> create a new encrypted disk? It is like 12TB of data so I would really
> prefer not to copy those data somewhere else, but if I will have to, I
> can pull that off...
Without the correct passphrase, and without any hackish memory manipulation
and similar, the only way is to copy your data to a safe place and to
recreate your encrypted device later. To unlock/decrypt the master key,
you have to provide the correct passphrase first.
> But I am wondering since key need to be in a memory somewhere there
> could be a way... :)
You can read here how it works:
http://cryptsetup.googlecode.com/svn-history/r42/wiki/LUKS-standard/on-disk-format.pdf
* Re: [dm-crypt] LUKS password forgoten, any way how to change it?
2010-03-06 12:16 ` Gilles PIETRI
@ 2010-03-06 15:39 ` Marek Stopka
2010-03-06 17:52 ` Bryan Kadzban
0 siblings, 1 reply; 11+ messages in thread
From: Marek Stopka @ 2010-03-06 15:39 UTC (permalink / raw)
To: Gilles PIETRI; +Cc: dm-crypt
Hmm I have succeeded (probably) in getting master key from memory
(yeah! :) ) but it seems that there is no way how to tell cryptsetup
to use supplied key as a master key, damn. :-/
On Sat, Mar 6, 2010 at 2:16 PM, Gilles PIETRI <contact+dev@gilouweb.com> wrote:
> Le 06/03/2010 01:12, Marek Stopka a écrit :
>>
>> Hi guys, I have forgotten password to my luks encrypted disk, I have
>> lost no data (yet :) ), because system is still running with unlocked
>> device, but problem is, that I have a scheduled hardware maintenance
>> window quite soon, so I was wondering is it somehow easily possible to
>> luksAddKey without knowing a password or recover password from memory
>> or it will be much more easier to copy those data somewhere else and
>> create a new encrypted disk? It is like 12TB of data so I would really
>> prefer not to copy those data somewhere else, but if I will have to, I
>> can pull that off...
>>
>> But I am wondering since key need to be in a memory somewhere there
>> could be a way... :)
>>
>
> You could probably launch a "hot cold boot attack" then.. I have no idea if
> luks/dmcrypt allows you to do it, but you could use that kind of tools:
> http://citp.princeton.edu/memory/code/ that were made to look for the key in
> RAM after a "cold boot".
>
> I guess the code or the idea behind it will work even better on an alive
> system! Yet, maybe there is a simple way to do so using the standard tools..
>
> Good luck,
> Gilou
>
* Re: [dm-crypt] LUKS password forgoten, any way how to change it?
2010-03-06 15:39 ` Marek Stopka
@ 2010-03-06 17:52 ` Bryan Kadzban
0 siblings, 0 replies; 11+ messages in thread
From: Bryan Kadzban @ 2010-03-06 17:52 UTC (permalink / raw)
To: Marek Stopka; +Cc: dm-crypt, Gilles PIETRI
Marek Stopka wrote:
> Hmm I have succeeded (probably) in getting master key from memory
> (yeah! :) ) but it seems that there is no way how to tell cryptsetup
> to use supplied key as a master key, damn. :-/
cryptsetup 1.1.0 has a (new) --master-key-file argument. Not sure if it
will accept the format of the file holding your master key, or if it
will support your current setup (though for LUKS I think the latter is
likely, and for the former, I bet you can find out from the source).
But I think you can test it, too: you should be able to decrypt the
underlying device (read-only) into a second /dev/mapper/ device file, as
a test. Then do a "/lib/udev/vol_id --export", or an "/sbin/blkid -o
udev -p", on the new /dev/mapper/ device, to ensure that it's recognized
as having the proper filesystem magic bytes, to be sure the decryption
worked correctly.
* Re: [dm-crypt] LUKS password forgoten, any way how to change it?
2010-03-06 0:12 [dm-crypt] LUKS password forgoten, any way how to change it? Marek Stopka
2010-03-06 12:16 ` Gilles PIETRI
2010-03-06 14:58 ` Heinz Diehl
@ 2010-03-06 18:57 ` Milan Broz
2010-03-06 20:18 ` Heinz Diehl
2 siblings, 1 reply; 11+ messages in thread
From: Milan Broz @ 2010-03-06 18:57 UTC (permalink / raw)
To: Marek Stopka; +Cc: dm-crypt
On 03/06/2010 01:12 AM, Marek Stopka wrote:
> Hi guys, I have forgotten password to my luks encrypted disk, I have
> lost no data (yet :) ), because system is still running with unlocked
> device, but problem is, that I have a scheduled hardware maintenance
> window quite soon, so I was wondering is it somehow easily possible to
> luksAddKey without knowing a password or recover password from memory
> or it will be much more easier to copy those data somewhere else and
> create a new encrypted disk? It is like 12TB of data so I would really
> prefer not to copy those data somewhere else, but if I will have to, I
> can pull that off...
>
> But I am wondering since key need to be in a memory somewhere there
> could be a way... :)
If the encrypted device is active and you are root...
dmsetup table --showkeys
recode master key from the table (from hexa) into binary and store to file
cryptsetup luksAddKey --master-key-file <file above>
(with cryptsetup 1.1.0)
Milan
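
Milan's three steps as a shell sketch, added here as an example and not part of his message: it pulls the key field out of the table line, rejects the zero mask or malformed hex, and writes the raw bytes to a file only root can read. `cryptdata`, `/dev/sdX` and `/dev/shm/mk.bin` are placeholder names.

```shell
#!/bin/sh
# Added example (not from the thread). Mapping and device names are placeholders.

# Print the key field of a dm-crypt table line read from stdin.
# Layout: [name:] <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>
crypt_key_hex() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "crypt") { print $(i + 2); exit } }'
}

# Emit the bytes encoded by a validated, even-length hex string.
hex_to_bin() {
    _rest=$1
    while [ -n "$_rest" ]; do
        _byte=${_rest%"${_rest#??}"}      # first two hex digits
        _rest=${_rest#??}
        printf "\\$(printf '%03o' "0x$_byte")"
    done
}

# Write the key to file $2 (mode 0600). Rejects non-hex or odd-length input and
# the all-zero placeholder that dmsetup prints when --showkeys is omitted.
write_master_key() {
    case $1 in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#1} % 2 )) -eq 0 ] || return 1
    case $1 in *[!0]*) ;; *) return 1 ;; esac
    ( umask 077 && hex_to_bin "$1" > "$2" )
}

# Usage as root while the mapping is still open:
#   key=$(dmsetup table --showkeys cryptdata | crypt_key_hex)
#   write_master_key "$key" /dev/shm/mk.bin
#   cryptsetup luksAddKey --master-key-file /dev/shm/mk.bin /dev/sdX
#   rm -f /dev/shm/mk.bin
```

Keeping the key file on a RAM-backed filesystem and deleting it right after `luksAddKey` avoids leaving a copy of the master key on persistent storage.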
* Re: [dm-crypt] LUKS password forgoten, any way how to change it?
2010-03-06 18:57 ` Milan Broz
@ 2010-03-06 20:18 ` Heinz Diehl
2010-03-06 20:41 ` Milan Broz
2010-03-06 21:01 ` Arno Wagner
0 siblings, 2 replies; 11+ messages in thread
From: Heinz Diehl @ 2010-03-06 20:18 UTC (permalink / raw)
To: dm-crypt
On 06.03.2010, Milan Broz wrote:
> dmsetup table --showkeys
The manpage of my "dmsetup" doesn't know about the --showkeys switch at all.
Nevertheless, it works. So how should one know... :-/
liesel:/home/htd # dmsetup --version
Library version: 1.02.31 (2009-03-03)
Driver version: 4.16.0
* Re: [dm-crypt] LUKS password forgoten, any way how to change it?
2010-03-06 20:18 ` Heinz Diehl
@ 2010-03-06 20:41 ` Milan Broz
2010-03-06 21:04 ` Arno Wagner
2010-03-06 21:01 ` Arno Wagner
1 sibling, 1 reply; 11+ messages in thread
From: Milan Broz @ 2010-03-06 20:41 UTC (permalink / raw)
To: dm-crypt
On 03/06/2010 09:18 PM, Heinz Diehl wrote:
> On 06.03.2010, Milan Broz wrote:
>
>> dmsetup table --showkeys
>
> The manpage of my "dmsetup" doesn't know about the --showkeys switch at all.
> Nevertheless, it works. So how should one know... :-/
Ah, it is not even in CVS. I'll fix this upstream. This option was added
later because "dmsetup table" output can be in various system reports
(like sosreport, lvmdump) and it would be really stupid to leak master
key this way:-)
Thanks for reporting this.
Milan
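
An added example (not part of the thread) of the leak Milan describes: a check to run over captured `dmsetup table` output in a system report before it leaves the machine, counting crypt lines that still carry a real key and rewriting them with the zero mask. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Report contents are supplied on stdin.

# Count crypt target lines whose key field is hex and not all zeros,
# i.e. lines captured with --showkeys or by a dmsetup that did not mask keys.
count_exposed_keys() {
    awk '{
        for (i = 1; i < NF - 1; i++)
            if ($i == "crypt" && $(i + 2) ~ /^[0-9a-fA-F]+$/) {
                if ($(i + 2) ~ /[^0]/) n++
                break
            }
    } END { print n + 0 }'
}

# Rewrite those lines with the key replaced by zeros of the same length,
# matching what "dmsetup table" prints by default. Other lines pass through.
redact_crypt_keys() {
    awk '{
        for (i = 1; i < NF - 1; i++)
            if ($i == "crypt" && $(i + 2) ~ /^[0-9a-fA-F]+$/) {
                gsub(/[^0]/, "0", $(i + 2))
                break
            }
        print
    }'
}

# Usage on a collected report file (the path is a placeholder):
#   count_exposed_keys < report/dmsetup_table
#   redact_crypt_keys < report/dmsetup_table > report/dmsetup_table.clean
```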
* Re: [dm-crypt] LUKS password forgoten, any way how to change it?
2010-03-06 20:18 ` Heinz Diehl
2010-03-06 20:41 ` Milan Broz
@ 2010-03-06 21:01 ` Arno Wagner
2010-03-06 22:07 ` Heinz Diehl
1 sibling, 1 reply; 11+ messages in thread
From: Arno Wagner @ 2010-03-06 21:01 UTC (permalink / raw)
To: dm-crypt
Seems there is some kind of pissing contest going on:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=245282
If dmsetup has some options then they belong into the man
page. Alternatively, there needs to be a good and easy to
see explanation why they are not there and links to the
relevant man-pages. I find neither. Pretty stupid.
I am filing a bug against the Debian package, the
documentation is clearly badly broken.
Arno
On Sat, Mar 06, 2010 at 09:18:02PM +0100, Heinz Diehl wrote:
> On 06.03.2010, Milan Broz wrote:
>
> > dmsetup table --showkeys
>
> The manpage of my "dmsetup" doesn't know about the --showkeys switch at all.
> Nevertheless, it works. So how should one know... :-/
>
> liesel:/home/htd # dmsetup --version
> Library version: 1.02.31 (2009-03-03)
> Driver version: 4.16.0
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
* Re: [dm-crypt] LUKS password forgoten, any way how to change it?
2010-03-06 20:41 ` Milan Broz
@ 2010-03-06 21:04 ` Arno Wagner
0 siblings, 0 replies; 11+ messages in thread
From: Arno Wagner @ 2010-03-06 21:04 UTC (permalink / raw)
To: dm-crypt
On Sat, Mar 06, 2010 at 09:41:07PM +0100, Milan Broz wrote:
> On 03/06/2010 09:18 PM, Heinz Diehl wrote:
> > On 06.03.2010, Milan Broz wrote:
> >
> >> dmsetup table --showkeys
> >
> > The manpage of my "dmsetup" doesn't know about the --showkeys switch at all.
> > Nevertheless, it works. So how should one know... :-/
>
> Ah, it is not even in CVS. I'll fix this upstream. This option was added
> later because "dmsetup table" output can be in various system reports
> (like sosreport, lvmdump) and it would be really stupid to leak master
> key this way:-)
>
> Thanks for reporting this.
> Milan
Ah, ok. If the Debian folks relay a bug report, just ignore it
then, that would be mine.
Arno
* Re: [dm-crypt] LUKS password forgoten, any way how to change it?
2010-03-06 21:01 ` Arno Wagner
@ 2010-03-06 22:07 ` Heinz Diehl
0 siblings, 0 replies; 11+ messages in thread
From: Heinz Diehl @ 2010-03-06 22:07 UTC (permalink / raw)
To: dm-crypt
On 06.03.2010, Arno Wagner wrote:
> If dmsetup has some options then they belong into the man
> page.
Ack.
> I am filing a bug against the Debian package, the
> documentation is clearly badly broken.
I'm on a (heavily modified) opensuse 11.1, and the dmsetup documentation
here lacks a few things, too.