From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] valid passphrase not accepted
Date: Wed, 27 Oct 2010 18:16:59 +0200
Message-ID: <20101027161659.GA23407@tansi.org>
In-Reply-To: <AANLkTimFXw1C1mt0vO2Me_qWS8dd+mPe2Y6dmN2S8-uw@mail.gmail.com>

I think this will not help and is not the way to do it.
The FAQ already addresses all these questions and it is
part of the cryptsetup packages. Those that read documentation
will be sufficiently warned. The others will ignore a warning
that cryptsetup gives them as well.

The second problem is that a LUKS header backup is a security
risk, so we cannot recommend it in general. And we cannot
recommend it conditionally without going into more detail
(as the FAQ, again, does on this question).

Anyways, the people hit are those without data backup.
They can just as easily be hit by a dead disk or other
data-loss scenario. We cannot solve that for them.

There are also quite a few people that do not understand
how their header got corrupted and they all need specific help.

Arno

On Wed, Oct 27, 2010 at 06:07:04PM +0200, Rick Moritz wrote:
> Considering the amount of traffic on the list regarding issues like this,
> maybe future versions of dm-crypt should issue an annoying warning when
> creating LUKS-format mapped devices, about how a backup of the header is
> STRONGLY recommended, with data loss due to accidental overwriting of the
> header being the number one reason for data loss.
> Possibly even with explicit instructions on how to perform a backup, so that
> users can simply copy and paste the command-line and adjust their device
> names.
> Adding a flag to turn the warning off for unattended set-ups (or whatever
> reason) should make this have minimum negative impact.
> (I haven't used LUKS yet, so I can't verify whether something like this is
> implemented already -- if it is, excuse the redundancy...)
>
> Best of luck to the OP....
>
> On Wed, Oct 27, 2010 at 5:56 PM, Arno Wagner <arno@wagner.name> wrote:
>
> > I am currently assisting the OP offline. Seems the LUKS
> > header was overwritten in some fashion.
> >
> > Arno
> >
> > On Wed, Oct 27, 2010 at 04:39:23PM +0200, Heinz Diehl wrote:
> > > On 27.10.2010, ts0@dotlike.net wrote:
> > >
> > > > after rebooting i wasn't able to unlock the luks-partition.
> > > > the luks header is there. the kernel configuration hasn't changed
> > > > (all ciphers are integrated). the passphrase is valid but not
> > > > accepted.
> > >
> > > A shot in the dark: do you use the same keymapping when you're entering
> > > the passphrase as you did while LUKS-formatting the drive?
> > >
> > > _______________________________________________
> > > dm-crypt mailing list
> > > dm-crypt@saout.de
> > > http://www.saout.de/mailman/listinfo/dm-crypt
> > >
> >
> > --
> > Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
> > arno@wagner.name
> > GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25
> > 338F
> > ----
> > Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
> >
> > If it's in the news, don't worry about it. The very definition of
> > "news" is "something that hardly ever happens." -- Bruce Schneier
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
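
Added example (not part of the original message, and not cryptsetup code): the symptom in this thread, a LUKS header that "is there" while a valid passphrase is rejected, is what a partly overwritten key-slot area looks like. The Python below parses the LUKS1 on-disk header and flags active key slots whose key material no longer looks random; the constructed sample image, the 7.0 bits/byte threshold and all function names are assumptions made for this illustration.

```python
import hashlib
import math
import struct
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE = 0x00AC71F3                            # LUKS1 "key slot enabled" marker
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")   # 208 bytes, big-endian
SLOT = struct.Struct(">II32sII")                    # 48 bytes each, 8 slots follow PHDR
SECTOR = 512

def entropy(buf):
    """Shannon entropy in bits per byte; random key material is close to 8."""
    counts = Counter(buf)
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts.values())

def check_luks1(image, min_entropy=7.0):
    """Return a list of findings for the start of a LUKS1 device (bytes)."""
    if image[:6] != LUKS_MAGIC:
        return ["no LUKS magic at offset 0: start of header overwritten"]
    if len(image) < PHDR.size + 8 * SLOT.size:
        return ["image shorter than the 592-byte LUKS1 header"]
    fields = PHDR.unpack_from(image, 0)
    version, key_bytes = fields[1], fields[6]
    if version != 1:
        return [f"version {version}: not a LUKS1 header"]
    findings = []
    for n in range(8):
        active, _, _, km_off, stripes = SLOT.unpack_from(image, PHDR.size + n * SLOT.size)
        if active != SLOT_ACTIVE:
            continue                                # unused slots hold no key material
        start = km_off * SECTOR
        area = image[start:start + key_bytes * stripes]
        for i in range(0, len(area) - SECTOR + 1, SECTOR):   # whole sectors only
            if entropy(area[i:i + SECTOR]) < min_entropy:
                findings.append(f"slot {n}: low-entropy sector at byte {start + i}")
                break
    return findings

def sample_image():
    """Constructed LUKS1 image: slot 0 active, pseudo-random key material."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4096, 32,
                    bytes(20), bytes(32), 1000, b"constructed-uuid")
    slots = SLOT.pack(SLOT_ACTIVE, 1000, bytes(32), 8, 4000) + bytes(7 * SLOT.size)
    km = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(4000))
    return (hdr + slots).ljust(8 * SECTOR, b"\0") + km

if __name__ == "__main__":
    print(check_luks1(sample_image()))
```

An overwrite with compressed or encrypted data keeps the entropy high and is not caught by this heuristic. Run it on a read-only copy of the start of the device, and treat that copy like a header backup, since it contains the key slots.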