From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] LUKS Header and partition dimension
Date: Mon, 28 Mar 2011 17:01:09 +0200
Message-ID: <20110328150109.GA15468@tansi.org>
In-Reply-To: <AANLkTing5qyzX5kNPxonp_05vjzEDeX4U_298LwxXvQs@mail.gmail.com>

On Mon, Mar 28, 2011 at 10:41:52AM +0000, Claudio Moretti wrote:
> Hi all,
> a few days ago my MBR was changed (I don't know how) and my extended
> partition which contained three LUKS partitions (root, home and swap)
> disappeared.

Bad. Very bad. Should not happen in a healthy system, unless
you were doing something dangerous and messed up. May also
be caused by badly written malware.

> I testdisk-ed my disk and it found the beginning of those three partitions,
> but was unable to determine the size.

LUKS only needs the start, size is irrelevant for LUKS.
To find the start, you can look for the magic string
'L','U','K','S', 0xBA, 0xBE, which marks the beginning
of the LUKS metadata Header. End is completely irrelevant
to LUKS, so if you just want a trial unlock (but not mount
of the partition), you can just set any partition size > 10MB 
or so. You can also copy these 10MB to file and trial-unlock
using a loop device (See "How do I use LUKS with a loop-device?"
in Section 2 of the FAQ)

> I tried setting a larger size for the first partition, but when I tried to
> decrypt it, cryptsetup reported "No key available with this passphrase".
> I am positive that I'm trying with the right password on the right
> partition; I discovered that anti-forensic information is stored on the
> entire LUKS partition, 

No, it is not. It is directly after the metadata-header and
before the data area. See 
http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions,
Section "6. Backup and Data Recovery", entry "What does the 
on-disk structure of LUKS look like?".

> so I tried setting the end of the partition at one
> sector less than the start of the next one, but I was unable to decrypt the
> disk.
> I wrote a script which is trying to reduce the partition dimension one
> sector at a time and that will stop if cryptsetup succeeds.
> My question is: if the partition size changes, does cryptsetup stop
> unlocking the disk? (maybe because of a partition-size hash, or something
> that prevents unlocking a disk/partition if its size is not exactly the one
> that was created)
> If the partition size has no relation with the disk unlocking, does it mean
> that somehow my LUKS header is corrupted (and therefore I'll be unable to
> unlock the disk, because I was so stupid I didn't backup the header)?

Your header and/or keyslot areas were damaged. This is a killer,
meaning there likely is no way you can get your data back.

Also see FAQ entry
"What happens if I overwrite the start of a LUKS partition or damage 
the LUKS header or key-slots?"

I completely agree with Milan, very likely your data is irretrievable.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 
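
Added example, not part of the original message and not cryptsetup code: a read-only scan of a disk image for the magic string named in the reply, followed by a decode of the header fields and key-slot markers so that damage to the header or key-slot area becomes visible. The field offsets and the slot marker values are taken from the LUKS1 on-disk format specification, not from this thread; the function names and the sample image are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"          # 'L','U','K','S',0xBA,0xBE
SECTOR = 512
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
# LUKS1 header, big-endian: magic, version, cipher, mode, hash, payload offset, key bytes
PHDR = struct.Struct(">6sH32s32s32sII")
SLOT = struct.Struct(">II32sII")      # active, iterations, salt, key-material offset, stripes
SLOTS_AT, HDR_LEN = 208, 592          # eight 48-byte key slots follow the fixed fields

def find_luks_headers(image):
    """Byte offsets of every sector-aligned LUKS magic string in the image."""
    return [off for off in range(0, len(image) - HDR_LEN + 1, SECTOR)
            if image[off:off + 6] == LUKS_MAGIC]

def parse_header(image, off):
    """Decode the LUKS1 header at `off` and classify each key slot."""
    _, version, cipher, mode, _hash, payload, key_bytes = PHDR.unpack_from(image, off)
    slots = []
    for i in range(8):
        active, _it, _salt, km_off, stripes = SLOT.unpack_from(image, off + SLOTS_AT + i * SLOT.size)
        state = {SLOT_ENABLED: "enabled", SLOT_DISABLED: "disabled"}.get(active, "damaged")
        km_end = km_off + -(-key_bytes * stripes // SECTOR)   # sectors, rounded up
        slots.append({"slot": i, "state": state, "km_start": km_off,
                      "km_end": km_end, "before_payload": km_end <= payload})
    text = lambda b: b.rstrip(b"\0").decode("ascii", "replace")
    return {"version": version, "cipher": text(cipher), "mode": text(mode),
            "payload_sector": payload, "slots": slots}

def build_sample():
    """Constructed image: header at sector 3, slot 0 enabled, slot 1 marker clobbered."""
    hdr = bytearray(2 * SECTOR)
    PHDR.pack_into(hdr, 0, LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 2056, 32)
    for i in range(8):
        SLOT.pack_into(hdr, SLOTS_AT + i * SLOT.size,
                       SLOT_ENABLED if i == 0 else SLOT_DISABLED, 1000, bytes(32), 8 + i * 256, 4000)
    struct.pack_into(">I", hdr, SLOTS_AT + SLOT.size, 0x41414141)   # simulate an overwrite
    return bytes(3 * SECTOR) + bytes(hdr) + bytes(SECTOR)

if __name__ == "__main__":
    img = build_sample()
    for off in find_luks_headers(img):
        info = parse_header(img, off)
        print(f"header at byte {off} (sector {off // SECTOR}):", info["cipher"], info["mode"])
        for s in info["slots"]:
            print("  slot", s["slot"], s["state"], "key material sectors", s["km_start"], "-", s["km_end"])
```

An intact slot marker only shows that the 592-byte header survived; the key material between the header and the payload offset can still have been overwritten, which is the case the reply calls a killer.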

Thread overview: 5+ messages
2011-03-28 10:41 [dm-crypt] LUKS Header and partition dimension Claudio Moretti
2011-03-28 11:02 ` Milan Broz
2011-03-28 15:01 ` Arno Wagner [this message]
2011-03-29  9:56   ` Claudio Moretti
2011-03-29 13:43     ` Arno Wagner
