Date: Sat, 7 Jan 2012 13:48:16 +0100
From: Arno Wagner
Message-ID: <20120107124816.GC22097@tansi.org>
References: <37321234-b10d-4d2c-b47c-e2c25c1a2733@dynomob>
Subject: Re: [dm-crypt] HELP, luksFormat over existing container
To: dm-crypt@saout.de

On Sat, Jan 07, 2012 at 10:57:08AM -0000, Konstantin V. Gavrilenko wrote:
> Hello list,
>
> I have a problem :(
>
> by mistake, instead of luksOpen I executed luksFormat on the loop device
> with associated cryptofile. even though the key was the same, I have
> no backup of original luksHeader, so I assume I have no way of recovering
> the SALT.

And the master key is different in addition, at least in the
first key-slot that also has been overwritten.

> I am pretty much in Acceptance that it is not possible to
> recover anything, but would like to get an external confirmation, advice.

You are correct. Next step is to fix your set-up by adding
backup, see the FAQ.

> p.s. surprised and disappointed that cryptsetup does not issue a warning
> when running luksFormat over luks preformatted container :(

It gives you a very clear warning and asks for an uppercase
"YES" and asks for the passphrase two times. That _should_
be enough. There is only so much a tool can do to protect you.
The UNIX way is to warn you, but to assume you want to do what
you specified if you ignore the warning. There are a number
of ways to kill the header that give a lot less warning. Or
none at all.

Also the FAQ warns very, very clearly that you _need_ a backup
and should have a header backup. The backup is the second
line of defense and one of its major tasks is to protect
against user errors.

See it this way: Most people do not bother with backup until
they lose something important. The earlier you make that
experience, the better.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
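An added example, not part of the original message and not cryptsetup code: a Python sketch that detects an existing LUKS1 header before a format and shows which random header values differ after a second format. It assumes the LUKS1 on-disk layout (592-byte header, 8 key slots); the function names and both sample headers are constructed for illustration.

```python
import os
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # fixed LUKS1 fields, 208 bytes
SLOT = struct.Struct(">II32sII")                   # one of 8 key slots, 48 bytes
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def parse_luks1(buf):
    """Return the salts and UUID of a LUKS1 header, or None if there is none."""
    if len(buf) < PHDR.size + 8 * SLOT.size:
        return None
    f = PHDR.unpack_from(buf, 0)
    if f[0] != LUKS_MAGIC or f[1] != 1:
        return None
    slots = [SLOT.unpack_from(buf, PHDR.size + i * SLOT.size) for i in range(8)]
    return {
        "uuid": f[10].rstrip(b"\0").decode("ascii", "replace"),
        "mk_digest": f[7],
        "mk_salt": f[8],
        "slot_salts": {i: s[2] for i, s in enumerate(slots) if s[0] == SLOT_ENABLED},
    }

def has_luks1_header(buf):
    """Guard to call before formatting: True means a header would be overwritten."""
    return parse_luks1(buf) is not None

def lost_on_reformat(old, new):
    """Names of the old header's random values that the new header no longer holds."""
    a, b = parse_luks1(old), parse_luks1(new)
    lost = [k for k in ("mk_digest", "mk_salt") if a[k] != b[k]]
    lost += [f"slot{i}_salt" for i, s in a["slot_salts"].items()
             if b["slot_salts"].get(i) != s]
    return lost

def make_header(uuid):
    """Constructed sample header: slot 0 enabled, all random fields freshly drawn."""
    phdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4096, 32,
                     os.urandom(20), os.urandom(32), 1000, uuid.encode("ascii"))
    slots = SLOT.pack(SLOT_ENABLED, 1000, os.urandom(32), 8, 4000)
    for i in range(1, 8):
        slots += SLOT.pack(SLOT_DISABLED, 0, bytes(32), 8 + 256 * i, 4000)
    return phdr + slots

if __name__ == "__main__":
    before = make_header("00000000-0000-0000-0000-000000000001")
    after = make_header("00000000-0000-0000-0000-000000000002")
    print("existing header found:", has_luks1_header(before))
    print("lost after a second format:", lost_on_reformat(before, after))
```

The parsed values are only for comparison and detection; an actual header backup is taken with `cryptsetup luksHeaderBackup`.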