Re: [dm-crypt] Missing keyslot or broken header or still some hope?

From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Missing keyslot or broken header or still some hope?
Date: Sat, 5 Nov 2016 00:28:12 +0100	[thread overview]
Message-ID: <20161104232812.GB12763@tansi.org> (raw)
In-Reply-To: <trinity-8449ece6-dfcb-4215-a05f-5b9503f07117-1478288132697@3capp-webde-bap40>

Hi Mark,

On Fri, Nov 04, 2016 at 20:35:32 CET, zero.tonin@web.de wrote:
> Hi all, and hi Arno,
>

> first of all, sorry the html "emails" - I don't usually do this and
> usually use plain-text only myself.  The last mails were, however, in this
> emergency situation, sent from my phone, where I cannot change this
> behavior, unfortunately...

Understandable. No harm done.

> 
> After fighting a little bit with cryptsetup (i must have missed some
> information which packages are required to compile from source), I did get
> the keyslot checker to work.  Unfortunately, the output is obscure to me,
> so I home someone can help me interpret this.

It says your key-slots have no larger areas overwritten with other data.
That is by far the most common thing that happens. Not here, it seems.

> I suspected a hw issue and thus, at least, ran the vendor's diagnostic
> tools, but no issue could be found, including memory and HDD - would it
> more likely be something related to the disk itself (bad sectors, broken
> read-heads et cetera?)

No idea. Maybe bad buffer-memory on the disk or something like
it.

> Great idea to test the drive on a different machine - would a dd copy
> suffice for that, as I am afraid I do not posses the skills to take my
> laptop apart.  not as long as there might be hope to rescue stuff
> otherwise.  I would do this as a last resort, if the hw is broken o a
> degree anyway, of course.

In principle, yes, but if you have a problem with bit-errors on
reading or the like, then you would at least need to also 
do an md5sum or the like of copy and original to make
sure there are no errors. A single bit-error in a 
keyslot makes it unusable.

> Thanks again for your time and efforts, everybody,

No problem.

Regards,
Arno

> Mark
> 
> user@debian:~/.bin/cryptsetup/misc/keyslot_checker$ sudo ./chk_luks_keyslots -v /dev/sda5
> 
> parameters (commandline and LUKS header):
>   sector size: 512
>   threshold:   0.900000
> 
> - processing keyslot 0:  start: 0x001000   end: 0x03f800 
> - processing keyslot 1:  keyslot not in use
> - processing keyslot 2:  keyslot not in use
> - processing keyslot 3:  keyslot not in use
> - processing keyslot 4:  keyslot not in use
> - processing keyslot 5:  keyslot not in use
> - processing keyslot 6:  keyslot not in use
> - processing keyslot 7:  keyslot not in use
> 
> 
> > Gesendet: Freitag, 04. November 2016 um 11:32 Uhr
> > Von: "Arno Wagner" <arno@wagner.name>
> > An: dm-crypt@saout.de
> > Betreff: Re: [dm-crypt] Missing keyslot or broken header or still some hope?
> >
> > Hi,
> > 
> > first, please do not post HTML-'emails' to this list.
> > It cuts you off from most people here.
> > 
> > Second, from the 'acting up' I would deduce that you
> > have some kind of severe hardware problem. It may be that
> > this prevents the unlock. Can you try this disk in a 
> > different computer?
> > 
> > There is also the keyslot-checker in misc/keyslot_checker/
> > of the cryptsetup source distribution, that may tell
> > you more.
> > 
> > Regards,
> > Arno
> > 
> > 
> > On Thu, Nov 03, 2016 at 21:58:30 CET, Zero Tonin wrote:
> > >    Hi Michael,
> > > 
> > >    thank you very much for your response, I appreciate your time and
> > >    willingnes to help a stranger!
> > > 
> > > 
> > >     Below I will paste the output of --debug a well as, in case it
> > >    provides usefull information, the output of sfdisk -l for the
> > >    partitions on the drive.
> > > 
> > > 
> > >     Again, thank you ever so much, please do let me know if there is any
> > >    further detail or informaion I could provide to hopefulyl be bale  to
> > >    recover this.
> > > 
> > > 
> > >     Kind rgeards,
> > > 
> > >     Mark
> > > 
> > >    (I was unaware this mailing list is a "clear name" environemt, sorry
> > >    for the anonymity in my first mail)
> > > 
> > > 
> > > 
> > > 
> > >    user@debian:~$ sudo /sbin/sfdisk -l
> > > 
> > >    Disk /dev/sda: 77825 cylinders, 255 heads, 63 sectors/track
> > > 
> > >    sfdisk: Warning: extended partition does not start at a cylinder
> > >    boundary.
> > > 
> > >    DOS and Linux will interpret the contents differently.
> > > 
> > >    Units: cylinders of 8225280 bytes, blocks of 1024 bytes, counting from
> > >    0
> > > 
> > >       Device Boot Start     End   #cyls    #blocks   Id  System
> > > 
> > >    /dev/sda1   *      0+     31-     31-    248832   83  Linux
> > > 
> > >    /dev/sda2         31+  77825-  77795- 624880641    5  Extended
> > > 
> > >    /dev/sda3          0       -       0          0    0  Empty
> > > 
> > >    /dev/sda4          0       -       0          0    0  Empty
> > > 
> > >    /dev/sda5         31+  77825-  77795- 624880640   83  Linux
> > > 
> > >    user@debian:~$ sudo cryptsetup --debug luksOpen /dev/sda5 crypt1
> > > 
> > >    # cryptsetup 1.6.6 processing "cryptsetup --debug luksOpen /dev/sda5
> > >    crypt1"
> > > 
> > >    # Running command open.
> > > 
> > >    # Locking memory.
> > > 
> > >    # Installing SIGINT/SIGTERM handler.
> > > 
> > >    # Unblocking interruption on signal.
> > > 
> > >    # Allocating crypt device /dev/sda5 context.
> > > 
> > >    # Trying to open and read device /dev/sda5.
> > > 
> > >    # Initialising device-mapper backend library.
> > > 
> > >    # Trying to load LUKS1 crypt type from device /dev/sda5.
> > > 
> > >    # Crypto backend (gcrypt 1.6.3) initialized.
> > > 
> > >    # Detected kernel Linux 3.16.0-4-amd64 x86_64.
> > > 
> > >    # Reading LUKS header of size 1024 from device /dev/sda5
> > > 
> > >    # Key length 64, device size 1249761280 sectors, header size 4036
> > >    sectors.
> > > 
> > >    # Timeout set to 0 miliseconds.
> > > 
> > >    # Password retry count set to 3.
> > > 
> > >    # Password verification disabled.
> > > 
> > >    # Iteration time set to 1000 miliseconds.
> > > 
> > >    # Activating volume crypt1 [keyslot -1] using [none] passphrase.
> > > 
> > >    # dm version   OF   [16384] (*1)
> > > 
> > >    # dm versions   OF   [16384] (*1)
> > > 
> > >    # Detected dm-crypt version 1.13.0, dm-ioctl version 4.27.0.
> > > 
> > >    # Device-mapper backend running with UDEV support enabled.
> > > 
> > >    # dm status crypt1  OF   [16384] (*1)
> > > 
> > >    # Interactive passphrase entry requested.
> > > 
> > >    Enter passphrase for /dev/sda5:
> > > 
> > >    # Trying to open key slot 0 [ACTIVE_LAST].
> > > 
> > >    # Reading key slot 0 area.
> > > 
> > >    # Using userspace crypto wrapper to access keyslot area.
> > > 
> > >    # Trying to open key slot 1 [INACTIVE].
> > > 
> > >    # Trying to open key slot 2 [INACTIVE].
> > > 
> > >    # Trying to open key slot 3 [INACTIVE].
> > > 
> > >    # Trying to open key slot 4 [INACTIVE].
> > > 
> > >    # Trying to open key slot 5 [INACTIVE].
> > > 
> > >    # Trying to open key slot 6 [INACTIVE].
> > > 
> > >    # Trying to open key slot 7 [INACTIVE].
> > > 
> > >    No key available with this passphrase.
> > > 
> > >    On 3 Nov 2016, at 19:04, Michael Kjörling <[1]michael@kjorling.se>
> > >    wrote:
> > > 
> > >    On 3 Nov 2016 18:30 +0000, from [2]zero.tonin@web.de (Zero Tonin):
> > > 
> > >      user@debian:~$ sudo cryptsetup luksOpen /dev/sda5 crypt1
> > > 
> > >      Enter passphrase for /dev/sda5:
> > > 
> > >      No key available with this passphrase.
> > > 
> > >    Could you try running this again, but add the `--debug` option to
> > >    cryptsetup, then post the resulting log?
> > >    Make sure to sanitize the passphrase itself from the log if it's there
> > >    (I don't know), but leave everything else intact.
> > >    --
> > >    Michael Kjörling • [3]https://michael.kjorling.se •
> > >    [4]michael@kjorling.se
> > >                    “People who think they know everything really annoy
> > >                    those of us who know we don’t.” (Bjarne Stroustrup)
> > >    _______________________________________________
> > >    dm-crypt mailing list
> > >    [5]dm-crypt@saout.de
> > >    [6]http://www.saout.de/mailman/listinfo/dm-crypt
> > > 
> > > References
> > > 
> > >    1. mailto:michael@kjorling.se
> > >    2. mailto:zero.tonin@web.de
> > >    3. https://michael.kjorling.se/
> > >    4. mailto:michael@kjorling.se
> > >    5. mailto:dm-crypt@saout.de
> > >    6. http://www.saout.de/mailman/listinfo/dm-crypt
> > 
> > > _______________________________________________
> > > dm-crypt mailing list
> > > dm-crypt@saout.de
> > > http://www.saout.de/mailman/listinfo/dm-crypt
> > 
> > 
> > -- 
> > Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
> > GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> > ----
> > A good decision is based on knowledge and not on numbers. -- Plato
> > 
> > If it's in the news, don't worry about it.  The very definition of 
> > "news" is "something that hardly ever happens." -- Bruce Schneier
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> >
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier