[dm-crypt] After reboot: "Command failed with code 22: Device /dev/md2 is not a valid LUKS device."

[dm-crypt] After reboot: "Command failed with code 22: Device /dev/md2 is not a valid LUKS device."

[Jens-Michael Hoffmann]

hello,

the LUKS device in question was setup on top of a raid6 (/dev/md2) consisting 
of 6 partitions (1.8TB each).

The LUKS device was created with

cryptsetup --verbose --cipher=aes-xts-plain64 --key-size=256 --verify-
passphrase luksFormat /dev/md2

Then it was opened with (probably, what I could tell from history):

cryptsetup -v create md2_crypt /dev/md2

and a XFS filesystem was created on top of it.

I put some files on the filesystem which all seemed to work.
After the first reboot, the array was assembled correctly, but I could not 
create the crypt mapping anymore:

root@babylon5:~# LANG=C cryptsetup -v --debug isLuks /dev/md2
# cryptsetup 1.4.3 processing "cryptsetup -v --debug isLuks /dev/md2"
# Running command isLuks.
# Allocating crypt device /dev/md2 context.
# Trying to open and read device /dev/md2.
# Initialising device-mapper backend, UDEV is enabled.
# Detected dm-crypt version 1.12.1, dm-ioctl version 4.23.1.
# Trying to load LUKS1 crypt type from device /dev/md2.
# Crypto backend (gcrypt 1.5.0) initialized.
# Reading LUKS header of size 1024 from device /dev/md2
# LUKS header not detected.
Device /dev/md2 is not a valid LUKS device.
# Releasing crypt device /dev/md2 context.
# Releasing device-mapper backend.
Command failed with code 22: Device /dev/md2 is not a valid LUKS device.

The data I put there was not overly important, but still it would be nice if 
it would not be all lost.

Is there anything I can try? (I did not yet try cryptsetup --repair)


kind regards,
Jens-Michael

Re: [dm-crypt] After reboot: "Command failed with code 22: Device /dev/md2 is not a valid LUKS device."

[Arno Wagner]

On Tue, Apr 23, 2013 at 05:13:57PM +0200, Jens-Michael Hoffmann wrote:
> hello,
> 
> the LUKS device in question was setup on top of a raid6 (/dev/md2) consisting 
> of 6 partitions (1.8TB each).
> 
> The LUKS device was created with
> 
> cryptsetup --verbose --cipher=aes-xts-plain64 --key-size=256 --verify-
> passphrase luksFormat /dev/md2

Ok.

> Then it was opened with (probably, what I could tell from history):
> 
> cryptsetup -v create md2_crypt /dev/md2

That puts a plain dm-crypt mapping on top of the LUKS device.
Open a LUKS device with "luksOpen" not with "create".
 
> and a XFS filesystem was created on top of it.

That now is in the plain dm-crypt container and likely
did damage the LUKS container created before.

> I put some files on the filesystem which all seemed to work.
> After the first reboot, the array was assembled correctly, but I could not 
> create the crypt mapping anymore:
> 
> root@babylon5:~# LANG=C cryptsetup -v --debug isLuks /dev/md2
> # cryptsetup 1.4.3 processing "cryptsetup -v --debug isLuks /dev/md2"
> # Running command isLuks.
> # Allocating crypt device /dev/md2 context.
> # Trying to open and read device /dev/md2.
> # Initialising device-mapper backend, UDEV is enabled.
> # Detected dm-crypt version 1.12.1, dm-ioctl version 4.23.1.
> # Trying to load LUKS1 crypt type from device /dev/md2.
> # Crypto backend (gcrypt 1.5.0) initialized.
> # Reading LUKS header of size 1024 from device /dev/md2
> # LUKS header not detected.
> Device /dev/md2 is not a valid LUKS device.
> # Releasing crypt device /dev/md2 context.
> # Releasing device-mapper backend.
> Command failed with code 22: Device /dev/md2 is not a valid LUKS device.

Likely something you wrtoe to the plain mapping overwrote
the LUKS header. Open it as plain to access it.

> The data I put there was not overly important, but still it would be 
> nice if it would not be all lost.
> 
> Is there anything I can try? (I did not yet try cryptsetup --repair)

Don't try that. Your data is in a plain dm-crypt container,
not in the LUKS container that was damaged. Just open it
with "create" again. ("create" does not write anything to disk.
IT just creates the plain mapping. No data is written to disk
as a plain mapping does not have metadata.)

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare

Re: [dm-crypt] After reboot: "Command failed with code 22: Device /dev/md2 is not a valid LUKS device."

[Jens-Michael Hoffmann]

Am Dienstag, 23. April 2013, 17:52:13 schrieb Arno Wagner:
> On Tue, Apr 23, 2013 at 05:13:57PM +0200, Jens-Michael Hoffmann wrote:
> > hello,
> > 
> > the LUKS device in question was setup on top of a raid6 (/dev/md2)
> > consisting of 6 partitions (1.8TB each).
> > 
> > The LUKS device was created with
> > 
> > cryptsetup --verbose --cipher=aes-xts-plain64 --key-size=256 --verify-
> > passphrase luksFormat /dev/md2
> 
> Ok.
> 
> > Then it was opened with (probably, what I could tell from history):
> > 
> > cryptsetup -v create md2_crypt /dev/md2
> 
> That puts a plain dm-crypt mapping on top of the LUKS device.
> Open a LUKS device with "luksOpen" not with "create".
> 
> > and a XFS filesystem was created on top of it.
> 
> That now is in the plain dm-crypt container and likely
> did damage the LUKS container created before.
> 
> > I put some files on the filesystem which all seemed to work.
> > After the first reboot, the array was assembled correctly, but I could not
> > create the crypt mapping anymore:
> > 
> > root@babylon5:~# LANG=C cryptsetup -v --debug isLuks /dev/md2
> > # cryptsetup 1.4.3 processing "cryptsetup -v --debug isLuks /dev/md2"
> > # Running command isLuks.
> > # Allocating crypt device /dev/md2 context.
> > # Trying to open and read device /dev/md2.
> > # Initialising device-mapper backend, UDEV is enabled.
> > # Detected dm-crypt version 1.12.1, dm-ioctl version 4.23.1.
> > # Trying to load LUKS1 crypt type from device /dev/md2.
> > # Crypto backend (gcrypt 1.5.0) initialized.
> > # Reading LUKS header of size 1024 from device /dev/md2
> > # LUKS header not detected.
> > Device /dev/md2 is not a valid LUKS device.
> > # Releasing crypt device /dev/md2 context.
> > # Releasing device-mapper backend.
> > Command failed with code 22: Device /dev/md2 is not a valid LUKS device.
> 
> Likely something you wrtoe to the plain mapping overwrote
> the LUKS header. Open it as plain to access it.
> 
> > The data I put there was not overly important, but still it would be
> > nice if it would not be all lost.
> > 
> > Is there anything I can try? (I did not yet try cryptsetup --repair)
> 
> Don't try that. Your data is in a plain dm-crypt container,
> not in the LUKS container that was damaged. Just open it
> with "create" again. ("create" does not write anything to disk.
> IT just creates the plain mapping. No data is written to disk
> as a plain mapping does not have metadata.)

Many thanks!

"cryptsetup -v create md2_crypt /dev/md2" indeed successfully created the 
mapping and I could mount the filesystem.

Just out of curiosity: Is the cipher and key size combination (aes-xts-
plain64, 256 bit) the default or why did I have not to specify it to create 
the mapping? (IIUC the metadata of plain mappings is not stored?)


kind regards,
Jens-Michael

Re: [dm-crypt] After reboot: "Command failed with code 22: Device /dev/md2 is not a valid LUKS device."

[Jens-Michael Hoffmann]

[-- Attachment #1: Type: text/plain, Size: 557 bytes --]

> 
> Just out of curiosity: Is the cipher and key size combination (aes-xts-
> plain64, 256 bit) the default or why did I have not to specify it to create
> the mapping? (IIUC the metadata of plain mappings is not stored?)

Never mind, I just realized that that was part of the destroyed luks device, 
so I guess the default cipher/key size of "cryptsetup create" is used now.

Is there perhaps any way for converting the plain mapping into a luks 
mapping or would I just have to create a new luks device and copy data 
over?


kind regards,
Jens-Michael


[-- Attachment #2: Type: text/html, Size: 3118 bytes --]

Re: [dm-crypt] After reboot: "Command failed with code 22: Device /dev/md2 is not a valid LUKS device."

[Arno Wagner]

On Tue, Apr 23, 2013 at 06:18:23PM +0200, Jens-Michael Hoffmann wrote:
> > 
> > Just out of curiosity: Is the cipher and key size combination (aes-xts-
> > plain64, 256 bit) the default or why did I have not to specify it to create
> > the mapping? (IIUC the metadata of plain mappings is not stored?)
> 
> Never mind, I just realized that that was part of the destroyed luks device, 
> so I guess the default cipher/key size of "cryptsetup create" is used now.

Indeed. 
 
> Is there perhaps any way for converting the plain mapping into a luks 
> mapping or would I just have to create a new luks device and copy data 
> over?

While theoretically such a conversion may be possible, you
would have to write the converter yourself. So yes, copying
to a new LUKS container is the way to go.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare