[dm-crypt] luks partition table altered by linux-swap

[dm-crypt] luks partition table altered by linux-swap

[anton ivanov]

Hello,

we have very important server running CentOS 5.3 with incredible
terabytes of valuable data stored in luks partition. Server was just
ok, but one hdd died in RAID-5, so I had to reboot, and didn't mention
this line in fstab:

LABEL=SWAP-sdc1         swap                    swap    defaults        0 0

/dev/sdc1 is our encrypted drive.

after reboot 2gb of swap were added to /dev/sdc1

Sep 25 09:22:54 backup kernel: Adding 2097144k swap on /dev/sdc1.
Priority:-1 extents:1 across:2097144k

After removing swap from this drive I am totally unable to luksOpen
partition, though I know password is 100% correct.

cryptsetup luksOpen /dev/sdc1 crypt2
Enter LUKS passphrase:
Enter LUKS passphrase:
Enter LUKS passphrase:
Command failed: No key available with this passphrase.

LUKS header is at the beginning of drive.

cryptsetup isLuks /dev/sdc1 gives no error - so drive is luks
encrypted and recognized as one, but still cannot be opened.

cryptsetup luksDump /dev/sdc1

LUKS header information for /dev/sdc1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
MK digest:      e0 0b 50 a0 00 42 ae 4a cd 71 cc ff 4b 8a b7 01 88 72 f7 23
MK salt:        19 d5 c1 d6 94 5c 8a ed c3 b4 70 3b a2 e2 a7 55
                96 1d b2 e9 fd 06 59 f3 0e cd 42 a6 dd de cb ab
MK iterations:  10
UUID:           9aafb98c-e64f-4837-aeb8-daafe401ff6f

Key Slot 0: ENABLED
        Iterations:             167170
        Salt:                   91 cc f7 c3 65 03 1c 3a 78 fc d4 80 82 23 25 b4
                                eb 99 fc 2b e6 3f 4b b2 bd cb 47 3a 00 08 17 91
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED


But i.e parted shows this:

GNU Parted 1.8.1
Using /dev/sdc1
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print

Model: Unknown (unknown)
Disk /dev/sdc1: 5990GB
Sector size (logical/physical): 512B/512B
Partition Table: loop

Number  Start   End     Size    File system  Flags
 1      0.00kB  5990GB  5990GB  linux-swap


linux-swap as fs and partition table now changed from gpt to loop.
Anyone knows how to fix this and remove this swap partition and fs
from this partition?

Sorry for my clumsy English, hope you got the main idea of the problem.


-- 
ai.

http://biwwy.com/
last.fm: littlewizard

Re: [dm-crypt] luks partition table altered by linux-swap

[Heinz Diehl]

On 28.09.2009, anton ivanov wrote: 

> After removing swap from this drive I am totally unable to luksOpen
> partition, though I know password is 100% correct.

> Command failed: No key available with this passphrase.

Most likely your initrd misses some modules which cryptsetup needs 
to operate on your encrypted partition.

Re: [dm-crypt] luks partition table altered by linux-swap

[anton ivanov]

This server of mine has 2 raid arrays - both encrypted with luks.
First array is mounted without problem, problem is with partition
table on second one.

I am trying to recover old partition table using gpart, though it is
taking too much time with 6.5 TB drive.

There were no writes onto this disk, so none of the information were
lost. Problem is with partition tables only.

Just curious maybe there is some cryptsetup ability to recover
partition table on disk without luksFormat but using already stored
metadata on the drive.

On Mon, Sep 28, 2009 at 5:28 PM, Heinz Diehl <htd@fancy-poultry.org> wrote:
> On 28.09.2009, anton ivanov wrote:
>
>> After removing swap from this drive I am totally unable to luksOpen
>> partition, though I know password is 100% correct.
>
>> Command failed: No key available with this passphrase.
>
> Most likely your initrd misses some modules which cryptsetup needs
> to operate on your encrypted partition.
>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>



-- 
ai.

http://biwwy.com/
last.fm: littlewizard

Re: [dm-crypt] luks partition table altered by linux-swap

[Jonas Meurer]

[-- Attachment #1: Type: text/plain, Size: 721 bytes --]

On 28/09/2009 anton ivanov wrote:
> I am trying to recover old partition table using gpart, though it is
> taking too much time with 6.5 TB drive.
> 
> There were no writes onto this disk, so none of the information were
> lost. Problem is with partition tables only.

i don't know redhat cryptsetup management, but maybe a swap filesystem
was created (mkswap) on the disk in question? in that case, the luks
and/or raid headers might have been overwritten ...

> Just curious maybe there is some cryptsetup ability to recover
> partition table on disk without luksFormat but using already stored
> metadata on the drive.

only in case that you do have a backup of your luks header.

greetings,
 jonas

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [dm-crypt] luks partition table altered by linux-swap

[anton ivanov]

Well, headers seem to be ok. cryptsetup luksDump finds it without any problem.

xxd /dev/sdc1 |head -n 10
0000000: 4c55 4b53 babe 0001 6165 7300 0000 0000  LUKS....aes.....
0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000020: 0000 0000 0000 0000 6362 632d 6573 7369  ........cbc-essi
0000030: 763a 7368 6132 3536 0000 0000 0000 0000  v:sha256........
0000040: 0000 0000 0000 0000 7368 6131 0000 0000  ........sha1....
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000060: 0000 0000 0000 0000 0000 0408 0000 0010  ................
0000070: e00b 50a0 0042 ae4a cd71 ccff 4b8a b701  ..P..B.J.q..K...
0000080: 8872 f723 19d5 c1d6 945c 8aed c3b4 703b  .r.#.....\....p;
0000090: a2e2 a755 961d b2e9 fd06 59f3 0ecd 42a6  ...U......Y...B.


The problem is that the first sector of disk, where partition table is
hold was altered with this damned swap partition of 2gb.

Maybe there is any way on how to create artificial partition table
manually that will be correct for dm-crypt to work? And then write it
to this drive using dd or smth.


On Mon, Sep 28, 2009 at 5:48 PM, Jonas Meurer <jonas@freesources.org> wrote:
> On 28/09/2009 anton ivanov wrote:
>> I am trying to recover old partition table using gpart, though it is
>> taking too much time with 6.5 TB drive.
>>
>> There were no writes onto this disk, so none of the information were
>> lost. Problem is with partition tables only.
>
> i don't know redhat cryptsetup management, but maybe a swap filesystem
> was created (mkswap) on the disk in question? in that case, the luks
> and/or raid headers might have been overwritten ...
>
>> Just curious maybe there is some cryptsetup ability to recover
>> partition table on disk without luksFormat but using already stored
>> metadata on the drive.
>
> only in case that you do have a backup of your luks header.
>
> greetings,
>  jonas
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAkrAzLMACgkQd6lUs+JfIQJXwwCfW22Gjse3wbLM6BzYaoLbpfVJ
> YDsAmwb476W6oloWguoBoNk8Q9VXTZCY
> =ZjmJ
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
>



-- 
ai.

http://biwwy.com/
last.fm: littlewizard

Re: [dm-crypt] luks partition table altered by linux-swap

[Milan Broz]

Jonas Meurer wrote:
> On 28/09/2009 anton ivanov wrote:
> i don't know redhat cryptsetup management, but maybe a swap filesystem
> was created (mkswap) on the disk in question? in that case, the luks
> and/or raid headers might have been overwritten ...

IIRC mkswap in 5.3 do not overwrite first two sectors (so visible LUKS
header is intact) but it probably overwrites part of the first keyslot area.
(I think this changed in new version, there mkswap wipe first 4k.)

If this happens, you are out of luck - it will detect LUKS header but
keyslot is lost and unusable.

(Unfortunately other keyslots are unused, so you cannot use other passphrase.)

> Just curious maybe there is some cryptsetup ability to recover
> partition table on disk without luksFormat but using already stored
> metadata on the drive.

You must first decrypt the data, then you can search in them. Data offset
is known - see LUKS dump and payload offset (in sectors). But without
master key (iow without valid kesylot) you cannot decrypt it anyway.

Milan

Re: [dm-crypt] luks partition table altered by linux-swap

[anton ivanov]

Thanks Milan,

yes swap records begin at

0000400: 0100 0000 ffff 0700 0000 0000 0000 0000  ................
0000410: 0000 0000 0000 0000 0000 0000 5357 4150  ............SWAP
0000420: 2d73 6463 3100 0000 0000 0000 0000 0000  -sdc1...........
0000430: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000440: 0000 0000 0000 0000 0000 0000 0000 0000  ................

while at normally functionin /dev/sda1 i have there is:

0000400: 5841 4749 0000 0001 0000 0000 02b9 53e9  XAGI..........S.
0000410: 0000 0040 0000 0003 0000 0001 0000 0039  ...@...........9
0000420: 0004 4780 ffff ffff ffff ffff ffff ffff  ..G.............
0000430: ffff ffff ffff ffff ffff ffff ffff ffff  ................

So bad luck for me. Thank you for your help.

On Mon, Sep 28, 2009 at 6:03 PM, Milan Broz <mbroz@redhat.com> wrote:
> Jonas Meurer wrote:
>> On 28/09/2009 anton ivanov wrote:
>> i don't know redhat cryptsetup management, but maybe a swap filesystem
>> was created (mkswap) on the disk in question? in that case, the luks
>> and/or raid headers might have been overwritten ...
>
> IIRC mkswap in 5.3 do not overwrite first two sectors (so visible LUKS
> header is intact) but it probably overwrites part of the first keyslot area.
> (I think this changed in new version, there mkswap wipe first 4k.)
>
> If this happens, you are out of luck - it will detect LUKS header but
> keyslot is lost and unusable.
>
> (Unfortunately other keyslots are unused, so you cannot use other passphrase.)
>
>> Just curious maybe there is some cryptsetup ability to recover
>> partition table on disk without luksFormat but using already stored
>> metadata on the drive.
>
> You must first decrypt the data, then you can search in them. Data offset
> is known - see LUKS dump and payload offset (in sectors). But without
> master key (iow without valid kesylot) you cannot decrypt it anyway.
>
> Milan
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>



-- 
ai.

http://biwwy.com/
last.fm: littlewizard

Re: [dm-crypt] luks partition table altered by linux-swap

[anton ivanov]

One idea.

I have the same passphrase on first correctly working drive. Can I
dump keyslot data from it and put it to this wiped out one?

On Mon, Sep 28, 2009 at 7:33 PM, anton ivanov
<run.into.flowers@gmail.com> wrote:
> Thanks Milan,
>
> yes swap records begin at
>
> 0000400: 0100 0000 ffff 0700 0000 0000 0000 0000  ................
> 0000410: 0000 0000 0000 0000 0000 0000 5357 4150  ............SWAP
> 0000420: 2d73 6463 3100 0000 0000 0000 0000 0000  -sdc1...........
> 0000430: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0000440: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>
> while at normally functionin /dev/sda1 i have there is:
>
> 0000400: 5841 4749 0000 0001 0000 0000 02b9 53e9  XAGI..........S.
> 0000410: 0000 0040 0000 0003 0000 0001 0000 0039  ...@...........9
> 0000420: 0004 4780 ffff ffff ffff ffff ffff ffff  ..G.............
> 0000430: ffff ffff ffff ffff ffff ffff ffff ffff  ................
>
> So bad luck for me. Thank you for your help.
>
> On Mon, Sep 28, 2009 at 6:03 PM, Milan Broz <mbroz@redhat.com> wrote:
>> Jonas Meurer wrote:
>>> On 28/09/2009 anton ivanov wrote:
>>> i don't know redhat cryptsetup management, but maybe a swap filesystem
>>> was created (mkswap) on the disk in question? in that case, the luks
>>> and/or raid headers might have been overwritten ...
>>
>> IIRC mkswap in 5.3 do not overwrite first two sectors (so visible LUKS
>> header is intact) but it probably overwrites part of the first keyslot area.
>> (I think this changed in new version, there mkswap wipe first 4k.)
>>
>> If this happens, you are out of luck - it will detect LUKS header but
>> keyslot is lost and unusable.
>>
>> (Unfortunately other keyslots are unused, so you cannot use other passphrase.)
>>
>>> Just curious maybe there is some cryptsetup ability to recover
>>> partition table on disk without luksFormat but using already stored
>>> metadata on the drive.
>>
>> You must first decrypt the data, then you can search in them. Data offset
>> is known - see LUKS dump and payload offset (in sectors). But without
>> master key (iow without valid kesylot) you cannot decrypt it anyway.
>>
>> Milan
>>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>>
>
>
>
> --
> ai.
>
> http://biwwy.com/
> last.fm: littlewizard
>



-- 
ai.

http://biwwy.com/
last.fm: littlewizard

Re: [dm-crypt] luks partition table altered by linux-swap

[Jonas Meurer]

[-- Attachment #1: Type: text/plain, Size: 357 bytes --]

On 28/09/2009 anton ivanov wrote:
> One idea.
> 
> I have the same passphrase on first correctly working drive. Can I
> dump keyslot data from it and put it to this wiped out one?

no, that would make things even worse. the masterkey is unique for every
luks device, and the passphrase is only used to decrypt this master key.

greetings,
 jonas

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [dm-crypt] luks partition table altered by linux-swap

[Jonas Meurer]

[-- Attachment #1: Type: text/plain, Size: 1539 bytes --]

hey,

On 28/09/2009 anton ivanov wrote:
> Well, headers seem to be ok. cryptsetup luksDump finds it without any problem.
> 
> xxd /dev/sdc1 |head -n 10
> 0000000: 4c55 4b53 babe 0001 6165 7300 0000 0000  LUKS....aes.....
> 0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0000020: 0000 0000 0000 0000 6362 632d 6573 7369  ........cbc-essi
> 0000030: 763a 7368 6132 3536 0000 0000 0000 0000  v:sha256........
> 0000040: 0000 0000 0000 0000 7368 6131 0000 0000  ........sha1....
> 0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0000060: 0000 0000 0000 0000 0000 0408 0000 0010  ................
> 0000070: e00b 50a0 0042 ae4a cd71 ccff 4b8a b701  ..P..B.J.q..K...
> 0000080: 8872 f723 19d5 c1d6 945c 8aed c3b4 703b  .r.#.....\....p;
> 0000090: a2e2 a755 961d b2e9 fd06 59f3 0ecd 42a6  ...U......Y...B.
> 
> 
> The problem is that the first sector of disk, where partition table is
> hold was altered with this damned swap partition of 2gb.
> 
> Maybe there is any way on how to create artificial partition table
> manually that will be correct for dm-crypt to work? And then write it
> to this drive using dd or smth.

if only the partition table at beginning of /dev/sdc is damaged, and not
the luks header at beginning of /dev/sdc1, you could find out the sector
where /dev/sdc1 beginns, loop-mount /dev/sdc with offset and try to
luksOpen the loop device:

# losetup -o <bytes> /dev/loop0 /dev/sdc
# cryptsetup luksOpen /dev/loop0 sdc1_crypt

greetings,
 jonas

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [dm-crypt] luks partition table altered by linux-swap

[anton ivanov]

I will try when I get there, but will it work with such big drives?

On Tue, Sep 29, 2009 at 11:27 AM, Jonas Meurer <jonas@freesources.org> wrote:
> hey,
>
> On 28/09/2009 anton ivanov wrote:
>> Well, headers seem to be ok. cryptsetup luksDump finds it without any problem.
>>
>> xxd /dev/sdc1 |head -n 10
>> 0000000: 4c55 4b53 babe 0001 6165 7300 0000 0000  LUKS....aes.....
>> 0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>> 0000020: 0000 0000 0000 0000 6362 632d 6573 7369  ........cbc-essi
>> 0000030: 763a 7368 6132 3536 0000 0000 0000 0000  v:sha256........
>> 0000040: 0000 0000 0000 0000 7368 6131 0000 0000  ........sha1....
>> 0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>> 0000060: 0000 0000 0000 0000 0000 0408 0000 0010  ................
>> 0000070: e00b 50a0 0042 ae4a cd71 ccff 4b8a b701  ..P..B.J.q..K...
>> 0000080: 8872 f723 19d5 c1d6 945c 8aed c3b4 703b  .r.#.....\....p;
>> 0000090: a2e2 a755 961d b2e9 fd06 59f3 0ecd 42a6  ...U......Y...B.
>>
>>
>> The problem is that the first sector of disk, where partition table is
>> hold was altered with this damned swap partition of 2gb.
>>
>> Maybe there is any way on how to create artificial partition table
>> manually that will be correct for dm-crypt to work? And then write it
>> to this drive using dd or smth.
>
> if only the partition table at beginning of /dev/sdc is damaged, and not
> the luks header at beginning of /dev/sdc1, you could find out the sector
> where /dev/sdc1 beginns, loop-mount /dev/sdc with offset and try to
> luksOpen the loop device:
>
> # losetup -o <bytes> /dev/loop0 /dev/sdc
> # cryptsetup luksOpen /dev/loop0 sdc1_crypt
>
> greetings,
>  jonas
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAkrBxNUACgkQd6lUs+JfIQK+4ACfaL93TvdClfJ/my7+gCHPQ1HO
> 5BkAoJpYmXdQZIhUwYR5ZiM75FOBhEZj
> =2U7O
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
>



-- 
ai.

http://biwwy.com/
last.fm: littlewizard