From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <mbroz@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
	by mail.saout.de (Postfix) with ESMTP
	for <dm-crypt@saout.de>; Mon,  2 Aug 2010 15:43:04 +0200 (CEST)
Received: from int-mx08.intmail.prod.int.phx2.redhat.com
	(int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.21])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o72Dh3pE025444
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <dm-crypt@saout.de>; Mon, 2 Aug 2010 09:43:03 -0400
Received: from [10.34.26.15] (mazybook.brq.redhat.com [10.34.26.15])
	by int-mx08.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id o72Dh1nU016962
	for <dm-crypt@saout.de>; Mon, 2 Aug 2010 09:43:02 -0400
Message-ID: <4C56CB65.1060804@redhat.com>
Date: Mon, 02 Aug 2010 15:43:01 +0200
From: Milan Broz <mbroz@redhat.com>
MIME-Version: 1.0
References: <1280697096.16046.1387795841@webmail.messagingengine.com><20100801230113.GA14693@tansi.org><1280704838.643.1387808231@webmail.messagingengine.com>	<20100802002730.GA15890@tansi.org>	<1280738327.12803.1387859489@webmail.messagingengine.com>
	<4C5696E2.1000509@redhat.com>
In-Reply-To: <4C5696E2.1000509@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [dm-crypt] How to gather LUKS parameters from active device (if
 LUKS header lost)
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
	<mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
	<mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de



On 08/02/2010 11:58 AM, Milan Broz wrote:
> If you see dm-crypt mapping there mapped to proper drive, you can still recreate
> LUKS header with some some magic.

Well, here is the idea how to reconstruct LUKS header from active mapping
if header is lost but mapping is still active.
(Note: if device is not active, recovery is impossible).

- it will change LUKS UUID!
- no passphrase needed, it asks for new one (root access required of course)
- cryptsetup 1.1.x required.

Do not save master key file (second param) to unencrypted filesystem!

I'll add something similar to cryptsetup distro into DOC install,
for now take this as an idea - see attached script (it will not touch device,
only saves master key to file and print required parameters for cryptsetup).

BEWARE: NO GUARANTEES AT ALL. NOT PROPERLY TESTED.

Example:
  If you have mapped device named "luks_sdb", script will produce this:

  # <script> luks_sdb /mnt/safedisk/sdb_master_key

  Generating master key to file /mnt/safedisk/sdb_master_key.
  You can now try to reformat LUKS device using:
  cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 --align-payload=2056 --master-key-file=/mnt/safedisk/sdb_master_key /dev/sdb

Milan

[---cut here---]
#!/bin/bash

# Try to get LUKS info and master key from active mapping and prepare parameters for cryptsetup"
# (C) 2010 Milan Broz <asi@ucw.cz>


fail() { echo -e $1 ; exit 1 ; }
field() { echo $(dmsetup table --target crypt --showkeys $DEVICE | cut -d' ' -f$1) ; }
field_cryptsetup() { echo $(cryptsetup status $DEVICE | grep $1 | sed "s/.*$1:\s*//;s/\ .*//") ; }

which xxd >/dev/null || fail "You need xxd (part of vim package) installed to convert key."

[ -z "$2" ] && fail "LUKS header from active mapping, use:\n $0 crypt_mapped_device mk_file_name";

DEVICE=$1
MK_FILE=$2

[ -z "$(field 4)" ] && fail "Mapping $1 not active or it is not crypt target."

CIPHER=$(field_cryptsetup cipher)
OFFSET=$(field_cryptsetup offset)
REAL_DEVICE=$(field_cryptsetup device)
KEY_SIZE=$(field_cryptsetup keysize)
KEY=$(field 5)

[ -z "$CIPHER" -o -z "$OFFSET" -o "$OFFSET" -le 383 -o -z "$KEY" ] && fail "Incompatible device, sorry."

echo "Generating master key to file $MK_FILE."
echo -E -n $KEY| xxd -r -p >$MK_FILE

echo "You can now try to reformat LUKS device using:"
echo "  cryptsetup luksFormat -c $CIPHER -s $KEY_SIZE --align-payload=$OFFSET --master-key-file=$MK_FILE $REAL_DEVICE"