* [dm-crypt] LUKS Header and partition dimension
From: Claudio Moretti @ 2011-03-28 10:41 UTC
To: dm-crypt

Hi all,
a few days ago my MBR was changed (I don't know how) and my extended
partition which contained three LUKS partitions (root, home and swap)
disappeared.
I testdisk-ed my disk and it found the beginning of those three partitions,
but was unable to determine the size.
I tried setting a larger size for the first partition, but when I tried to
decrypt it, cryptsetup reported "No key available with this passphrase".
I am positive that I'm trying with the right password on the right
partition; I discovered that anti-forensic information is stored on the
entire LUKS partition, so I tried setting the end of the partition at one
sector less than the start of the next one, but I was unable to decrypt the
disk.
I wrote a script which is trying to reduce the partition dimension one
sector at a time and that will stop if cryptsetup succeeds.
My question is: if the partition size changes, does cryptsetup stop
unlocking the disk? (maybe because of a partition-size hash, or something
that prevents unlocking a disk/partition if its size is not exactly the one
that was created)
If the partition size has no relation with the disk unlocking, does it mean
that somehow my LUKS header is corrupted (and therefore I'll be unable to
unlock the disk, because I was so stupid I didn't backup the header)?

Thanks,

Claudio

* Re: [dm-crypt] LUKS Header and partition dimension
From: Milan Broz @ 2011-03-28 11:02 UTC
To: Claudio Moretti; +Cc: dm-crypt

On 03/28/2011 12:41 PM, Claudio Moretti wrote:
> If the partition size has no relation with the disk unlocking, does
> it mean that somehow my LUKS header is corrupted (and therefore I'll
> be unable to unlock the disk, because I was so stupid I didn't backup
> the header)?

Unfortunately you probably just answered yourself.

Partition size (resp. partition end) is not important; you just need
the full LUKS header starting at the beginning, with uncorrupted active
keyslots, to unlock it.

Also see
http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#6._Backup_and_Data_Recovery

Milan

* Re: [dm-crypt] LUKS Header and partition dimension
From: Arno Wagner @ 2011-03-28 15:01 UTC
To: dm-crypt

On Mon, Mar 28, 2011 at 10:41:52AM +0000, Claudio Moretti wrote:
> Hi all,
> a few days ago my MBR was changed (I don't know how) and my extended
> partition which contained three LUKS partitions (root, home and swap)
> disappeared.

Bad. Very bad. Should not happen in a healthy system, unless
you were doing something dangerous and messed up. May also be
caused by badly written malware.

> I testdisk-ed my disk and it found the beginning of those three partitions,
> but was unable to determine the size.

LUKS only needs the start, size is irrelevant for LUKS.
To find the start, you can look for the magic string
'L','U','K','S', 0xBA, 0xBE, which marks the beginning
of the LUKS metadata Header.

End is completely irrelevant to LUKS, so if you just
want a trial unlock (but not mount of the partition), you
can just set any partition size > 10MB or so. You can also
copy these 10MB to file and trial-unlock using a loop device
(See "How do I use LUKS with a loop-device?" in Section 2 of
the FAQ)

> I tried setting a larger size for the first partition, but when I tried to
> decrypt it, cryptsetup reported "No key available with this passphrase".
> I am positive that I'm trying with the right password on the right
> partition; I discovered that anti-forensic information is stored on the
> entire LUKS partition,

No, it is not. It is directly after the metadata-header
and before the data area.
See http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions,
Section "6. Backup and Data Recovery", entry "What does
the on-disk structure of LUKS look like?".

> so I tried setting the end of the partition at one
> sector less than the start of the next one, but I was unable to decrypt the
> disk.
> I wrote a script which is trying to reduce the partition dimension one
> sector at a time and that will stop if cryptsetup succeeds.
> My question is: if the partition size changes, does cryptsetup stop
> unlocking the disk? (maybe because of a partition-size hash, or something
> that prevents unlocking a disk/partition if its size is not exactly the one
> that was created)
> If the partition size has no relation with the disk unlocking, does it mean
> that somehow my LUKS header is corrupted (and therefore I'll be unable to
> unlock the disk, because I was so stupid I didn't backup the header)?

Your header and/or keyslot areas were damaged. This is a killer,
meaning there likely is no way you can get your data back.
Also see FAQ entry "What happens if I overwrite the start of a
LUKS partition or damage the LUKS header or key-slots?"

I completely agree with Milan, very likely your data is
irretrievable.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
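
The header check described in the reply above (locate the magic string, then see whether the header and key-slot descriptors are still intact), as an added example that is not part of the original thread. It assumes the LUKS1 on-disk layout (592-byte big-endian header with eight 48-byte key-slot descriptors); the function names are hypothetical and the sample image is constructed.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")    # fixed part, 208 bytes
SLOT = struct.Struct(">II32sII")                     # key-slot descriptor, 48 bytes
STATES = {0x00AC71F3: "active", 0x0000DEAD: "disabled"}
SECTOR = 512

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1(buf, off):
    """Parse a LUKS1 header at byte offset off; None if it is not plausible."""
    if len(buf) < off + PHDR.size + 8 * SLOT.size:
        return None                                  # truncated header
    (magic, version, cipher, mode, hash_spec, payload, key_bytes,
     _digest, _salt, _iters, uuid) = PHDR.unpack_from(buf, off)
    if magic != LUKS_MAGIC or version != 1:
        return None
    slots = []
    for i in range(8):
        state, _it, _s, km_off, stripes = SLOT.unpack_from(buf, off + PHDR.size + i * SLOT.size)
        # Any value other than the two defined markers means the field was overwritten.
        slots.append((STATES.get(state, "corrupt"), km_off, stripes))
    return {"offset": off, "cipher": _text(cipher), "mode": _text(mode),
            "hash": _text(hash_spec), "payload_sector": payload,
            "key_bytes": key_bytes, "uuid": _text(uuid), "slots": slots}

def scan(buf):
    """Return parsed headers for every sector-aligned occurrence of the magic."""
    hits = (parse_luks1(buf, off) for off in range(0, len(buf), SECTOR)
            if buf[off:off + 6] == LUKS_MAGIC)
    return [h for h in hits if h]

def build_sample():
    """Constructed 4 KiB image: one LUKS1 header at sector 2, slot 1 damaged."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4096, 32,
                    bytes(20), bytes(32), 1000, b"00000000-0000-0000-0000-000000000000")
    slots = SLOT.pack(0x00AC71F3, 1000, bytes(32), 8, 4000)
    slots += SLOT.pack(0x12345678, 0, bytes(32), 264, 4000)   # overwritten state field
    slots += b"".join(SLOT.pack(0x0000DEAD, 0, bytes(32), 8 + 256 * i, 4000) for i in range(2, 8))
    img = bytearray(8 * SECTOR)
    img[2 * SECTOR:2 * SECTOR + len(hdr + slots)] = hdr + slots
    return bytes(img)

if __name__ == "__main__":
    for h in scan(build_sample()):
        print(h["offset"], h["cipher"], h["mode"], h["payload_sector"], [s[0] for s in h["slots"]])
```

A slot reported as active only means its descriptor is intact; damage inside the key material area that the descriptor points to is not visible from these fields.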

* Re: [dm-crypt] LUKS Header and partition dimension
From: Claudio Moretti @ 2011-03-29 9:56 UTC
To: dm-crypt

Thank you both for your reply.
In the end, I formatted and just a few seconds ago I dumped both root and
home LUKS headers and my current MBR.
I'm learning, or so it seems.

Thanks again, and long live backups (sigh..)

Claudio

* Re: [dm-crypt] LUKS Header and partition dimension
From: Arno Wagner @ 2011-03-29 13:43 UTC
To: dm-crypt

Backup is sort-of a rite of passage: You need to lose
something valuable once, before you take it seriously.

The strong wording at the beginning of the FAQ is no
accident. I still expect that for most people it
will not be enough. Seems to be some kind of fundamental
human limitation that can only be overcome through
painful experience.

Arno

On Tue, Mar 29, 2011 at 11:56:29AM +0200, Claudio Moretti wrote:
> Thank you both for your reply.
> In the end, I formatted and just a few seconds ago I dumped both root and
> home LUKS headers and my current MBR.
> I'm learning, or so it seems.
>
> Thanks again, and long live backups (sigh..)
>
> Claudio