[dm-crypt] UUID question

[dm-crypt] UUID question

[David Li]

[-- Attachment #1: Type: text/plain, Size: 279 bytes --]

Hi, I wonder if the dm-crypt partition UUID (shown in blkid -p <dev>) can
be used to uniquely associate it with the set of keys the partition will
need. Are there any cases that the UUID would change during the partition's
lifetime?

If not UUID, any other suggestions?

Thanks.

[-- Attachment #2: Type: text/html, Size: 368 bytes --]

Re: [dm-crypt] UUID question

[Arno Wagner]

On Mon, Dec 17, 2012 at 04:10:50PM -0800, David Li wrote:
> Hi, I wonder if the dm-crypt partition UUID (shown in blkid -p <dev>) can
> be used to uniquely associate it with the set of keys the partition will
> need. Are there any cases that the UUID would change during the partition's
> lifetime?

The UUID is actually a filesystem attribute, not a partition 
attribute. That said, for purpose of an UUID, LUKS is regarded as a 
filesystem, which is IMO the correct way to view it, but not a 
perfect one. So, yes, the UUID will change if you do a luksFormat 
(aptly named if LUKS is regarded as a filesystem), but it will not 
change otherwise. As a luksFormat invalidates all keys, that should 
do for your purpose. 

Arno 
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell

Re: [dm-crypt] UUID question

[Marc Ballarin]

Am 18.12.2012 01:36, schrieb Arno Wagner:
> On Mon, Dec 17, 2012 at 04:10:50PM -0800, David Li wrote:
>> Hi, I wonder if the dm-crypt partition UUID (shown in blkid -p <dev>) can
>> be used to uniquely associate it with the set of keys the partition will
>> need. Are there any cases that the UUID would change during the partition's
>> lifetime?
>
> The UUID is actually a filesystem attribute, not a partition
> attribute...

This depends on the partition format in use. For example GPT, and maybe 
others, provide an additional UUID for partititons (actually GPT even 
supports Labels):

$ sudo blkid -p /dev/sda1
/dev/sda1: LABEL="data_usb" UUID="9b70c4bf-6b40-4be3-9cb7-030db682ad35" 
VERSION="1.0" TYPE="ext4" USAGE="filesystem" PART_ENTRY_SCHEME="gpt" 
PART_ENTRY_UUID="3d18a590-d329-4a82-be02-c3588098d625" 
PART_ENTRY_TYPE="0fc63daf-8483-4772-8e79-3d69d8477de4" 
PART_ENTRY_NUMBER="1" PART_ENTRY_OFFSET="2048" 
PART_ENTRY_SIZE="3907027087" PART_ENTRY_DISK="8:0"

Whereas dos/mbr does not:

$sudo blkid -p /dev/sda1
/dev/sda1: UUID="b786a3a4-26e7-4765-aed1-9bc472522c06" VERSION="1.0" 
TYPE="ext4" USAGE="filesystem" PART_ENTRY_SCHEME="dos" 
PART_ENTRY_TYPE="0x83" PART_ENTRY_FLAGS="0x80" PART_ENTRY_NUMBER="1" 
PART_ENTRY_OFFSET="2048" PART_ENTRY_SIZE="63997952" PART_ENTRY_DISK="8:0"

While the GPT UUID should never change, it might happen if some bogus 
resizing tool is used.

So, if a LUKS-UUID is available I would always prefer it and only fall 
back to partition UUIDs when not using LUKS.

Regards,
Marc

Re: [dm-crypt] UUID question

[Milan Broz]

On 12/18/2012 01:36 AM, Arno Wagner wrote:
> On Mon, Dec 17, 2012 at 04:10:50PM -0800, David Li wrote:
>> Hi, I wonder if the dm-crypt partition UUID (shown in blkid -p <dev>) can
>> be used to uniquely associate it with the set of keys the partition will
>> need. Are there any cases that the UUID would change during the partition's
>> lifetime?
> 
> The UUID is actually a filesystem attribute, not a partition 
> attribute. That said, for purpose of an UUID, LUKS is regarded as a 
> filesystem, which is IMO the correct way to view it, but not a 
> perfect one. So, yes, the UUID will change if you do a luksFormat 
> (aptly named if LUKS is regarded as a filesystem), but it will not 
> change otherwise. As a luksFormat invalidates all keys, that should 
> do for your purpose. 

Well, it is more complicated. blkid recognizes UUID from metadata
on disk. There are several groups of metadata and there are priorities
(raid devices have priority to filesystem for example).
UUID is generic attribute, even MD devices, LVM PVs etc have UUID.

LUKS is basically handled like MD (raid) device.

Anyway, question was if UUID can change during lifetime - no.
(reformat is not part of lifetime, you will lose data)
To be precise, you can change UUID but it must be explicit user action
(see man cryptsetup).

And it is preferred way to reference LUKS device by its UUID (if the
physical disk is moved likde sdb->sdc, it still works).

An example:

# blkid /dev/sdb
/dev/sdb: UUID="bb0c71ca-24c0-4a73-b7ff-ebdbcf152040" TYPE="crypto_LUKS"

# blkid -U bb0c71ca-24c0-4a73-b7ff-ebdbcf152040
/dev/sdb


And cryptsetup itself (in recent versions) recognizes UUID as device parameter:

#cryptsetup luksOpen UUID=bb0c71ca-24c0-4a73-b7ff-ebdbcf152040 test
Enter passphrase for /dev/disk/by-uuid/bb0c71ca-24c0-4a73-b7ff-ebdbcf152040: 

And you should be able to use UUID in /etc/crypttab as well.

Milan

Re: [dm-crypt] UUID question

[Arno Wagner]

On Tue, Dec 18, 2012 at 09:21:48AM +0100, Milan Broz wrote:
> On 12/18/2012 01:36 AM, Arno Wagner wrote:
> > On Mon, Dec 17, 2012 at 04:10:50PM -0800, David Li wrote:
> >> Hi, I wonder if the dm-crypt partition UUID (shown in blkid -p <dev>) can
> >> be used to uniquely associate it with the set of keys the partition will
> >> need. Are there any cases that the UUID would change during the partition's
> >> lifetime?
> > 
> > The UUID is actually a filesystem attribute, not a partition 
> > attribute. That said, for purpose of an UUID, LUKS is regarded as a 
> > filesystem, which is IMO the correct way to view it, but not a 
> > perfect one. So, yes, the UUID will change if you do a luksFormat 
> > (aptly named if LUKS is regarded as a filesystem), but it will not 
> > change otherwise. As a luksFormat invalidates all keys, that should 
> > do for your purpose. 
> 
> Well, it is more complicated. blkid recognizes UUID from metadata
> on disk. There are several groups of metadata and there are priorities
> (raid devices have priority to filesystem for example).

Interesting. I admit I only checked where LUKS and ext2/3/4 keep 
the UUID and whether DOS partitions have them. Is there some 
documentation on these priorities, or is the source of blkid 
authorative?

> UUID is generic attribute, even MD devices, LVM PVs etc have UUID.
> 
> LUKS is basically handled like MD (raid) device.

Makes sense.

Arno




> Anyway, question was if UUID can change during lifetime - no.
> (reformat is not part of lifetime, you will lose data)
> To be precise, you can change UUID but it must be explicit user action
> (see man cryptsetup).
> 
> And it is preferred way to reference LUKS device by its UUID (if the
> physical disk is moved likde sdb->sdc, it still works).
> 
> An example:
> 
> # blkid /dev/sdb
> /dev/sdb: UUID="bb0c71ca-24c0-4a73-b7ff-ebdbcf152040" TYPE="crypto_LUKS"
> 
> # blkid -U bb0c71ca-24c0-4a73-b7ff-ebdbcf152040
> /dev/sdb
> 
> 
> And cryptsetup itself (in recent versions) recognizes UUID as device parameter:
> 
> #cryptsetup luksOpen UUID=bb0c71ca-24c0-4a73-b7ff-ebdbcf152040 test
> Enter passphrase for /dev/disk/by-uuid/bb0c71ca-24c0-4a73-b7ff-ebdbcf152040: 
> 
> And you should be able to use UUID in /etc/crypttab as well.
> 
> Milan
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell

Re: [dm-crypt] UUID question

[Arno Wagner]

On Tue, Dec 18, 2012 at 09:12:01AM +0100, Marc Ballarin wrote:
> Am 18.12.2012 01:36, schrieb Arno Wagner:
> >On Mon, Dec 17, 2012 at 04:10:50PM -0800, David Li wrote:
> >>Hi, I wonder if the dm-crypt partition UUID (shown in blkid -p <dev>) can
> >>be used to uniquely associate it with the set of keys the partition will
> >>need. Are there any cases that the UUID would change during the partition's
> >>lifetime?
> >
> >The UUID is actually a filesystem attribute, not a partition
> >attribute...
> 
> This depends on the partition format in use. For example GPT, and
> maybe others, provide an additional UUID for partititons (actually
> GPT even supports Labels):
> 
> $ sudo blkid -p /dev/sda1
> /dev/sda1: LABEL="data_usb"
> UUID="9b70c4bf-6b40-4be3-9cb7-030db682ad35" VERSION="1.0"
> TYPE="ext4" USAGE="filesystem" PART_ENTRY_SCHEME="gpt"
> PART_ENTRY_UUID="3d18a590-d329-4a82-be02-c3588098d625"
> PART_ENTRY_TYPE="0fc63daf-8483-4772-8e79-3d69d8477de4"
> PART_ENTRY_NUMBER="1" PART_ENTRY_OFFSET="2048"
> PART_ENTRY_SIZE="3907027087" PART_ENTRY_DISK="8:0"
> 
> Whereas dos/mbr does not:
> 
> $sudo blkid -p /dev/sda1
> /dev/sda1: UUID="b786a3a4-26e7-4765-aed1-9bc472522c06" VERSION="1.0"
> TYPE="ext4" USAGE="filesystem" PART_ENTRY_SCHEME="dos"
> PART_ENTRY_TYPE="0x83" PART_ENTRY_FLAGS="0x80" PART_ENTRY_NUMBER="1"
> PART_ENTRY_OFFSET="2048" PART_ENTRY_SIZE="63997952"
> PART_ENTRY_DISK="8:0"
> 
> While the GPT UUID should never change, it might happen if some
> bogus resizing tool is used.
> 
> So, if a LUKS-UUID is available I would always prefer it and only
> fall back to partition UUIDs when not using LUKS.
> 
> Regards,
> Marc

Interesting. Seems (again), my view of things is too simplistic ;-)

Anyways, the gist is that change of UUIDs is not something that 
should ordionarily happen during the lifetime of whatever
carries it.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell

Re: [dm-crypt] UUID question

[David Li]

[-- Attachment #1: Type: text/plain, Size: 2653 bytes --]

cryptsetup luksUUID <dev> also shows UUID, Perhaps this is the luks UUID
that is independent of the partition format.


On Tue, Dec 18, 2012 at 12:57 AM, Arno Wagner <arno@wagner.name> wrote:

> On Tue, Dec 18, 2012 at 09:12:01AM +0100, Marc Ballarin wrote:
> > Am 18.12.2012 01:36, schrieb Arno Wagner:
> > >On Mon, Dec 17, 2012 at 04:10:50PM -0800, David Li wrote:
> > >>Hi, I wonder if the dm-crypt partition UUID (shown in blkid -p <dev>)
> can
> > >>be used to uniquely associate it with the set of keys the partition
> will
> > >>need. Are there any cases that the UUID would change during the
> partition's
> > >>lifetime?
> > >
> > >The UUID is actually a filesystem attribute, not a partition
> > >attribute...
> >
> > This depends on the partition format in use. For example GPT, and
> > maybe others, provide an additional UUID for partititons (actually
> > GPT even supports Labels):
> >
> > $ sudo blkid -p /dev/sda1
> > /dev/sda1: LABEL="data_usb"
> > UUID="9b70c4bf-6b40-4be3-9cb7-030db682ad35" VERSION="1.0"
> > TYPE="ext4" USAGE="filesystem" PART_ENTRY_SCHEME="gpt"
> > PART_ENTRY_UUID="3d18a590-d329-4a82-be02-c3588098d625"
> > PART_ENTRY_TYPE="0fc63daf-8483-4772-8e79-3d69d8477de4"
> > PART_ENTRY_NUMBER="1" PART_ENTRY_OFFSET="2048"
> > PART_ENTRY_SIZE="3907027087" PART_ENTRY_DISK="8:0"
> >
> > Whereas dos/mbr does not:
> >
> > $sudo blkid -p /dev/sda1
> > /dev/sda1: UUID="b786a3a4-26e7-4765-aed1-9bc472522c06" VERSION="1.0"
> > TYPE="ext4" USAGE="filesystem" PART_ENTRY_SCHEME="dos"
> > PART_ENTRY_TYPE="0x83" PART_ENTRY_FLAGS="0x80" PART_ENTRY_NUMBER="1"
> > PART_ENTRY_OFFSET="2048" PART_ENTRY_SIZE="63997952"
> > PART_ENTRY_DISK="8:0"
> >
> > While the GPT UUID should never change, it might happen if some
> > bogus resizing tool is used.
> >
> > So, if a LUKS-UUID is available I would always prefer it and only
> > fall back to partition UUIDs when not using LUKS.
> >
> > Regards,
> > Marc
>
> Interesting. Seems (again), my view of things is too simplistic ;-)
>
> Anyways, the gist is that change of UUIDs is not something that
> should ordionarily happen during the lifetime of whatever
> carries it.
>
> Arno
> --
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> One of the painful things about our time is that those who feel certainty
> are stupid, and those with any imagination and understanding are filled
> with doubt and indecision. -- Bertrand Russell
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>

[-- Attachment #2: Type: text/html, Size: 3808 bytes --]

Re: [dm-crypt] UUID question

[Sven Eschenberg]

cryptsetup luksUUID <dev> will return the luks header's UUID if <dev>
holds a luks header, and yes, this should usually not change the same way
as the UUID of a filesystem souldn't.

There's 2 problems though:

1.) You'd have to know <dev> in advance or iterate over all possible (non
locked) blockdevices (which is what blkid usually does anyway for you)

2.) a blockdev could possibly hold a luks header and still be part of a md
device (depending on metadata version), you'd better hope that the md
device is set up already, when you issue your cryptsetup commands.

Concerning the original question:

The UUID within the LUKS header should not change throughout the LUKS
volume's lifetime, except for enforced changes (as noted before).

To associated keys based on luks UUID, using something like:
'blkid -t TYPE="crypto_LUKS" -s UUID'
is probably a good starting point, as it gives you the UUID to retrieve
the keys based on the UUID and the device inode you'd use on further calls
to cryptsetup etc. - The rest is just a little shell magic ;-)

Regards

-Sven


On Tue, December 18, 2012 17:46, David Li wrote:
> cryptsetup luksUUID <dev> also shows UUID, Perhaps this is the luks UUID
> that is independent of the partition format.
>
>
> On Tue, Dec 18, 2012 at 12:57 AM, Arno Wagner <arno@wagner.name> wrote:
>
>> On Tue, Dec 18, 2012 at 09:12:01AM +0100, Marc Ballarin wrote:
>> > Am 18.12.2012 01:36, schrieb Arno Wagner:
>> > >On Mon, Dec 17, 2012 at 04:10:50PM -0800, David Li wrote:
>> > >>Hi, I wonder if the dm-crypt partition UUID (shown in blkid -p
>> <dev>)
>> can
>> > >>be used to uniquely associate it with the set of keys the partition
>> will
>> > >>need. Are there any cases that the UUID would change during the
>> partition's
>> > >>lifetime?
>> > >
>> > >The UUID is actually a filesystem attribute, not a partition
>> > >attribute...
>> >
>> > This depends on the partition format in use. For example GPT, and
>> > maybe others, provide an additional UUID for partititons (actually
>> > GPT even supports Labels):
>> >
>> > $ sudo blkid -p /dev/sda1
>> > /dev/sda1: LABEL="data_usb"
>> > UUID="9b70c4bf-6b40-4be3-9cb7-030db682ad35" VERSION="1.0"
>> > TYPE="ext4" USAGE="filesystem" PART_ENTRY_SCHEME="gpt"
>> > PART_ENTRY_UUID="3d18a590-d329-4a82-be02-c3588098d625"
>> > PART_ENTRY_TYPE="0fc63daf-8483-4772-8e79-3d69d8477de4"
>> > PART_ENTRY_NUMBER="1" PART_ENTRY_OFFSET="2048"
>> > PART_ENTRY_SIZE="3907027087" PART_ENTRY_DISK="8:0"
>> >
>> > Whereas dos/mbr does not:
>> >
>> > $sudo blkid -p /dev/sda1
>> > /dev/sda1: UUID="b786a3a4-26e7-4765-aed1-9bc472522c06" VERSION="1.0"
>> > TYPE="ext4" USAGE="filesystem" PART_ENTRY_SCHEME="dos"
>> > PART_ENTRY_TYPE="0x83" PART_ENTRY_FLAGS="0x80" PART_ENTRY_NUMBER="1"
>> > PART_ENTRY_OFFSET="2048" PART_ENTRY_SIZE="63997952"
>> > PART_ENTRY_DISK="8:0"
>> >
>> > While the GPT UUID should never change, it might happen if some
>> > bogus resizing tool is used.
>> >
>> > So, if a LUKS-UUID is available I would always prefer it and only
>> > fall back to partition UUIDs when not using LUKS.
>> >
>> > Regards,
>> > Marc
>>
>> Interesting. Seems (again), my view of things is too simplistic ;-)
>>
>> Anyways, the gist is that change of UUIDs is not something that
>> should ordionarily happen during the lifetime of whatever
>> carries it.
>>
>> Arno
>> --
>> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email:
>> arno@wagner.name
>> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D
>> 9718
>> ----
>> One of the painful things about our time is that those who feel
>> certainty
>> are stupid, and those with any imagination and understanding are filled
>> with doubt and indecision. -- Bertrand Russell
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>

Re: [dm-crypt] UUID question

[Yaron Sheffer]

Hi Sven,

a quick correction: blkid is (surprisingly) not smart enough, and your 
command line results in duplicates. Both the /dev (e.g. /dev/sdg) and 
the equivalent /dev/disk/by-uuid are listed.

So you want to use:

blkid -t TYPE="crypto_LUKS" -s UUID /dev/disk/by-uuid/*

(tested on Ubuntu 10.04 Lucid).

Thanks,
     Yaron

On 12/20/2012 01:00 PM, dm-crypt-request@saout.de wrote:
> Date: Thu, 20 Dec 2012 00:30:23 +0100
> From: "Sven Eschenberg" <sven@whgl.uni-frankfurt.de>
> To: dm-crypt@saout.de
> Subject: Re: [dm-crypt] UUID question
> Message-ID:
> 	<18e39b1120b315e7553bdb330e5103c5.squirrel@ssl.verfeiert.org>
> Content-Type: text/plain;charset=utf-8
>
> cryptsetup luksUUID <dev> will return the luks header's UUID if <dev>
> holds a luks header, and yes, this should usually not change the same way
> as the UUID of a filesystem souldn't.
>
> There's 2 problems though:
>
> 1.) You'd have to know <dev> in advance or iterate over all possible (non
> locked) blockdevices (which is what blkid usually does anyway for you)
>
> 2.) a blockdev could possibly hold a luks header and still be part of a md
> device (depending on metadata version), you'd better hope that the md
> device is set up already, when you issue your cryptsetup commands.
>
> Concerning the original question:
>
> The UUID within the LUKS header should not change throughout the LUKS
> volume's lifetime, except for enforced changes (as noted before).
>
> To associated keys based on luks UUID, using something like:
> 'blkid -t TYPE="crypto_LUKS" -s UUID'
> is probably a good starting point, as it gives you the UUID to retrieve
> the keys based on the UUID and the device inode you'd use on further calls
> to cryptsetup etc. - The rest is just a little shell magic ;-)
>
> Regards
>
> -Sven
>
>

Re: [dm-crypt] UUID question

[Sven Eschenberg]

Hi Yaron,

Old bugs it seems. Neither my gentoo box, nor a Ubuntu 12.10 showed the
behavior you describe. Can you verify that the entries under
/dev/disk/by-uuid/ are softlinks on Lucid?

Regards

-Sven

On Thu, December 20, 2012 12:16, Yaron Sheffer wrote:
> Hi Sven,
>
> a quick correction: blkid is (surprisingly) not smart enough, and your
> command line results in duplicates. Both the /dev (e.g. /dev/sdg) and
> the equivalent /dev/disk/by-uuid are listed.
>
> So you want to use:
>
> blkid -t TYPE="crypto_LUKS" -s UUID /dev/disk/by-uuid/*
>
> (tested on Ubuntu 10.04 Lucid).
>
> Thanks,
>      Yaron
>
> On 12/20/2012 01:00 PM, dm-crypt-request@saout.de wrote:
>> Date: Thu, 20 Dec 2012 00:30:23 +0100
>> From: "Sven Eschenberg" <sven@whgl.uni-frankfurt.de>
>> To: dm-crypt@saout.de
>> Subject: Re: [dm-crypt] UUID question
>> Message-ID:
>> 	<18e39b1120b315e7553bdb330e5103c5.squirrel@ssl.verfeiert.org>
>> Content-Type: text/plain;charset=utf-8
>>
>> cryptsetup luksUUID <dev> will return the luks header's UUID if <dev>
>> holds a luks header, and yes, this should usually not change the same
>> way
>> as the UUID of a filesystem souldn't.
>>
>> There's 2 problems though:
>>
>> 1.) You'd have to know <dev> in advance or iterate over all possible
>> (non
>> locked) blockdevices (which is what blkid usually does anyway for you)
>>
>> 2.) a blockdev could possibly hold a luks header and still be part of a
>> md
>> device (depending on metadata version), you'd better hope that the md
>> device is set up already, when you issue your cryptsetup commands.
>>
>> Concerning the original question:
>>
>> The UUID within the LUKS header should not change throughout the LUKS
>> volume's lifetime, except for enforced changes (as noted before).
>>
>> To associated keys based on luks UUID, using something like:
>> 'blkid -t TYPE="crypto_LUKS" -s UUID'
>> is probably a good starting point, as it gives you the UUID to retrieve
>> the keys based on the UUID and the device inode you'd use on further
>> calls
>> to cryptsetup etc. - The rest is just a little shell magic ;-)
>>
>> Regards
>>
>> -Sven
>>
>>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>