[dm-crypt] Can't access a LUKS encrypted partition

[dm-crypt] Can't access a LUKS encrypted partition

[jeff.esquivel]

[-- Attachment #1: Type: text/plain, Size: 6222 bytes --]

Hi everyone,

I'm trying to access an encrypted partition on an external USB hard drive
(WD My Passport Slim) but I get this:

$ sudo cryptsetup -v luksOpen /dev/sdb1 securepart
Enter passphrase for /dev/sdb1:
No key available with this passphrase.

Some background information on the issue:

DAY 1

I received this new external hard drive some days ago, the first thing I
did was run badblocks on it (while at the same time writing it with random
data), like this (on that day I had other USB disk plugged in before, which
is why I'm was working with sdc instead of sdb as stated above):

$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sdc

Then I created a new DOS partition table (using fdisk) and then a new
primary partition that spanned the whole disk, and after that I created a
new LUKS volumen on the new partition as this:

$ sudo cryptsetup --verify-passphrase luksFormat /dev/sdc1 -c aes -s 256 -h
sha256
$ sudo cryptsetup luksOpen /dev/sdc1 secure
$ sudo mkfs -t ext4 -m 0 /dev/mapper/secure
$ sudo cryptsetup luksClose secure

I then disconnected and reconnected the disk to see if Ubuntu (I'm using
14.04 on 64 bits) would recognize it. It did and asked me for the
passphrase on a window, I entered it and worked correctly, I then proceeded
to copy some unimportant big files (more than 50GB) from the other USB disk
I had plugged in. Another detail which may be important, I had the LUKS
disk connected through a USB  hub (which also has an ethernet card on the
same physical device).

DAY 2

I connected both disks again, when Ubuntu asked me for the LUKS passphrase
I entered it and it worked as expected, I proceeded to copy some more
unimportant files from the other USB disk to the LUKS partition (about
150GB at least). I disconnected and reconnected the disk at least twice
this day and everything worked OK.

DAY 3

Same as day before, the encrypted partition unlocked without a problem, I
proceeded to copy all of my important files from the other USB disk to the
encrypted partition (about 200GB), this day I used the USB hub/ethernet
card again to connect the external hard drive that had the LUKS partition
(I mention this because I also have a wireless mouse that works with an USB
receiver that was plugged to the same USB hub and noticed some laggyness
when using this mouse, I thought it was related to the amount of bandwidth
being used by the drive while copying all of my files).


DAY 4

I plugged the external hard drive, Ubuntu asks me for my passphrase and it
won't work, at first I thought it was a typo or something and tried again,
but failed again, I then typed the passphrase on a text editor and then
cut+paste it into the windows that was asking me for it and it didn't work
either. I tried one more time, this time from the command line, and I got
the error shown above ("No key available...").

THINGS I'VE TRIED

I search the Internet for a possible cause and fix, I found some threads on
this list (and other places) where people had inadvertently overwritten
their LUKS header while booting another distro that thought the LUKS
partition was some swap partition, but I don't think this applies to me as
1) There was never a swap partition on this disk 2) I haven't booted or
even connected this specific hard drive to other distro/computer.

I also ran the recommended isLuks command and the keyslot_checker tool to
see if there was any indication of header corruption, but it seems like
that's not the issue:

$ sudo cryptsetup -v isLuks /dev/sdb1
Command successful.

$ sudo ./chk_luks_keyslots -v /dev/sdb1

parameters (commandline and LUKS header):
  sector size: 512
  threshold:   0.900000

- processing keyslot 0:  start: 0x001000   end: 0x020400
- processing keyslot 1:  keyslot not in use
- processing keyslot 2:  keyslot not in use
- processing keyslot 3:  keyslot not in use
- processing keyslot 4:  keyslot not in use
- processing keyslot 5:  keyslot not in use
- processing keyslot 6:  keyslot not in use
- processing keyslot 7:  keyslot not in use

Also, this is the output from luksDump:

$ sudo cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:           1
Cipher name:       aes
Cipher mode:       cbc-plain
Hash spec:         sha256
Payload offset:    4096
MK bits:           256
MK digest:         a5 61 25 03 2e 98 5a 48 d1 62 c6 fc dd ca 1f b8 9d c5 09
a8
MK salt:           b4 6f 62 bc 0c 81 6a 57 6e 6f 21 54 70 df 89 62
                   0a 69 e9 eb 38 6c 45 8d 82 a2 85 64 3f c7 09 9d
MK iterations:     27875
UUID:              e747b7df-3086-455e-9f8d-71cb76d1f534

Key Slot 0: ENABLED
    Iterations:             123076
    Salt:                   af cc 4c eb 24 e5 0b 7a 6d fd b1 4c d1 da 3a f1
                              97 bb 96 6d 65 a4 f5 36 68 66 e9 40 b8 70 f9
d1
    Key material offset:    8
    AF stripes:                4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

So, up to this moment I have three hypothesis:

1) There is something that changed on my system that broke cryptsetup's
behaviour making it unable to open my encrypted partition (is this
possible? for example, if there was some module missing from my kernel or
if I installed some new package that could have changed something).

2) I entered my passphrase incorrectly when luksFormat'ing, and then
proceeded to enter it incorrectly the next 4 times I unlocked the partition
(just in case, I generated about 700 different possible combinations using
the most common typos I could've made when entering my passphrase and then
used the crypt_dict tool to test them unsuccessfully).

3) There was some issue with the hub I was using which meant that some data
could have been written incorrectly to encrypted partition's header (is
this possible? I mean, I was copying files to the partition, I don't see
how that could affect the header, but maybe when unmounting the partition
the header gets written to, I don't know).

Any help would be greatly appreciated.

Thank you for your time,


PS: Please CC me, as I'm not subscribed to this list and excuse my english
as I'm s not a native speaker.

-- 
Jeffrey Esquivel S.

[-- Attachment #2: Type: text/html, Size: 7011 bytes --]

Re: [dm-crypt] Can't access a LUKS encrypted partition

[Konstantin Bläsi]

[-- Attachment #1: Type: text/plain, Size: 7110 bytes --]

On 08/11/2014 03:58 AM, jeff.esquivel@gmail.com wrote:
> Hi everyone,
>
> I'm trying to access an encrypted partition on an external USB hard
> drive (WD My Passport Slim) but I get this:
>
> $ sudo cryptsetup -v luksOpen /dev/sdb1 securepart
> Enter passphrase for /dev/sdb1:
> No key available with this passphrase.
>
> Some background information on the issue:
>
> DAY 1
>
> I received this new external hard drive some days ago, the first thing
> I did was run badblocks on it (while at the same time writing it with
> random data), like this (on that day I had other USB disk plugged in
> before, which is why I'm was working with sdc instead of sdb as stated
> above):
>
> $ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sdc
>
> Then I created a new DOS partition table (using fdisk) and then a new
> primary partition that spanned the whole disk, and after that I
> created a new LUKS volumen on the new partition as this:
>
> $ sudo cryptsetup --verify-passphrase luksFormat /dev/sdc1 -c aes -s
> 256 -h sha256
> $ sudo cryptsetup luksOpen /dev/sdc1 secure
> $ sudo mkfs -t ext4 -m 0 /dev/mapper/secure
> $ sudo cryptsetup luksClose secure
>
> I then disconnected and reconnected the disk to see if Ubuntu (I'm
> using 14.04 on 64 bits) would recognize it. It did and asked me for
> the passphrase on a window, I entered it and worked correctly, I then
> proceeded to copy some unimportant big files (more than 50GB) from the
> other USB disk I had plugged in. Another detail which may be
> important, I had the LUKS disk connected through a USB  hub (which
> also has an ethernet card on the same physical device).
>
> DAY 2
>
> I connected both disks again, when Ubuntu asked me for the LUKS
> passphrase I entered it and it worked as expected, I proceeded to copy
> some more unimportant files from the other USB disk to the LUKS
> partition (about 150GB at least). I disconnected and reconnected the
> disk at least twice this day and everything worked OK.
>
> DAY 3
>
> Same as day before, the encrypted partition unlocked without a
> problem, I proceeded to copy all of my important files from the other
> USB disk to the encrypted partition (about 200GB), this day I used the
> USB hub/ethernet card again to connect the external hard drive that
> had the LUKS partition (I mention this because I also have a wireless
> mouse that works with an USB receiver that was plugged to the same USB
> hub and noticed some laggyness when using this mouse, I thought it was
> related to the amount of bandwidth being used by the drive while
> copying all of my files).
>
>
> DAY 4
>
> I plugged the external hard drive, Ubuntu asks me for my passphrase
> and it won't work, at first I thought it was a typo or something and
> tried again, but failed again, I then typed the passphrase on a text
> editor and then cut+paste it into the windows that was asking me for
> it and it didn't work either. I tried one more time, this time from
> the command line, and I got the error shown above ("No key available...").
>
> THINGS I'VE TRIED
>
> I search the Internet for a possible cause and fix, I found some
> threads on this list (and other places) where people had inadvertently
> overwritten their LUKS header while booting another distro that
> thought the LUKS partition was some swap partition, but I don't think
> this applies to me as 1) There was never a swap partition on this disk
> 2) I haven't booted or even connected this specific hard drive to
> other distro/computer.
>
> I also ran the recommended isLuks command and the keyslot_checker tool
> to see if there was any indication of header corruption, but it seems
> like that's not the issue:
>
> $ sudo cryptsetup -v isLuks /dev/sdb1
> Command successful.
>
> $ sudo ./chk_luks_keyslots -v /dev/sdb1
>
> parameters (commandline and LUKS header):
>   sector size: 512
>   threshold:   0.900000
>
> - processing keyslot 0:  start: 0x001000   end: 0x020400
> - processing keyslot 1:  keyslot not in use
> - processing keyslot 2:  keyslot not in use
> - processing keyslot 3:  keyslot not in use
> - processing keyslot 4:  keyslot not in use
> - processing keyslot 5:  keyslot not in use
> - processing keyslot 6:  keyslot not in use
> - processing keyslot 7:  keyslot not in use
>
> Also, this is the output from luksDump:
>
> $ sudo cryptsetup luksDump /dev/sdb1
> LUKS header information for /dev/sdb1
>
> Version:           1
> Cipher name:       aes
> Cipher mode:       cbc-plain
> Hash spec:         sha256
> Payload offset:    4096
> MK bits:           256
> MK digest:         a5 61 25 03 2e 98 5a 48 d1 62 c6 fc dd ca 1f b8 9d
> c5 09 a8
> MK salt:           b4 6f 62 bc 0c 81 6a 57 6e 6f 21 54 70 df 89 62
>                    0a 69 e9 eb 38 6c 45 8d 82 a2 85 64 3f c7 09 9d
> MK iterations:     27875
> UUID:              e747b7df-3086-455e-9f8d-71cb76d1f534
>
> Key Slot 0: ENABLED
>     Iterations:             123076
>     Salt:                   af cc 4c eb 24 e5 0b 7a 6d fd b1 4c d1 da
> 3a f1
>                               97 bb 96 6d 65 a4 f5 36 68 66 e9 40 b8
> 70 f9 d1
>     Key material offset:    8
>     AF stripes:                4000
> Key Slot 1: DISABLED
> Key Slot 2: DISABLED
> Key Slot 3: DISABLED
> Key Slot 4: DISABLED
> Key Slot 5: DISABLED
> Key Slot 6: DISABLED
> Key Slot 7: DISABLED
>
> So, up to this moment I have three hypothesis:
>
> 1) There is something that changed on my system that broke
> cryptsetup's behaviour making it unable to open my encrypted partition
> (is this possible? for example, if there was some module missing from
> my kernel or if I installed some new package that could have changed
> something).
>
> 2) I entered my passphrase incorrectly when luksFormat'ing, and then
> proceeded to enter it incorrectly the next 4 times I unlocked the
> partition (just in case, I generated about 700 different possible
> combinations using the most common typos I could've made when entering
> my passphrase and then used the crypt_dict tool to test them
> unsuccessfully).
>
> 3) There was some issue with the hub I was using which meant that some
> data could have been written incorrectly to encrypted partition's
> header (is this possible? I mean, I was copying files to the
> partition, I don't see how that could affect the header, but maybe
> when unmounting the partition the header gets written to, I don't know).
>
> Any help would be greatly appreciated.
>
> Thank you for your time,
>
>
> PS: Please CC me, as I'm not subscribed to this list and excuse my
> english as I'm s not a native speaker.
>
> -- 
> Jeffrey Esquivel S.
>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

Hi,

make sure all required kernel modules are _loaded_ before using
cryptsetup (a few bugs have been discovered lately depending on that
condition).
Did you try some live iso image like systemrescuecd?
I found a case where the latest kbd package (responsible for the
keyboard layout) broke the correct entry of the password:
https://bbs.archlinux.org/viewtopic.php?id=169408

Greetings ;)

[-- Attachment #2: Type: text/html, Size: 10900 bytes --]

Re: [dm-crypt] Can't access a LUKS encrypted partition

[jeff.esquivel]

[-- Attachment #1: Type: text/plain, Size: 2447 bytes --]

Hi Konstanin,


On Sun, Aug 10, 2014 at 11:37 PM, Konstantin Bläsi <ktrackfd@googlemail.com>
wrote:

[...]


> Hi,
>
> make sure all required kernel modules are _loaded_ before using cryptsetup
> (a few bugs have been discovered lately depending on that condition).
>

I just tried after modprobe'ing dm-crypt, aes and sha256, the only error I
got was this:

$ sudo modprobe aes
modprobe: ERROR: could not insert 'padlock_aes': No such device

But lsmod shows that there is at least one aes module loaded (I think it is
a hardware accelerated version of AES):

$ lsmod | grep aes
aesni_intel           152648  5634
aes_x86_64             17131  1 aesni_intel
lrw                    13323  1 aesni_intel
glue_helper            14095  1 aesni_intel
ablk_helper            13597  1 aesni_intel
cryptd                 20531  2818
ghash_clmulni_intel,aesni_intel,ablk_helper

Another thing that may be important, I was following a guide (
https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage)
when setting up LUKS and it recommended that I created the a modprobe alias
file in case of failure when loading the modules, so I did (I added alias
aes aes_generic to /etc/modprobe/aliases.conf), but it failed with a
different error:

$ sudo modprobe aes
modprobe: ERROR: ../libkmod/libkmod-module.c:809
kmod_module_insert_module() could not find module by name='aes_generic'
modprobe: ERROR: could not insert 'aes_generic': Function not implemented

So I removed that alias altogether (this was the day I was creating the
encrypted volume). I already tried to unlock the volume both ways (with
that alias present and without it) and neither way has worked.


> Did you try some live iso image like systemrescuecd?
>

I haven't tried this yet as I'm afraid that could make things worse (in
case there is some weird bug like the swap bug mentioned in my first
e-mail), but if you think it is worth trying, I'll do so.


> I found a case where the latest kbd package (responsible for the keyboard
> layout) broke the correct entry of the password:
> https://bbs.archlinux.org/viewtopic.php?id=169408
>

Ok, I'll take a look and see if that could apply here (but I'm not
optimistic as I already tried entering my password on Gedit and then
copy+paste it into cryptsetup's prompt).


>  Greetings ;)
>

Thank you very much for your reply.


-- 
Jeffrey Esquivel S.

[-- Attachment #2: Type: text/html, Size: 3869 bytes --]

Re: [dm-crypt] Can't access a LUKS encrypted partition

[Arno Wagner]

Most likely scenario: Something else changed in the password-input
chain. Do you have any non-ISO-7bit chars in your passphrase? These
will change their binary value when going to Unicode. You 
mau also have characters switched because of a keyboard-layout
issue.

The FAQ has more info in item 1.2

Also note that asking a question on a mailing-list without 
subscribing is a sure way to miss answers and generally 
not a good idea. What you do is to subscribe, ask, and
when things are cleared up, unsubscribe.

Arno


On Mon, Aug 11, 2014 at 03:58:36 CEST, jeff.esquivel@gmail.com wrote:
> Hi everyone,
> 
> I'm trying to access an encrypted partition on an external USB hard drive
> (WD My Passport Slim) but I get this:
> 
> $ sudo cryptsetup -v luksOpen /dev/sdb1 securepart
> Enter passphrase for /dev/sdb1:
> No key available with this passphrase.
> 
> Some background information on the issue:
> 
> DAY 1
> 
> I received this new external hard drive some days ago, the first thing I
> did was run badblocks on it (while at the same time writing it with random
> data), like this (on that day I had other USB disk plugged in before, which
> is why I'm was working with sdc instead of sdb as stated above):
> 
> $ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sdc
> 
> Then I created a new DOS partition table (using fdisk) and then a new
> primary partition that spanned the whole disk, and after that I created a
> new LUKS volumen on the new partition as this:
> 
> $ sudo cryptsetup --verify-passphrase luksFormat /dev/sdc1 -c aes -s 256 -h
> sha256
> $ sudo cryptsetup luksOpen /dev/sdc1 secure
> $ sudo mkfs -t ext4 -m 0 /dev/mapper/secure
> $ sudo cryptsetup luksClose secure
> 
> I then disconnected and reconnected the disk to see if Ubuntu (I'm using
> 14.04 on 64 bits) would recognize it. It did and asked me for the
> passphrase on a window, I entered it and worked correctly, I then proceeded
> to copy some unimportant big files (more than 50GB) from the other USB disk
> I had plugged in. Another detail which may be important, I had the LUKS
> disk connected through a USB  hub (which also has an ethernet card on the
> same physical device).
> 
> DAY 2
> 
> I connected both disks again, when Ubuntu asked me for the LUKS passphrase
> I entered it and it worked as expected, I proceeded to copy some more
> unimportant files from the other USB disk to the LUKS partition (about
> 150GB at least). I disconnected and reconnected the disk at least twice
> this day and everything worked OK.
> 
> DAY 3
> 
> Same as day before, the encrypted partition unlocked without a problem, I
> proceeded to copy all of my important files from the other USB disk to the
> encrypted partition (about 200GB), this day I used the USB hub/ethernet
> card again to connect the external hard drive that had the LUKS partition
> (I mention this because I also have a wireless mouse that works with an USB
> receiver that was plugged to the same USB hub and noticed some laggyness
> when using this mouse, I thought it was related to the amount of bandwidth
> being used by the drive while copying all of my files).
> 
> 
> DAY 4
> 
> I plugged the external hard drive, Ubuntu asks me for my passphrase and it
> won't work, at first I thought it was a typo or something and tried again,
> but failed again, I then typed the passphrase on a text editor and then
> cut+paste it into the windows that was asking me for it and it didn't work
> either. I tried one more time, this time from the command line, and I got
> the error shown above ("No key available...").
> 
> THINGS I'VE TRIED
> 
> I search the Internet for a possible cause and fix, I found some threads on
> this list (and other places) where people had inadvertently overwritten
> their LUKS header while booting another distro that thought the LUKS
> partition was some swap partition, but I don't think this applies to me as
> 1) There was never a swap partition on this disk 2) I haven't booted or
> even connected this specific hard drive to other distro/computer.
> 
> I also ran the recommended isLuks command and the keyslot_checker tool to
> see if there was any indication of header corruption, but it seems like
> that's not the issue:
> 
> $ sudo cryptsetup -v isLuks /dev/sdb1
> Command successful.
> 
> $ sudo ./chk_luks_keyslots -v /dev/sdb1
> 
> parameters (commandline and LUKS header):
>   sector size: 512
>   threshold:   0.900000
> 
> - processing keyslot 0:  start: 0x001000   end: 0x020400
> - processing keyslot 1:  keyslot not in use
> - processing keyslot 2:  keyslot not in use
> - processing keyslot 3:  keyslot not in use
> - processing keyslot 4:  keyslot not in use
> - processing keyslot 5:  keyslot not in use
> - processing keyslot 6:  keyslot not in use
> - processing keyslot 7:  keyslot not in use
> 
> Also, this is the output from luksDump:
> 
> $ sudo cryptsetup luksDump /dev/sdb1
> LUKS header information for /dev/sdb1
> 
> Version:           1
> Cipher name:       aes
> Cipher mode:       cbc-plain
> Hash spec:         sha256
> Payload offset:    4096
> MK bits:           256
> MK digest:         a5 61 25 03 2e 98 5a 48 d1 62 c6 fc dd ca 1f b8 9d c5 09
> a8
> MK salt:           b4 6f 62 bc 0c 81 6a 57 6e 6f 21 54 70 df 89 62
>                    0a 69 e9 eb 38 6c 45 8d 82 a2 85 64 3f c7 09 9d
> MK iterations:     27875
> UUID:              e747b7df-3086-455e-9f8d-71cb76d1f534
> 
> Key Slot 0: ENABLED
>     Iterations:             123076
>     Salt:                   af cc 4c eb 24 e5 0b 7a 6d fd b1 4c d1 da 3a f1
>                               97 bb 96 6d 65 a4 f5 36 68 66 e9 40 b8 70 f9
> d1
>     Key material offset:    8
>     AF stripes:                4000
> Key Slot 1: DISABLED
> Key Slot 2: DISABLED
> Key Slot 3: DISABLED
> Key Slot 4: DISABLED
> Key Slot 5: DISABLED
> Key Slot 6: DISABLED
> Key Slot 7: DISABLED
> 
> So, up to this moment I have three hypothesis:
> 
> 1) There is something that changed on my system that broke cryptsetup's
> behaviour making it unable to open my encrypted partition (is this
> possible? for example, if there was some module missing from my kernel or
> if I installed some new package that could have changed something).
> 
> 2) I entered my passphrase incorrectly when luksFormat'ing, and then
> proceeded to enter it incorrectly the next 4 times I unlocked the partition
> (just in case, I generated about 700 different possible combinations using
> the most common typos I could've made when entering my passphrase and then
> used the crypt_dict tool to test them unsuccessfully).
> 
> 3) There was some issue with the hub I was using which meant that some data
> could have been written incorrectly to encrypted partition's header (is
> this possible? I mean, I was copying files to the partition, I don't see
> how that could affect the header, but maybe when unmounting the partition
> the header gets written to, I don't know).
> 
> Any help would be greatly appreciated.
> 
> Thank you for your time,
> 
> 
> PS: Please CC me, as I'm not subscribed to this list and excuse my english
> as I'm s not a native speaker.
> 
> -- 
> Jeffrey Esquivel S.

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato

Re: [dm-crypt] Can't access a LUKS encrypted partition

[jeff.esquivel]

[-- Attachment #1: Type: text/plain, Size: 1369 bytes --]

Hi Arno,


On Mon, Aug 11, 2014 at 4:07 AM, Arno Wagner <arno@wagner.name> wrote:

> Most likely scenario: Something else changed in the password-input
> chain. Do you have any non-ISO-7bit chars in your passphrase? These
> will change their binary value when going to Unicode. You
> mau also have characters switched because of a keyboard-layout
> issue.
>

Sorry, I forgot to add that to my first e-mail, my password is made up of
only non-ISO-7bit ASCII characters (as checked on this table:
http://en.wikipedia.org/wiki/ASCII#ASCII_printable_code_chart) and since I
installed this OS (which was about a couple weeks before getting the new
hard disk) I've only had two layouts on it: US and US International. Is
copy+paste the passphrase from a text editor a good way to avoid both of
these issues or would that fail too?

The FAQ has more info in item 1.2
>
> Also note that asking a question on a mailing-list without
> subscribing is a sure way to miss answers and generally
> not a good idea. What you do is to subscribe, ask, and
> when things are cleared up, unsubscribe.
>

Ok, thanks for the information, I already subscribed. Sorry for not reading
the whole FAQ before, I just looked at the bits that seemed to be related
to my problem, but I'll make sure I read the whole thing today.


Thank you very much for your reply.

[...]


-- 
Jeffrey Esquivel S.

[-- Attachment #2: Type: text/html, Size: 2068 bytes --]

Re: [dm-crypt] Can't access a LUKS encrypted partition

[Arno Wagner]

On Mon, Aug 11, 2014 at 17:29:25 CEST, jeff.esquivel@gmail.com wrote:
> Hi Arno,
> 
> 
> On Mon, Aug 11, 2014 at 4:07 AM, Arno Wagner <arno@wagner.name> wrote:
> 
> > Most likely scenario: Something else changed in the password-input
> > chain. Do you have any non-ISO-7bit chars in your passphrase? These
> > will change their binary value when going to Unicode. You
> > mau also have characters switched because of a keyboard-layout
> > issue.
> >
> 
> Sorry, I forgot to add that to my first e-mail, my password is made up of
> only non-ISO-7bit ASCII characters (as checked on this table:
> http://en.wikipedia.org/wiki/ASCII#ASCII_printable_code_chart) and since I
> installed this OS (which was about a couple weeks before getting the new
> hard disk) I've only had two layouts on it: US and US International. Is
> copy+paste the passphrase from a text editor a good way to avoid both of
> these issues or would that fail too?

I think there is a misunderstanding here: 
   ISO-7bit = original 7 bit ASCII.

Do you only have chars from the table you link? If so, you have only
ISO-7bit chars. As the US-international layout has only ISO-7bit 
chars on it, inputting anything else would be pretty difficult with 
that layout.

As to text-editor: That has the same issues, except for the
keyboard layout. 

(If you do not use any of the original ASCII/ISO-7bit chars,
I would be curious how you enter them with an US keyboard.
Windows-key remapped to compose?)

I still suspect you switched locales at some point or there
is a dropped line-ending or something like that. Did you
use cryptsetup directly before and after it stopped working?
Same shell? Tried to switch y and z? Some capitalization-error?

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato

Re: [dm-crypt] Can't access a LUKS encrypted partition

[jeff.esquivel]

[-- Attachment #1: Type: text/plain, Size: 3672 bytes --]

Hi Arno,


On Mon, Aug 11, 2014 at 11:45 AM, Arno Wagner <arno@wagner.name> wrote:

> On Mon, Aug 11, 2014 at 17:29:25 CEST, jeff.esquivel@gmail.com wrote:
> > Hi Arno,
> >
> >
> > On Mon, Aug 11, 2014 at 4:07 AM, Arno Wagner <arno@wagner.name> wrote:
> >
> > > Most likely scenario: Something else changed in the password-input
> > > chain. Do you have any non-ISO-7bit chars in your passphrase? These
> > > will change their binary value when going to Unicode. You
> > > mau also have characters switched because of a keyboard-layout
> > > issue.
> > >
> >
> > Sorry, I forgot to add that to my first e-mail, my password is made up of
> > only non-ISO-7bit ASCII characters (as checked on this table:
> > http://en.wikipedia.org/wiki/ASCII#ASCII_printable_code_chart) and
> since I
> > installed this OS (which was about a couple weeks before getting the new
> > hard disk) I've only had two layouts on it: US and US International. Is
> > copy+paste the passphrase from a text editor a good way to avoid both of
> > these issues or would that fail too?
>
> I think there is a misunderstanding here:
>    ISO-7bit = original 7 bit ASCII.
>
> Do you only have chars from the table you link? If so, you have only
> ISO-7bit chars. As the US-international layout has only ISO-7bit
> chars on it, inputting anything else would be pretty difficult with
> that layout.
>

Ok, I get it now, sorry, I thought only extended charsets used the ISO
abbreviation (such as ISO-8859-1, etc.), didn't know ASCII in itself was an
ISO standard. My passphrase uses only ISO-7bit characters (all of the
characters in my passphrase appear on the Wikipedia table I linked before).
I can also send you the password if it helps (I'm not using it for anything
important other than this).

As to text-editor: That has the same issues, except for the
> keyboard layout.
>

Ok, got it.


> (If you do not use any of the original ASCII/ISO-7bit chars,
> I would be curious how you enter them with an US keyboard.
> Windows-key remapped to compose?)
>

> I still suspect you switched locales at some point or there
> is a dropped line-ending or something like that. Did you
> use cryptsetup directly before and after it stopped working?
> Same shell? Tried to switch y and z? Some capitalization-error?
>

I did the formatting using cryptsetup directly on the command line, but all
of the successful unlocks where done using Ubuntu's window, something like
the one shown in this screenshot: http://www.imagebot.net/wally/1914 ,
after I couldn't unlock the partition with this method, I switched to
trying it on the command line directly (in case there was some Ubuntu/GTK
stuff that was getting in the way).

I have tried a lot of possible typos combinations (1536 to be exact, I
generated them with a tool that would generate all of the strings that
match a given regular expression and then thought about all the possible
typos I could make on this keyboard with this layout) using the crypt_dict
tool that came with the cryptsetup tarball.

Other information which may be important: I'm using cryptsetup 1.6.1 (and
compiled both crypt_dict and chk_luks_keyslots using that version's
tarball), also I'm using kernel 3.16.0-031600rc6-generic (because this new
machine has some quirks that are resolved only in the latest kernel
version).

Another could-be important fact: I tried stracing cryptsetup and I don't
see my passphrase anywhere (on the FAQ said that it may be possible that
the passphrase could be seen on an strace, but I don't know if that would
be in ASCII or as the hex value of each character).


Thank you very much for all the help, I really appreciate it,

-- 
Jeffrey Esquivel S.

[-- Attachment #2: Type: text/html, Size: 5121 bytes --]

Re: [dm-crypt] Can't access a LUKS encrypted partition

[Arno Wagner]

On Mon, Aug 11, 2014 at 21:07:37 CEST, jeff.esquivel@gmail.com wrote:
> Hi Arno,
>
> Ok, I get it now, sorry, I thought only extended charsets used the ISO
> abbreviation (such as ISO-8859-1, etc.), didn't know ASCII in itself was an
> ISO standard. 

The idea is that ISO-7bit is plain 7-bit ASCII. 

> My passphrase uses only ISO-7bit characters (all of the
> characters in my passphrase appear on the Wikipedia table I linked before).
> I can also send you the password if it helps (I'm not using it for anything
> important other than this).

No need. If it is plain ASCII, then character encoding is not
the issue at least not on the input side. Basically all encodings, 
including UTF-8 encode plain ASCII the same.
 
> As to text-editor: That has the same issues, except for the
> > keyboard layout.
> >
> 
> Ok, got it.
> 
> 
> > (If you do not use any of the original ASCII/ISO-7bit chars,
> > I would be curious how you enter them with an US keyboard.
> > Windows-key remapped to compose?)
> >
> 
> > I still suspect you switched locales at some point or there
> > is a dropped line-ending or something like that. Did you
> > use cryptsetup directly before and after it stopped working?
> > Same shell? Tried to switch y and z? Some capitalization-error?
> >
> 
> I did the formatting using cryptsetup directly on the command line, but all
> of the successful unlocks where done using Ubuntu's window, something like
> the one shown in this screenshot: http://www.imagebot.net/wally/1914 ,
> after I couldn't unlock the partition with this method, I switched to
> trying it on the command line directly (in case there was some Ubuntu/GTK
> stuff that was getting in the way).

Ok, so the initial setting was from commandline and you
tried it at the end with the commandline. Good.

> I have tried a lot of possible typos combinations (1536 to be exact, I
> generated them with a tool that would generate all of the strings that
> match a given regular expression and then thought about all the possible
> typos I could make on this keyboard with this layout) using the crypt_dict
> tool that came with the cryptsetup tarball.
> 
> Other information which may be important: I'm using cryptsetup 1.6.1 (and

That one is a bit older. Though I am using it too on some
machines.

> compiled both crypt_dict and chk_luks_keyslots using that version's
> tarball), also I'm using kernel 3.16.0-031600rc6-generic (because this new
> machine has some quirks that are resolved only in the latest kernel
> version).

That combination of ultra-new rc kernel (which also still may have 
bugs) and older cryptsetup is my next suspicion. 

Can you try with 1.6.5? Sources are linked here
   http://code.google.com/p/cryptsetup/wiki/Cryptsetup165

Also, can you try with something 3.10.x-ish? Even if you 
experience other issues you could try to unlock, geting
a root-shell would be enough for that.

> Another could-be important fact: I tried stracing cryptsetup and I don't
> see my passphrase anywhere (on the FAQ said that it may be possible that
> the passphrase could be seen on an strace, but I don't know if that would
> be in ASCII or as the hex value of each character).

That part I wrote last week ;-)

Strace output can change a lot with cryptsetup versions.
The example in the FAQ looks the same in 1.6.1 and 1.6.5 though.
Here is a bit more context (passphrase "test"):

write(6, "Enter passphrase for /root/f/luk"..., 39) = 39
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(6, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon -echo ...}) = 0
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon -echo ...}) = 0
read(6, "test\n", 512)                  = 5  
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon -echo ...}) = 0
ioctl(6, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo ...}) = 0
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
write(6, "\n", 1)                       = 1

If you do not find your passphrase in there, then it does 
not get to cryptsetup. The lines above are the very act of 
cryptsetup reading the passphrase chars from the terminal. 
If there is some hex in there insead, then you may have an 
encoding problem afetr all. The "Enter passphrase for..." should 
make it easy to find the place in any case. You can input any 
other passphrase for an strace recording BTW, the only thing 
different is that the unlock fails in that case.

> Thank you very much for all the help, I really appreciate it,

You are welcome. This also helps improving the FAQ, as sometimes
issues crop up that may hot others as well, but are not in 
there yet.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato

Re: [dm-crypt] Can't access a LUKS encrypted partition

[jeff.esquivel]

[-- Attachment #1: Type: text/plain, Size: 6428 bytes --]

Hi Arno,


On Mon, Aug 11, 2014 at 3:21 PM, Arno Wagner <arno@wagner.name> wrote:

> On Mon, Aug 11, 2014 at 21:07:37 CEST, jeff.esquivel@gmail.com wrote:
> > Hi Arno,
> >
> > Ok, I get it now, sorry, I thought only extended charsets used the ISO
> > abbreviation (such as ISO-8859-1, etc.), didn't know ASCII in itself was
> an
> > ISO standard.
>
> The idea is that ISO-7bit is plain 7-bit ASCII.
>

Ok, good to know it, he he.

 > My passphrase uses only ISO-7bit characters (all of the
> > characters in my passphrase appear on the Wikipedia table I linked
> before).
> > I can also send you the password if it helps (I'm not using it for
> anything
> > important other than this).
>
> No need. If it is plain ASCII, then character encoding is not
> the issue at least not on the input side. Basically all encodings,
> including UTF-8 encode plain ASCII the same.
>

Ok.


>  [...]
>
> > I did the formatting using cryptsetup directly on the command line, but
> all
> > of the successful unlocks where done using Ubuntu's window, something
> like
> > the one shown in this screenshot: http://www.imagebot.net/wally/1914 ,
> > after I couldn't unlock the partition with this method, I switched to
> > trying it on the command line directly (in case there was some Ubuntu/GTK
> > stuff that was getting in the way).
>
> Ok, so the initial setting was from commandline and you
> tried it at the end with the commandline. Good.
>
> > I have tried a lot of possible typos combinations (1536 to be exact, I
> > generated them with a tool that would generate all of the strings that
> > match a given regular expression and then thought about all the possible
> > typos I could make on this keyboard with this layout) using the
> crypt_dict
> > tool that came with the cryptsetup tarball.
> >
> > Other information which may be important: I'm using cryptsetup 1.6.1 (and
>
> That one is a bit older. Though I am using it too on some
> machines.
>
> > compiled both crypt_dict and chk_luks_keyslots using that version's
> > tarball), also I'm using kernel 3.16.0-031600rc6-generic (because this
> new
> > machine has some quirks that are resolved only in the latest kernel
> > version).
>
> That combination of ultra-new rc kernel (which also still may have
> bugs) and older cryptsetup is my next suspicion.
>
> Can you try with 1.6.5? Sources are linked here
>    http://code.google.com/p/cryptsetup/wiki/Cryptsetup165
>
> Also, can you try with something 3.10.x-ish? Even if you
> experience other issues you could try to unlock, geting
> a root-shell would be enough for that.
>

Sure, I can try the newest version. Would you recommend me that I do that
on the same machine (it may be a problem because it could conflict with the
already installed version of cryptsetup) or is it better if I do a clean
setup on a VM (I can attach the disk with USB passthrough)? If a clean
setup is recommended, is there any distro that would be better suited for
the job?

Same thing about trying an older kernel version (the older I can get
directly from Ubuntu in 14.04 is 3.13.x so I would need to recompile the
kernel to try on 3.10), so if a clean setup is recommended, I could do the
kernel compiling in there too.


>  > Another could-be important fact: I tried stracing cryptsetup and I don't
> > see my passphrase anywhere (on the FAQ said that it may be possible that
> > the passphrase could be seen on an strace, but I don't know if that would
> > be in ASCII or as the hex value of each character).
>
> That part I wrote last week ;-)
>

He he, I had good timing, then.


> Strace output can change a lot with cryptsetup versions.
> The example in the FAQ looks the same in 1.6.1 and 1.6.5 though.
> Here is a bit more context (passphrase "test"):
>
> write(6, "Enter passphrase for /root/f/luk"..., 39) = 39
> ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo
> ...}) = 0
> ioctl(6, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon -echo
> ...}) = 0
> ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon -echo
> ...}) = 0
> read(6, "test\n", 512)                  = 5
> ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon -echo
> ...}) = 0
> ioctl(6, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo
> ...}) = 0
> ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo
> ...}) = 0
> write(6, "\n", 1)                       = 1
>
> If you do not find your passphrase in there, then it does
> not get to cryptsetup. The lines above are the very act of
> cryptsetup reading the passphrase chars from the terminal.
> If there is some hex in there insead, then you may have an
> encoding problem afetr all. The "Enter passphrase for..." should
> make it easy to find the place in any case. You can input any
> other passphrase for an strace recording BTW, the only thing
> different is that the unlock fails in that case.
>

Ok, now with more context I did find the passphrase in strace's output, the
only strange things I noticed are:

1) That my passphrase contains a backslash (\) so it is shown duplicated (I
guess it's because the backslash needs escaping so that it won't be
confused with a control character, this is confirmed by the number after
the '=' that seems to be the character count, which is correctly shown when
the newline is taken into account).

2) That the actual text before and after the passphrase is a little bit
different from your example:

ioctl(6, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS,
{B38400 opost isig icanon -echo ...}) = 0

Also, the hex characters I saw before seem to be related to reading
/dev/urandom and then to reading something (I'm guessing it's the heading)
from the temporary crypsetup partition (it changes names, but on the last
try it was called /dev/mapper/temporary-cryptsetup-4805). One weird thing I
noticed here is that the hex characters returned from that temporary
partition are different between each passphrase try (but it could be that
the reading is being done from different places or something like that).


>
> > Thank you very much for all the help, I really appreciate it,
>
> You are welcome. This also helps improving the FAQ, as sometimes
> issues crop up that may hot others as well, but are not in
> there yet.
>

Ok, great, I promise that if we find the solution for this issue I'll write
a FAQ entry about it! :)


Thanks,

-- 
Jeffrey Esquivel S.

[-- Attachment #2: Type: text/html, Size: 8615 bytes --]

Re: [dm-crypt] Can't access a LUKS encrypted partition

[jeff.esquivel]

[-- Attachment #1: Type: text/plain, Size: 1213 bytes --]

Sorry, I forgot one thing on my last e-mail.


On Mon, Aug 11, 2014 at 3:21 PM, Arno Wagner <arno@wagner.name> wrote:

> On Mon, Aug 11, 2014 at 21:07:37 CEST, jeff.esquivel@gmail.com wrote:
>
[...]
> > I did the formatting using cryptsetup directly on the command line, but
> all
> > of the successful unlocks where done using Ubuntu's window, something
> like
> > the one shown in this screenshot: http://www.imagebot.net/wally/1914 ,
> > after I couldn't unlock the partition with this method, I switched to
> > trying it on the command line directly (in case there was some Ubuntu/GTK
> > stuff that was getting in the way).
>
> Ok, so the initial setting was from commandline and you
> tried it at the end with the commandline. Good.
>

I did the formatting but I didn't tried the unlocking from the command line
at the end (only after formatting and before the creation of the
filesystem). At the end what I did (after luksClose) was that I
disconnected and then reconnected the drive and Ubuntu automatically asked
me for the passphrase (in a window similar to the one in the screenshot I
had send before) and automatically unlocked and mounted the partition after
that.


Thanks,

-- 
Jeffrey Esquivel S.

[-- Attachment #2: Type: text/html, Size: 1958 bytes --]