* [dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.
From: David Christensen @ 2016-04-06 4:25 UTC (permalink / raw)
To: dm-crypt
dm-crypt:
I have a Debian 7.10 (Wheezy) computer with a random-key swap device.
The disk and swap are working.
When I try to backup the LUKS header:
# cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file luksheaderbackup-sda2.bin
Device /dev/sda2 is not a valid LUKS device.
Is this expected/ normal behavior for a dm-crypt/ LUKS random-key swap
partition?
David
# cat /etc/debian_version
7.10
# dpkg-query -l cryptsetup
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii cryptsetup 2:1.4.3-4 amd64 disk encryption support - startup
# grep sda2 /etc/crypttab
sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
# grep sda2 /etc/fstab
/dev/mapper/sda2_crypt none swap sw 0 0
# swapon -s
Filename Type Size Used Priority
/dev/mapper/sda2_crypt partition 488444 0 -1
# cryptsetup -v isLuks /dev/sda2
Device /dev/sda2 is not a valid LUKS device.
Command failed with code 22: Device /dev/sda2 is not a valid LUKS device.
# cryptsetup -v luksDump /dev/sda2
Device /dev/sda2 is not a valid LUKS device.
Command failed with code 22: Device /dev/sda2 is not a valid LUKS device.
* Re: [dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.
From: Milan Broz @ 2016-04-06 5:38 UTC (permalink / raw)
To: David Christensen, dm-crypt
On 04/06/2016 06:25 AM, David Christensen wrote:
> dm-crypt:
>
> I have a Debian 7.10 (Wheezy) computer with a random-key swap device.
> The disk and swap are working.
>
>
> When I try to backup the LUKS header:
>
> # cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file
> luksheaderbackup-sda2.bin
> Device /dev/sda2 is not a valid LUKS device.
>
>
> Is this expected/ normal behavior for a dm-crypt/ LUKS random-key swap
> partition?
LUKS device cannot be used with random volume key, so I guess you use
just plain device without header. (So obviously header backup fails because
there is no header.)
You can verify it by checking entry in /etc/crypttab - no luks keyword:
> # grep sda2 /etc/fstab
> /dev/mapper/sda2_crypt none swap
or running "cryptsetup status sda2_crypt" over unlocked device
(type is LUKS1 for LUKS devices)
Milan
* Re: [dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.
From: David Christensen @ 2016-04-06 5:59 UTC (permalink / raw)
To: dm-crypt
On 04/05/2016 10:38 PM, Milan Broz wrote:
> On 04/06/2016 06:25 AM, David Christensen wrote:
> LUKS device cannot be used with random volume key, so I guess you use
> just plain device without header. (So obviously header backup fails because
> there is no header.)
Thank you for the information.
>
> You can verify it by checking entry in /etc/crypttab - no luks keyword:
>
>> # grep sda2 /etc/fstab
>> /dev/mapper/sda2_crypt none swap
>
> or running "cryptsetup status sda2_crypt" over unlocked device
> (type is LUKS1 for LUKS devices)
# cryptsetup status sda2_crypt
/dev/mapper/sda2_crypt is active and is in use.
type: PLAIN
cipher: aes-xts-plain64
keysize: 256 bits
device: /dev/sda2
offset: 0 sectors
size: 976896 sectors
mode: read/write
So, what I'm seeing is expected and correct, because a random-key
encrypted swap uses dm-crypt on the raw partition, there is no LUKS
container, and therefore no LUKS header to back up (?).
David
* Re: [dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.
From: Milan Broz @ 2016-04-06 6:37 UTC (permalink / raw)
To: David Christensen, dm-crypt
On 04/06/2016 07:59 AM, David Christensen wrote:
> On 04/05/2016 10:38 PM, Milan Broz wrote:
>> On 04/06/2016 06:25 AM, David Christensen wrote:
>> LUKS device cannot be used with random volume key, so I guess you use
>> just plain device without header. (So obviously header backup fails because
>> there is no header.)
Just one correction of my own words - LUKS key has random volume key, just it is
generated once and stored in keyslots. It cannot be easily just regenerated on every boot
(or you have to run luksFormat - and this makes no sense, plain device fits better here).
> Thank you for the information.
>
>
>>
>> You can verify it by checking entry in /etc/crypttab - no luks keyword:
>>
>>> # grep sda2 /etc/fstab
>>> /dev/mapper/sda2_crypt none swap
>>
>> or running "cryptsetup status sda2_crypt" over unlocked device
>> (type is LUKS1 for LUKS devices)
>
> # cryptsetup status sda2_crypt
> /dev/mapper/sda2_crypt is active and is in use.
> type: PLAIN
> cipher: aes-xts-plain64
> keysize: 256 bits
> device: /dev/sda2
> offset: 0 sectors
> size: 976896 sectors
> mode: read/write
>
>
> So, what I'm seeing is expected and correct, because a random-key
> encrypted swap uses dm-crypt on the raw partition, there is no LUKS
> container, and therefore no LUKS header to back up (?).
Yes, that's correct - you can also see that data offset as 0 sectors,
so the whole device is used.
In fact, there is no need to run any backup - the whole swap device
should get new random key and is reformatted (mkswap) on every boot.
(It cannot be used for hibernation.)
Milan
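Added example, not part of Milan's message or of cryptsetup: what "no header" means on disk. A LUKS device begins with the magic bytes "LUKS" 0xBA 0xBE followed by a 2-byte version, while a plain dm-crypt device holds ciphertext from offset 0; the function names and the image files below are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration: report whether a device or image starts with a LUKS header.
# Only the magic and the version field are inspected; this is not a
# replacement for "cryptsetup isLuks".

# luks_header_type FILE -> prints LUKS1, LUKS2, "LUKS (unknown version)" or none
luks_header_type() {
    # First 8 bytes as lowercase hex: 6-byte magic + 2-byte big-endian version.
    hex=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $hex in
        4c554b53babe0001) echo LUKS1 ;;
        4c554b53babe0002) echo LUKS2 ;;
        4c554b53babe*)    echo "LUKS (unknown version)" ;;
        *)                echo none ;;
    esac
}

# make_sample_images DIR: constructed stand-ins for real partitions.
make_sample_images() {
    # "LUKS" 0xBA 0xBE, version 1, padded with zeros to one 512-byte sector.
    { printf 'LUKS\272\276\000\001'
      dd if=/dev/zero bs=504 count=1 2>/dev/null; } > "$1/luks1.img"
    # Plain dm-crypt swap: ciphertext from sector 0, modelled as random bytes.
    dd if=/dev/urandom of="$1/plain.img" bs=512 count=1 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_images "$demo_dir"
for img in luks1.img plain.img; do
    echo "$img: $(luks_header_type "$demo_dir/$img")"
done
rm -rf "$demo_dir"
```

Reading a real partition this way needs root, and the result for the plain image is what makes luksHeaderBackup fail: there is nothing at the start of the device to copy.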
* Re: [dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.
From: Michael Kjörling @ 2016-04-06 10:55 UTC (permalink / raw)
To: dm-crypt
On 5 Apr 2016 21:25 -0700, from dpchrist@holgerdanske.com (David Christensen):
> # grep sda2 /etc/crypttab
> sda2_crypt /dev/sda2 /dev/urandom
> cipher=aes-xts-plain64,size=256,swap
Since you don't have the "luks" option, Debian does not treat this as
a LUKS device. So when cryptsetup claims that /dev/sda2 "is not a
valid LUKS device" it is quite correct.
--
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
“People who think they know everything really annoy
those of us who know we don’t.” (Bjarne Stroustrup)
* Re: [dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.
From: David Christensen @ 2016-04-06 19:35 UTC (permalink / raw)
To: dm-crypt
On 04/06/2016 03:55 AM, Michael Kjörling wrote:
> On 5 Apr 2016 21:25 -0700, from dpchrist@holgerdanske.com (David Christensen):
>> # grep sda2 /etc/crypttab
>> sda2_crypt /dev/sda2 /dev/urandom
>> cipher=aes-xts-plain64,size=256,swap
>
> Since you don't have the "luks" option, Debian does not treat this as
> a LUKS device. So when cryptsetup claims that /dev/sda2 "is not a
> valid LUKS device" it is quite correct.
>
Thanks for the information.
So, RTFM 'crypttab': at boot time /sbin/cryptdisks_start will create a
plain dm-crypt device with target name 'sda2_crypt'
(/dev/mapper/sda2_crypt) from source device /dev/sda2 with a 256-bit key
(option 'size') from file /dev/urandom and with cipher aes-xts-plain64
(option 'cipher'), and then run /sbin/mkswap on the created device
(option 'swap') (?).
And, as plain dm-crypt devices do not have a LUKS header,
'luksHeaderBackup' has nothing to back up and the error message I'm
seeing is expected and correct (?).
David
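Added example, not from the thread or from Debian's cryptsetup scripts: a small crypttab audit that follows the reasoning above (no "luks" option means a plain device with no header to back up; a key file of /dev/urandom means a fresh key on every boot). The function names, the output format and the second sample entry are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration: classify crypttab entries as LUKS or plain dm-crypt
# and say whether a LUKS header backup applies to them.

# classify_crypttab_line "<target> <source> <keyfile> <options>"
# Runs in a subshell so the IFS and globbing changes do not leak out.
classify_crypttab_line() (
    set -f                      # no globbing while word-splitting the line
    set -- $1                   # fields: target, source device, key file, options
    target=$1; keyfile=$3; opts=$4
    type=plain; swap=no
    IFS=,
    for o in $opts; do          # options are comma-separated
        case $o in
            luks) type=luks ;;  # only this option makes it a LUKS device
            swap) swap=yes ;;   # mkswap is run on the mapped device
        esac
    done
    case $keyfile in
        /dev/urandom|/dev/random) key=random ;;      # new key on every boot
        none|'')                  key=passphrase ;;
        *)                        key=keyfile ;;
    esac
    if [ "$type" = luks ]; then backup=yes; else backup=no; fi
    echo "$target type=$type key=$key swap=$swap header_backup=$backup"
)

# audit_crypttab FILE: classify every non-blank, non-comment line.
audit_crypttab() {
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
        esac
        classify_crypttab_line "$line"
    done < "$1"
}

sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample; the first entry is the one quoted in the thread
sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
sda3_crypt /dev/sda3 none luks
EOF
audit_crypttab "$sample"
rm -f "$sample"
```

On a real system, run `audit_crypttab /etc/crypttab`; entries reported with header_backup=yes are the ones worth a luksHeaderBackup.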
* Re: [dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.
From: Sven Eschenberg @ 2016-04-06 20:26 UTC (permalink / raw)
To: dm-crypt
Yes David,
You are right. And as long as you do not need persistent swap to i.e.
store a hibernate image, it is absolutely reasonable to use a new random
key on each boot.
Regards
-Sven
On 06.04.2016 at 21:35, David Christensen wrote:
> On 04/06/2016 03:55 AM, Michael Kjörling wrote:
>> On 5 Apr 2016 21:25 -0700, from dpchrist@holgerdanske.com (David
>> Christensen):
>>> # grep sda2 /etc/crypttab
>>> sda2_crypt /dev/sda2 /dev/urandom
>>> cipher=aes-xts-plain64,size=256,swap
>>
>> Since you don't have the "luks" option, Debian does not treat this as
>> a LUKS device. So when cryptsetup claims that /dev/sda2 "is not a
>> valid LUKS device" it is quite correct.
>>
>
> Thanks for the information.
>
>
> So, RTFM 'crypttab': at boot time /sbin/cryptdisks_start will create a
> plain dm-crypt device with target name 'sda2_crypt'
> (/dev/mapper/sda2_crypt) from source device /dev/sda2 with a 256-bit key
> (option 'size') from file /dev/urandom and with cipher aes-xts-plain64
> (option 'cipher'), and then run /sbin/mkswap on the created device
> (option 'swap') (?).
>
>
> And, as plain dm-crypt devices do not have a LUKS header,
> 'luksHeaderBackup' has nothing to back up and the error message I'm
> seeing is expected and correct (?).
>
>
> David
* Re: [dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.
From: David Christensen @ 2016-04-06 23:06 UTC (permalink / raw)
To: dm-crypt
On 04/06/2016 01:26 PM, Sven Eschenberg wrote:
> Yes David,
>
> You are right. And as long as you do not need persistent swap to i.e.
> store a hibernate image, it is absolutely reasonable to use a new random
> key on each boot.
Thanks everyone for helping me learn more about dm-crypt. :-)
David
* Re: [dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.
From: Arno Wagner @ 2016-04-07 9:39 UTC (permalink / raw)
To: dm-crypt
In fact, as confidential data can be written to swap,
changing the key on boot is a security feature.
Regards,
Arno
On Wed, Apr 06, 2016 at 22:26:09 CEST, Sven Eschenberg wrote:
> Yes David,
>
> You are right. And as long as you do not need persistent swap to
> i.e. store a hibernate image, it is absolutely reasonable to use a
> new random key on each boot.
>
> Regards
>
> -Sven
>
>
> On 06.04.2016 at 21:35, David Christensen wrote:
> >On 04/06/2016 03:55 AM, Michael Kjörling wrote:
> >>On 5 Apr 2016 21:25 -0700, from dpchrist@holgerdanske.com (David
> >>Christensen):
> >>># grep sda2 /etc/crypttab
> >>>sda2_crypt /dev/sda2 /dev/urandom
> >>>cipher=aes-xts-plain64,size=256,swap
> >>
> >>Since you don't have the "luks" option, Debian does not treat this as
> >>a LUKS device. So when cryptsetup claims that /dev/sda2 "is not a
> >>valid LUKS device" it is quite correct.
> >>
> >
> >Thanks for the information.
> >
> >
> >So, RTFM 'crypttab': at boot time /sbin/cryptdisks_start will create a
> >plain dm-crypt device with target name 'sda2_crypt'
> >(/dev/mapper/sda2_crypt) from source device /dev/sda2 with a 256-bit key
> >(option 'size') from file /dev/urandom and with cipher aes-xts-plain64
> >(option 'cipher'), and then run /sbin/mkswap on the created device
> >(option 'swap') (?).
> >
> >
> >And, as plain dm-crypt devices do not have a LUKS header,
> >'luksHeaderBackup' has nothing to back up and the error message I'm
> >seeing is expected and correct (?).
> >
> >
> >David
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
* Re: [dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.
From: Arno Wagner @ 2016-04-07 9:46 UTC (permalink / raw)
To: dm-crypt
That was a joke, BTW ;-)
Regards,
Arno
On Thu, Apr 07, 2016 at 11:39:09 CEST, Arno Wagner wrote:
> In fact, as confidential data can be written to swap,
> changing the key on boot is a security feature.
>
> Regards,
> Arno
>
>
> On Wed, Apr 06, 2016 at 22:26:09 CEST, Sven Eschenberg wrote:
> > Yes David,
> >
> > You are right. And as long as you do not need persistent swap to
> > i.e. store a hibernate image, it is absolutely reasonable to use a
> > new random key on each boot.
> >
> > Regards
> >
> > -Sven
> >
> >
> > On 06.04.2016 at 21:35, David Christensen wrote:
> > >On 04/06/2016 03:55 AM, Michael Kjörling wrote:
> > >>On 5 Apr 2016 21:25 -0700, from dpchrist@holgerdanske.com (David
> > >>Christensen):
> > >>># grep sda2 /etc/crypttab
> > >>>sda2_crypt /dev/sda2 /dev/urandom
> > >>>cipher=aes-xts-plain64,size=256,swap
> > >>
> > >>Since you don't have the "luks" option, Debian does not treat this as
> > >>a LUKS device. So when cryptsetup claims that /dev/sda2 "is not a
> > >>valid LUKS device" it is quite correct.
> > >>
> > >
> > >Thanks for the information.
> > >
> > >
> > >So, RTFM 'crypttab': at boot time /sbin/cryptdisks_start will create a
> > >plain dm-crypt device with target name 'sda2_crypt'
> > >(/dev/mapper/sda2_crypt) from source device /dev/sda2 with a 256-bit key
> > >(option 'size') from file /dev/urandom and with cipher aes-xts-plain64
> > >(option 'cipher'), and then run /sbin/mkswap on the created device
> > >(option 'swap') (?).
> > >
> > >
> > >And, as plain dm-crypt devices do not have a LUKS header,
> > >'luksHeaderBackup' has nothing to back up and the error message I'm
> > >seeing is expected and correct (?).
> > >
> > >
> > >David
>
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier