From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.server123.net (Postfix) with ESMTPS
	for ; Wed, 6 Apr 2016 08:37:11 +0200 (CEST)
Received: by mail-wm0-x235.google.com with SMTP id 191so46546924wmq.0
	for ; Tue, 05 Apr 2016 23:37:10 -0700 (PDT)
References: <57048FA2.7090008@holgerdanske.com> <5704A0C7.2040707@gmail.com> <5704A5C5.4000002@holgerdanske.com>
From: Milan Broz
Message-ID: <5704AE94.5030705@gmail.com>
Date: Wed, 6 Apr 2016 08:37:08 +0200
MIME-Version: 1.0
In-Reply-To: <5704A5C5.4000002@holgerdanske.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] Debian 7.10 random key swap Device /dev/sda2 is not a valid LUKS device.
To: David Christensen, dm-crypt@saout.de

On 04/06/2016 07:59 AM, David Christensen wrote:
> On 04/05/2016 10:38 PM, Milan Broz wrote:
>> On 04/06/2016 06:25 AM, David Christensen wrote:
>> LUKS device cannot be used with random volume key, so I guess you use
>> just plain device without header. (So obviously header backup fails because
>> there is no header.)

Just one correction of my own words - LUKS key has random volume key,
just it is generated once and stored in keyslots. It cannot be easily
just regenerated on every boot (or you have to run luksFormat - and this
makes no sense, plain device fits better here).

> Thank you for the information.
>
>
>>
>> You can verify it by checking entry in /etc/crypttab - no luks keyword:
>>
>>> # grep sda2 /etc/fstab
>>> /dev/mapper/sda2_crypt none swap
>>
>> or running "cryptsetup status sda2_crypt" over unlocked device
>> (type is LUKS1 for LUKS devices)
>
> # cryptsetup status sda2_crypt
> /dev/mapper/sda2_crypt is active and is in use.
>   type:    PLAIN
>   cipher:  aes-xts-plain64
>   keysize: 256 bits
>   device:  /dev/sda2
>   offset:  0 sectors
>   size:    976896 sectors
>   mode:    read/write
>
>
> So, what I'm seeing is expected and correct, because a random-key
> encrypted swap uses dm-crypt on the raw partition, there is no LUKS
> container, and therefore no LUKS header to back up (?).

Yes, that's correct - you can also see that data offset as 0 sectors,
so the whole device is used.

In fact, there is no need to run any backup - the whole swap device should
get new random key and is reformatted (mkswap) on every boot.
(It cannot be used for hibernation.)

Milan
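
The two checks discussed in this message (the `luks` keyword in /etc/crypttab and the `type` field of `cryptsetup status`), combined into one classifier. This is an added example, not part of the original message or of cryptsetup; the crypttab sample is constructed, and the function names and the `plain-random-key-swap` label are assumptions made for illustration.

```python
# Added example: decide from crypttab + `cryptsetup status` whether a mapping has a LUKS header.
# Constructed crypttab sample (Debian-style); the thread does not show the real file.
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
sda3_crypt UUID=00000000-0000-0000-0000-000000000000 none luks
"""
# Status text as quoted in the thread.
SAMPLE_STATUS = """\
/dev/mapper/sda2_crypt is active and is in use.
  type:    PLAIN
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sda2
  offset:  0 sectors
  size:    976896 sectors
  mode:    read/write
"""
RANDOM_KEY_SOURCES = {"/dev/urandom", "/dev/random"}

def parse_crypttab(text):
    """Map target name -> source, key file and option set for each entry."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        entries[fields[0]] = {
            "source": fields[1],
            "keyfile": fields[2] if len(fields) > 2 else "none",
            "options": set(fields[3].split(",")) if len(fields) > 3 else set(),
        }
    return entries

def parse_status(text):
    """Collect the 'name: value' fields printed by `cryptsetup status`."""
    pairs = (line.partition(":") for line in text.splitlines()[1:])
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def classify(entry, status):
    """Return (kind, header_backup_possible) for one mapping."""
    live_luks = status.get("type", "").upper().startswith("LUKS")
    if "luks" in entry["options"] or live_luks:
        return ("luks", True)
    if "swap" in entry["options"] and entry["keyfile"] in RANDOM_KEY_SOURCES:
        return ("plain-random-key-swap", False)
    return ("plain", False)

if __name__ == "__main__":
    tab = parse_crypttab(SAMPLE_CRYPTTAB)
    print(classify(tab["sda2_crypt"], parse_status(SAMPLE_STATUS)))
```
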