public inbox for cryptsetup@lists.linux.dev
* echo "pass" piped to sudo tee cryptsetup luksOpen overwritten LUKS partition
@ 2024-11-30 13:36 Rafal Babinicz
  2024-11-30 16:23 ` Michael Kjörling
  2024-11-30 16:45 ` Milan Broz
  0 siblings, 2 replies; 3+ messages in thread
From: Rafal Babinicz @ 2024-11-30 13:36 UTC (permalink / raw)
  To: cryptsetup


[-- Attachment #1.1: Type: text/plain, Size: 1910 bytes --]

Hi,

First, I am sorry for disturbing your workflows, but if there is a chance
you can help me I must try.
That is not an excuse for my behavior, but I care for my father after a stroke,
and these difficult times have heavily disturbed my focus and foresight.
During disk replacement I rendered my old LUKS encrypted disk unrecognized
(my verbatim shell history attached).

TL;DR: can I revert what I did there? Especially that line:
$ echo "passphrase" | sudo tee cryptsetup luksOpen /dev/sdb3 enc

Basically, I wanted to see the passphrase to check whether I typed it
correctly, so I echoed it and piped it with sudo tee to cryptsetup luksOpen, and
I think that is where I overwrote something.

Before the changes I made a backup of the LUKS header and a backup of the disk,
but in my lack of focus I left the keys to it on the device, so I cannot access them.

I made a backup of my disk in question:
sudo dd if=/dev/sdb3 of=/home/k/t/luks/disk.img bs=64K status=progress
[sudo] password for k:
240900833280 bytes (241 GB, 224 GiB) copied, 6397 s, 37.7 MB/s
3676322+1 records in
3676322+1 records out
240931479040 bytes (241 GB, 224 GiB) copied, 6399.13 s, 37.7 MB/s

and will try cryptsetup repair on that copy now; maybe the second header is
intact?

Do you know how to reverse my mistake in the shell session and what happened?
If that is not possible I will try to use UART on my NAS to get access to
it and recover the LUKS backup header and access the backups, but figuring that out
will take me months.

I felt safe, because I had backups and have keys on my Yubikey, but I
critically forgot that the passphrase to the SSH key for the backup server is saved in
the pass manager storage on that very disk.

Here is the first 16M of /dev/sdb3 dumped with
head -c 16M /dev/sdb3 > luksheaderdamage.img
https://drive.google.com/file/d/1Cntljx8mebZdNlEKx9feu7KbwWH7_hUT/view?usp=drive_link

Please, if you have any ideas, you will literally save my digital life.
Sincerely R


[-- Attachment #2: lukstee.txt --]
[-- Type: text/plain, Size: 11439 bytes --]

[k@potop:~]$ lsblk
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda             8:0    0 476.9G  0 disk
├─sda1          8:1    0   511M  0 part
├─sda2          8:2    0 460.4G  0 part
│ └─nixos-enc 254:0    0 460.4G  0 crypt /home
│                                        /nix/store
│                                        /nix
│                                        /
└─sda3          8:3    0    16G  0 part  [SWAP]
sdb             8:16   0 232.9G  0 disk
├─sdb1          8:17   0   512M  0 part
├─sdb2          8:18   0     8G  0 part
└─sdb3          8:19   0 224.4G  0 part
sr0            11:0    1  1024M  0 rom

[k@potop:~]$ cryptsetup luksOpen /dev/sdb3 enc
Device /dev/sdb3 does not exist or access denied.

[k@potop:~]$ sudo cryptsetup luksOpen /dev/sdb3 enc
[sudo] password for k:
Enter passphrase for /dev/sdb3:
No key available with this passphrase.
Enter passphrase for /dev/sdb3:
No key available with this passphrase.
Enter passphrase for /dev/sdb3:
No key available with this passphrase.

[k@potop:~]$ sudo cryptsetup luksOpen /dev/sdb3 enc
Enter passphrase for /dev/sdb3: Error reading passphrase from terminal.

[k@potop:~]$ sudo cryptsetup luksOpen /dev/sdb3 enc odysejaEfemerycznaGilgameszaTichegoBialegoWilka
Enter passphrase for /dev/sdb3: Error reading passphrase from terminal.

[k@potop:~]$ echo "odysejaEfemerycznaGilgameszaTichegoBialegoWilka" | sudo tee cryptsetup luksOpen /dev/sdb3 enc
odysejaEfemerycznaGilgameszaTichegoBialegoWilka

[k@potop:~]$ lsblk
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda             8:0    0 476.9G  0 disk
├─sda1          8:1    0   511M  0 part
├─sda2          8:2    0 460.4G  0 part
│ └─nixos-enc 254:0    0 460.4G  0 crypt /home
│                                        /nix/store
│                                        /nix
│                                        /
└─sda3          8:3    0    16G  0 part  [SWAP]
sdb             8:16   0 232.9G  0 disk
├─sdb1          8:17   0   512M  0 part
├─sdb2          8:18   0     8G  0 part
└─sdb3          8:19   0 224.4G  0 part
sr0            11:0    1  1024M  0 rom

[k@potop:~]$ echo "odysejaEfemerycznaGilgameszaTichegoBialegoWilka" | sudo tee -a cryptsetup luksOpen /dev/sdb3 enc
odysejaEfemerycznaGilgameszaTichegoBialegoWilka
tee: /dev/sdb3: No space left on device

[k@potop:~]$ echo "odysejaEfemerycznaGilgameszaTichegoBialegoWilka" | sudo tee -a cryptsetup luksOpen /dev/sdb3 enc -
odysejaEfemerycznaGilgameszaTichegoBialegoWilka
tee: /dev/sdb3: No space left on device

[k@potop:~]$ echo "odysejaEfemerycznaGilgameszaTichegoBialegoWilka" | sudo tee cryptsetup luksOpen /dev/sdb3 enc -
odysejaEfemerycznaGilgameszaTichegoBialegoWilka

[k@potop:~]$ echo "odysejaEfemerycznaGilgameszaTichegoBialegoWilka" | cryptsetup luksOpen /dev/sdb3 enc -
Device /dev/sdb3 does not exist or access denied.

[k@potop:~]$ echo "odysejaEfemerycznaTichegoGilgameszaBialegoWilka" | cryptsetup luksOpen /dev/sdb3 enc -
Device /dev/sdb3 does not exist or access denied.

[k@potop:~]$ echo "odysejaEfemerycznaTichegoGilgameszaBialegoWilka" | cryptsetup luksOpen /dev/sdb3 enc -d -
Device /dev/sdb3 does not exist or access denied.

[k@potop:~]$ sudo -i

[root@potop:~]# echo "odysejaEfemerycznaTichegoGilgameszaBialegoWilka | cryptsetup luksOpen /dev/sdb3 enc -d -
> ^C

[root@potop:~]# echo "odysejaEfemerycznaTichegoGilgameszaBialegoWilka" | cryptsetup luksOpen /dev/sdb3 enc -d -
Device /dev/sdb3 is not a valid LUKS device.

[root@potop:~]# lsblk
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda             8:0    0 476.9G  0 disk
├─sda1          8:1    0   511M  0 part
├─sda2          8:2    0 460.4G  0 part
│ └─nixos-enc 254:0    0 460.4G  0 crypt /home
│                                        /nix/store
│                                        /nix
│                                        /
└─sda3          8:3    0    16G  0 part  [SWAP]
sdb             8:16   0 232.9G  0 disk
├─sdb1          8:17   0   512M  0 part
├─sdb2          8:18   0     8G  0 part
└─sdb3          8:19   0 224.4G  0 part
sr0            11:0    1  1024M  0 rom

[root@potop:~]# echo "odysejaEfemerycznaTichegoGilgameszaBialegoWilka" | cryptsetup luksOpen /dev/sdb3 enc -
Device /dev/sdb3 is not a valid LUKS device.

[root@potop:~]# echo "odysejaEfemerycznaTichegoGilgameszaBialegoWilka" | cryptsetup luksOpen /dev/sdb2 enc -
Device /dev/sdb2 is not a valid LUKS device.

[root@potop:~]# echo "odysejaEfemerycznaTichegoGilgameszaBialegoWilka" | cryptsetup luksOpen /dev/sdb1 enc -
Device /dev/sdb1 is not a valid LUKS device.

[root@potop:~]# echo "odysejaEfemerycznaTichegoGilgameszaBialegoWilka" | cryptsetup luksOpen /dev/sdb enc -
Device /dev/sdb is not a valid LUKS device.

[root@potop:~]# echo "odysejaEfemerycznaTichegoGilgameszaBialegoWilka" | cryptsetup luksOpen /dev/sdb enc
Device /dev/sdb is not a valid LUKS device.

[root@potop:~]# echo "odysejaEfemerycznaTichegoGilgameszaBialegoWilka" | cryptsetup luksOpen /dev/sdb3 enc
Device /dev/sdb3 is not a valid LUKS device.

[root@potop:~]# echo -n "odysejaEfemerycznaTichegoGilgameszaBialegoWilka" | cryptsetup luksOpen /dev/sdb3 enc
Device /dev/sdb3 is not a valid LUKS device.

[root@potop:~]# echo -n "odysejaEfemerycznaTichegoGilgameszaBialegoWilka" | cryptsetup luksOpen /dev/sdb3 enc -d -
Device /dev/sdb3 is not a valid LUKS device.

[root@potop:~]# lsblk -o path,fstype,uuid
PATH                  FSTYPE      UUID
/dev/sda              btrfs       a7e0d63f-7ce0-4ccf-bc3d-b43b1f707548
/dev/sda1             vfat        29F3-C8C6
/dev/sda2             crypto_LUKS 00627b94-a6dc-46b3-826a-c22912f4107e
/dev/sda3             swap        477ad472-85b3-40fc-9285-a4b932f54f2f
/dev/sdb
/dev/sdb1             vfat        CD78-CE34
/dev/sdb2             swap        1359d59b-8f06-4d14-aef3-9aa8bcb76c06
/dev/sdb3
/dev/sdc
/dev/sdc1             exfat       4A21-0000
/dev/sr0
/dev/mapper/nixos-enc btrfs       108969bf-9a61-412b-a99e-83c0cffbd70d

[root@potop:~]# cryptsetup isLuks /dev/sd3
Device /dev/sd3 does not exist or access denied.

[root@potop:~]# cryptsetup isLuks /dev/sdb3

[root@potop:~]# mount /dev/sdb3 /mnt
mount: /mnt: wrong fs type, bad option, bad superblock on /dev/sdb3, missing codepage or helper program, or other error.
       dmesg(1) may have more information after failed mount system call.

[root@potop:~]# cryptsetup open /dev/sdb3
Command requires device and mapped name as arguments.

[root@potop:~]# cryptsetup open /dev/sdb3 enc
Device /dev/sdb3 is not a valid LUKS device.

[root@potop:~]# blkid
/dev/sdb3: PARTLABEL="Linux filesystem" PARTUUID="92a98245-6bcf-45ac-83cc-fda53d80ff6b"

[root@potop:~]# cryptsetup --debug luksDump /dev/sdb3
# cryptsetup 2.7.5 processing "cryptsetup --debug luksDump /dev/sdb3"
# Verifying parameters for command luksDump.
# Running command luksDump.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sdb3.
# Trying to open and read device /dev/sdb3 with direct-io.
# Direct-io is supported and works.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/sdb3.
# Crypto backend (OpenSSL 3.3.2 3 Sep 2024 [default][legacy][threads][argon2]) initialized in cryptsetup library version 2.7.5.
# Detected kernel Linux 6.6.63 x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/sdb3.
# Opening lock resource file /run/cryptsetup/L_8:19
# Verifying lock handle for /dev/sdb3.
# Device /dev/sdb3 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/sdb3
# Verifying locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x8000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x10000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x20000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x40000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x80000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x100000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x200000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x400000.
# Reusing open ro fd on device /dev/sdb3
# LUKS2 header read failed (-22).
# Device /dev/sdb3 READ lock released.
Device /dev/sdb3 is not a valid LUKS device.
# Releasing crypt device /dev/sdb3 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/sdb3.
Command failed with code -1 (wrong or missing parameters).

[root@potop:~]# cryptsetup repair /dev/sdb3

WARNING!
========
Really try to repair LUKS device header?

Are you sure? (Type 'yes' in capital letters): ^C
[root@potop:~]# exit
logout

[k@potop:~]$ sudo cryptsetup open /dev/sdb3 enc
Device /dev/sdb3 is not a valid LUKS device.

[k@potop:~]$ sudo cryptsetup luksOpen --debug /dev/sdb3 enc
# cryptsetup 2.7.5 processing "cryptsetup luksOpen --debug /dev/sdb3 enc"
# Verifying parameters for command open.
# Running command open.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sdb3.
# Trying to open and read device /dev/sdb3 with direct-io.
# Direct-io is supported and works.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/sdb3.
# Crypto backend (OpenSSL 3.3.2 3 Sep 2024 [default][legacy][threads][argon2]) initialized in cryptsetup library version 2.7.5.
# Detected kernel Linux 6.6.63 x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/sdb3.
# Opening lock resource file /run/cryptsetup/L_8:19
# Verifying lock handle for /dev/sdb3.
# Device /dev/sdb3 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/sdb3
# Verifying locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x8000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x10000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x20000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x40000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x80000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x100000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x200000.
# Reusing open ro fd on device /dev/sdb3
# Trying to read secondary LUKS2 header at offset 0x400000.
# Reusing open ro fd on device /dev/sdb3
# LUKS2 header read failed (-22).
# Device /dev/sdb3 READ lock released.
Device /dev/sdb3 is not a valid LUKS device.
# Releasing crypt device /dev/sdb3 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/sdb3.
Command failed with code -1 (wrong or missing parameters).

[k@potop:~]$ cry
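
What the `tee` lines in the history above do, reproduced on scratch files (an added example, not part of the original message). The passphrase, the file name `fake-sdb3` and the function names are constructed for illustration; the second function relies on Linux ignoring O_TRUNC when a block device is opened.

```shell
#!/bin/sh
# Added demo on scratch files: what `echo PASS | tee cryptsetup luksOpen DEV enc`
# does. All paths and the passphrase below are constructed for the example.

PASS='constructed-example-passphrase'

# tee takes every operand as an output file, so "cryptsetup", "luksOpen" and
# "enc" become files in the current directory, each holding the passphrase,
# and the device operand (here the scratch file fake-sdb3) is written as well.
# Prints the names of the files tee created.
tee_targets() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" &&
      printf '%s\n' "$PASS" | tee cryptsetup luksOpen fake-sdb3 enc >/dev/null &&
      echo * )
    rm -rf "$dir"
}

# On a block device the open does not truncate, so tee's write lands at
# offset 0 and everything after it is untouched. dd conv=notrunc models
# that behaviour on a regular file.
# Prints: "<bytes overwritten> <image size> <4 bytes after the overwritten run>"
clobbered_region() {
    img=$(mktemp) || return 1
    head -c 4096 /dev/zero | tr '\0' 'A' > "$img"   # constructed 4 KiB "device"
    printf '%s\n' "$PASS" | dd of="$img" conv=notrunc 2>/dev/null
    n=$(printf '%s\n' "$PASS" | wc -c | tr -d ' ')  # passphrase + newline
    size=$(wc -c < "$img" | tr -d ' ')
    tail_bytes=$(dd if="$img" bs=1 skip="$n" count=4 2>/dev/null)
    rm -f "$img"
    echo "$n $size $tail_bytes"
}

tee_targets
clobbered_region
```

The stray files named `cryptsetup`, `luksOpen` and `enc` left in the working directory by such a command each contain the passphrase in plaintext, so they are worth looking for and removing after an incident like this.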
