public inbox for cryptsetup@lists.linux.dev
From: Milan Broz <gmazyland@gmail.com>
To: Darek Hisc <darek.hisc@aleeas.com>, cryptsetup@lists.linux.dev
Subject: Re: Problem after detaching the header
Date: Sat, 1 Jul 2023 23:00:16 +0200
Message-ID: <7424eaa5-ea88-d746-9bc6-e8b04cc48769@gmail.com>
In-Reply-To: <168823123339.9.10246224821676034944.147890655@aleeas.com>

On 7/1/23 19:06, Darek Hisc wrote:
> 
>> - luksErase will destroy keyslots (key material)
> Does it also destroy the Master Key?

The Volume Key (also known as the Master Key) is stored in the keyslot(s).
luksErase removes all keyslots, and thus all keys; see man cryptsetup-luksErase.

>> but still keeps LUKS header on the device, including UUID (so you can reference the device through UUID
>> even if it cannot be unlocked without detached header)
> From the comments I've received here https://unix.stackexchange.com/questions/750288/properly-detach-the-luks-header-from-the-existing-fdelvm-encryption it also appears that the missing UUID is to blame after destroying the entire header.
> 
>> Check that UUID is not referenced in config.
> How to check?

It depends on your distro: crypttab, bootloader config, an old blkid cache, whatever.
I have no idea, it was just a hint.
The FAQ contains generic info; various distros can have various additional steps
(we should update it to mention that, though).

> 
>> But as Arno said, this is really question for your distro (note that cryptab
>> file can be managed by systemd, but there are also non-systemd versions).
> If it's not a cryptsetup problem, it probably affects many (or all) distributions. I suggest adding the relevant information to FAQ 2.20 because the current wording suggests that the given procedure is sufficient, and it is not (because it causes a UUID problem that needs to be solved somehow).
> 
>> Also without console log it is not clear what exactly fails.
> Please tell me what to enter in the initramfs console to check it and I will give you the result.
> 
> Another solution that looks very interesting:
> In a comment on stackexchange, someone suggested creating a dummy header instead of the original one, but using a detached one. Do you see any potential problems and is this a good idea?

The LUKS header after calling luksErase is actually a "dummy" header (if that means a header without keyslots).
So I think this is what you get after calling luksErase in your steps 1-5.

Your device can only be unlocked with the detached header, but the data device is still visibly marked as LUKS;
that should be enough if your goal is to store the key separately.

Milan
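As an added example of the "how to check" question above (this is not part of Milan's reply and not cryptsetup's own tooling): a POSIX shell function that greps a LUKS UUID through the usual config files, run here against constructed sample files. The paths in default_config_files are assumptions for a typical distro; adjust them to yours.

```shell
#!/bin/sh
# Added example: find leftover references to a LUKS UUID in config files.
# After luksErase the header and its UUID stay on the data device, so any
# crypttab/fstab/bootloader entry that still points at that UUID without
# naming the detached header is the kind of reference to look for.

# Print "file:line:text" for each line of the given files that mentions the
# UUID (covers UUID=..., /dev/disk/by-uuid/..., rd.luks.uuid=... and the bare
# value, case-insensitive since blkid may print either case). Unreadable files
# are skipped. Returns 0 if any reference was found, 1 otherwise.
find_uuid_refs() {
    uuid="$1"; shift
    found=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        if out=$(grep -n -i -- "$uuid" "$f"); then
            printf '%s\n' "$out" | sed "s|^|$f:|"
            found=0
        fi
    done
    return $found
}

# Assumed default locations worth checking (Debian/Arch-style paths).
# The blkid cache is included because a stale cache can still carry the UUID.
default_config_files() {
    echo /etc/crypttab /etc/fstab /etc/default/grub /boot/grub/grub.cfg \
         /etc/kernel/cmdline /run/blkid/blkid.tab /etc/blkid/blkid.tab
}

# Self-contained demo on constructed files (not real system config):
# the constructed crypttab and grub lines reference the UUID, fstab does not.
demo() {
    dir=$(mktemp -d)
    uuid="12345678-aaaa-bbbb-cccc-0123456789ab"   # constructed sample UUID
    printf 'cryptroot UUID=%s none luks,header=/boot/luks-header.img\n' "$uuid" > "$dir/crypttab"
    printf 'UUID=deadbeef-0000-0000-0000-000000000000 / ext4 defaults 0 1\n' > "$dir/fstab"
    printf 'GRUB_CMDLINE_LINUX="rd.luks.uuid=%s"\n' "$uuid" > "$dir/grub"
    if find_uuid_refs "$uuid" "$dir/crypttab" "$dir/fstab" "$dir/grub" "$dir/missing"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}
```

On a real system call it as `find_uuid_refs "$(cryptsetup luksUUID /dev/sdX)" $(default_config_files)` and inspect every hit; a match is a reference to review, not by itself an error.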
