[dm-crypt] valid passphrase not accepted

[dm-crypt] valid passphrase not accepted

[ts0]

Hello everybody,

i have a serious problem regarding a luks-encrypted raid10 on gentoo  
linux 64 bit.

after rebooting i wasn´t able to unlock the luks-partition.
the luks header is there. the kernel configuration hasn´t changed (all  
ciphers are integrated). the passphrase is valid but not accepted.

even if i boot with a gentoo live cd and want to open the luks  
partition it isn´t possible. any suggestions.

i hope someone can help me.

thanks

Re: [dm-crypt] valid passphrase not accepted

[Arno Wagner]

Is this a new LUKS container? If so, you most likely
made a mistake on password entry or have a changed keymap.

Please make absolutely sure that is not the case.

Arno


On Wed, Oct 27, 2010 at 02:15:44PM +0200, ts0@dotlike.net wrote:
> Hello everybody,
>
> i have a serious problem regarding a luks-encrypted raid10 on gentoo  
> linux 64 bit.
>
> after rebooting i wasn?t able to unlock the luks-partition.
> the luks header is there. the kernel configuration hasn?t changed (all  
> ciphers are integrated). the passphrase is valid but not accepted.
>
> even if i boot with a gentoo live cd and want to open the luks partition 
> it isn?t possible. any suggestions.
>
> i hope someone can help me.
>
> thanks
>
>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] valid passphrase not accepted

[Heinz Diehl]

On 27.10.2010, ts0@dotlike.net wrote: 

> after rebooting i wasn´t able to unlock the luks-partition.
> the luks header is there. the kernel configuration hasn´t changed
> (all ciphers are integrated). the passphrase is valid but not
> accepted.

A shot in the dark: do you use the same keymapping when you're entering
the passphrase as you did while LUKS-formatting the drive?

Re: [dm-crypt] valid passphrase not accepted

[Arno Wagner]

I am currently assisting the OP offline. Seems the LUKS
header was overwritten in some fashion.

Arno

On Wed, Oct 27, 2010 at 04:39:23PM +0200, Heinz Diehl wrote:
> On 27.10.2010, ts0@dotlike.net wrote: 
> 
> > after rebooting i wasn?t able to unlock the luks-partition.
> > the luks header is there. the kernel configuration hasn?t changed
> > (all ciphers are integrated). the passphrase is valid but not
> > accepted.
> 
> A shot in the dark: do you use the same keymapping when you're entering
> the passphrase as you did while LUKS-formatting the drive?
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
> 

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] valid passphrase not accepted

[Rick Moritz]

[-- Attachment #1: Type: text/plain, Size: 2138 bytes --]

Considering the amount of traffic on the list regarding issues like this,
maybe future versions of dm-crypt should issue an annoying warning when
creating LUKS-format mapped devices, about how a backup of the header is
STRONGLY recommended, with data loss due to accidental overwriting of the
header being the number one reason for data loss.
Possibly even with explicit instructions on how to perform a backup, so that
users can simply copy and paste the command-line and adjust their device
names.
Adding a flag to turn the warning off for unattended set-ups (or whatever
reason) should make this have minimum negative impact.
(I haven't used LUKS yet, so I can't verify whether something like this is
implemented already -- if it is, excuse the redundancy...)

Best of luck to the OP....

On Wed, Oct 27, 2010 at 5:56 PM, Arno Wagner <arno@wagner.name> wrote:

> I am currently assisting the OP offline. Seems the LUKS
> header was overwritten in some fashion.
>
> Arno
>
> On Wed, Oct 27, 2010 at 04:39:23PM +0200, Heinz Diehl wrote:
> > On 27.10.2010, ts0@dotlike.net wrote:
> >
> > > after rebooting i wasn?t able to unlock the luks-partition.
> > > the luks header is there. the kernel configuration hasn?t changed
> > > (all ciphers are integrated). the passphrase is valid but not
> > > accepted.
> >
> > A shot in the dark: do you use the same keymapping when you're entering
> > the passphrase as you did while LUKS-formatting the drive?
> >
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> >
>
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
> arno@wagner.name
> GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25
> 338F
> ----
> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
>
> If it's in the news, don't worry about it.  The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>

[-- Attachment #2: Type: text/html, Size: 3073 bytes --]

Re: [dm-crypt] valid passphrase not accepted

[Arno Wagner]

I think this will not help and is not the way to do it.

The FAQ already addresses all these questions and it is
part of the cryptsetup packages. Those that read documentation
will be sufficiently warned. The others will ignore a warning
that cryptsetup gives them as well.

The second problem is that a LUKS header backup is a security
risk, so we cannot recommend it in general. And we cannot
recommend it conditionally without going into more detail 
(as the FAQ, again, does on this question).

Anyways, the people hit are those without data backup.
They can just as easily be hit by a dead disk or other
data-loss scenario. We can not solve that for them.

There are also quite a few people that do not understand
how their header got corrupted and they all specific help.

Arno


On Wed, Oct 27, 2010 at 06:07:04PM +0200, Rick Moritz wrote:
> Considering the amount of traffic on the list regarding issues like this,
> maybe future versions of dm-crypt should issue an annoying warning when
> creating LUKS-format mapped devices, about how a backup of the header is
> STRONGLY recommended, with data loss due to accidental overwriting of the
> header being the number one reason for data loss.
> Possibly even with explicit instructions on how to perform a backup, so that
> users can simply copy and paste the command-line and adjust their device
> names.
> Adding a flag to turn the warning off for unattended set-ups (or whatever
> reason) should make this have minimum negative impact.
> (I haven't used LUKS yet, so I can't verify whether something like this is
> implemented already -- if it is, excuse the redundancy...)
> 
> Best of luck to the OP....
> 
> On Wed, Oct 27, 2010 at 5:56 PM, Arno Wagner <arno@wagner.name> wrote:
> 
> > I am currently assisting the OP offline. Seems the LUKS
> > header was overwritten in some fashion.
> >
> > Arno
> >
> > On Wed, Oct 27, 2010 at 04:39:23PM +0200, Heinz Diehl wrote:
> > > On 27.10.2010, ts0@dotlike.net wrote:
> > >
> > > > after rebooting i wasn?t able to unlock the luks-partition.
> > > > the luks header is there. the kernel configuration hasn?t changed
> > > > (all ciphers are integrated). the passphrase is valid but not
> > > > accepted.
> > >
> > > A shot in the dark: do you use the same keymapping when you're entering
> > > the passphrase as you did while LUKS-formatting the drive?
> > >
> > > _______________________________________________
> > > dm-crypt mailing list
> > > dm-crypt@saout.de
> > > http://www.saout.de/mailman/listinfo/dm-crypt
> > >
> >
> > --
> > Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
> > arno@wagner.name
> > GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25
> > 338F
> > ----
> > Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
> >
> > If it's in the news, don't worry about it.  The very definition of
> > "news" is "something that hardly ever happens." -- Bruce Schneier
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> >

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] valid passphrase not accepted

[Heinz Diehl]

On 27.10.2010, Rick Moritz wrote: 

> Considering the amount of traffic on the list regarding issues like this,
> maybe future versions of dm-crypt should issue an annoying warning when
> creating LUKS-format mapped devices, about how a backup of the header is
> STRONGLY recommended

No, it's not. Read the FAQ, especially item nr.2 and the answer
from Clemens:

http://www.saout.de/tikiwiki/tiki-index.php?page=LUKSFaq

Re: [dm-crypt] valid passphrase not accepted

[Arno Wagner]

On Wed, Oct 27, 2010 at 06:23:01PM +0200, Heinz Diehl wrote:
> On 27.10.2010, Rick Moritz wrote: 
> 
> > Considering the amount of traffic on the list regarding issues like this,
> > maybe future versions of dm-crypt should issue an annoying warning when
> > creating LUKS-format mapped devices, about how a backup of the header is
> > STRONGLY recommended
> 
> No, it's not. Read the FAQ, especially item nr.2 and the answer
> from Clemens:
> 
> http://www.saout.de/tikiwiki/tiki-index.php?page=LUKSFaq

Aehm, that is the old, obsolete FAQ. You should not reference
it anymore. The current FAQ is at

   http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions

and in the cryptsetup source package.

Arno

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier