DM-Crypt Archive on lore.kernel.org
* [dm-crypt] Extract master key from running system
@ 2011-07-28  3:07 Brian
  2011-07-28  5:04 ` Arno Wagner
From: Brian @ 2011-07-28  3:07 UTC (permalink / raw)
  To: dm-crypt

Hi all - 

Sorry to ask such a noob question, but the FAQ states in the section on "Why is all my data permanently gone if I overwrite the LUKS header?":
"If your header does not contain an intact salt, best go directly to the last stage ("Acceptance") and think about what to do now. There is one exception that I know of: If your LUKS container is still open, then it may be possible to extract the master key from the running system. Ask on the mailing-list on how to do that and make sure nobody switches off the machine."

If anybody can help fill in the blanks there I'd very much appreciate it. I'm on the verge of the acceptance stage of grieving myself, but realized that I might fall into this category - the external drive was removed, and initialized on a new machine - never properly closed the container, and the machine is still running. I also still see the dm device. I believe the LUKS header is trashed on disk - isLuks gives 234 return, luksDump tells me it's not a valid LUKS device. Any way to recover here? Or do I accept? 

Thanks in advance!
- Brian

* Re: [dm-crypt] Extract master key from running system
  2011-07-28  3:07 [dm-crypt] Extract master key from running system Brian
@ 2011-07-28  5:04 ` Arno Wagner
  2011-07-28  7:14   ` Milan Broz
From: Arno Wagner @ 2011-07-28  5:04 UTC (permalink / raw)
  To: dm-crypt

On Wed, Jul 27, 2011 at 08:07:24PM -0700, Brian wrote:
> Hi all - 
> 
> Sorry to ask such a noob question, but the FAQ states in the section on
> "Why is all my data permanently gone if I overwrite the LUKS header?": "If
> your header does not contain an intact salt, best go directly to the last
> stage ("Acceptance") and think about what to do now.  There is one
> exception that I know of: If your LUKS container is still open, then it
> may be possible to extract the master key from the running system.  Ask on
> the mailing-list on how to do that and make sure nobody switches off the
> machine."
> 
> If anybody can help fill in the blanks there I'd very much appreciate it.
> I'm on the verge of the acceptance stage of grieving myself, but realized
> that I might fall into this category - the external drive was removed, and
> initialized on a new machine - never properly closed the container, and
> the machine is still running.  I also still see the dm device.  I believe
> the LUKS header is trashed on disk - isLuks gives 234 return, luksDump
> tells me it's not a valid LUKS device.  Any way to recover here?  Or do I
> accept?

I have to admit that there is no info in the FAQ because when I wrote 
that I did not have time to find out. In the meantime I have had
an opportunity to do so, so I should probably update the FAQ. First, 
I think trying to dump will not create additional damage. Here is what 
works on my machine:

 cryptsetup luksDump --dump-master-key 

This asks first for a "YES" and then for a valid passphrase.
Result looks like this (test-container via losetup):

LUKS header information for /dev/loop0
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Payload offset: 4096
UUID:           79c87d87-a8c0-4967-b1e4-4c54a11b8b93
MK bits:        256
MK dump:        7d b6 99 d8 3a 09 97 51 92 fa 99 47 b4 bf 33 01 
                a2 12 0e b3 0d 41 f1 c5 e8 78 e3 78 fe eb 1b d8 

If you get this, then you have the real, not protected master 
key. The way to use it is to convert the hex digits of the
MK dump into a binary file, e.g. using hexedit. 

No idea whether this can be done easier, but this approach
worked in an experiment I did.

Then you can use that file with "luksFormat --master-key-file ..." 
and, given all other parameters are the same (not the salt, just 
the parameters passed on the old luksFormat call) you should then 
be able to open the device again.

Safety precaution 1: Make a backup of the first 100MB of
the disk if something goes wrong.

Safety precaution 2: Do a normal "cryptsetup luksDump <device>"
after you get the master key, just in case some parameters are
not the defaults or this container was created with a 
cryptsetup with different defaults.

Note: You may have some filesystem damage inside the
container, depending on what type of "initialization"
was done.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

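As an added example (not code from the thread or from the cryptsetup project), the hex-to-binary step and the matching luksFormat call from Arno's reply, in Python: it parses the luksDump output quoted above, checks the key length against "MK bits", writes the key file with owner-only permissions, and assembles the luksFormat command with the dumped cipher, key size, UUID and payload offset. It assumes you already have the dump text (Milan notes below that luksDump itself needs a valid header); the file name mk.bin and the device /dev/sdX are placeholders, and passing the payload offset through --align-payload (in sectors) is an assumption to verify with a plain luksDump afterwards, as precaution 2 says.

```python
import os
import re

# "cryptsetup luksDump --dump-master-key" output as quoted in Arno's mail (his losetup test container).
SAMPLE_DUMP = """\
LUKS header information for /dev/loop0
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Payload offset: 4096
UUID:           79c87d87-a8c0-4967-b1e4-4c54a11b8b93
MK bits:        256
MK dump:        7d b6 99 d8 3a 09 97 51 92 fa 99 47 b4 bf 33 01
                a2 12 0e b3 0d 41 f1 c5 e8 78 e3 78 fe eb 1b d8
"""

def parse_luks_dump(text):
    """Return the header fields plus the raw master key bytes parsed from luksDump output."""
    info, hexparts, in_mk = {}, [], False
    for line in text.splitlines():
        in_mk = line.startswith("MK dump:") or (in_mk and line.startswith(" "))
        m = re.match(r"^(Cipher name|Cipher mode|Payload offset|UUID|MK bits):\s*(\S+)", line)
        if m:
            info[m.group(1)] = m.group(2)
        elif in_mk:
            hexparts.append(line.split(":", 1)[-1])  # "MK dump:" line and its indented continuations
    key = bytes.fromhex("".join(hexparts).replace(" ", ""))
    if len(key) * 8 != int(info["MK bits"]):  # catches a mistyped or truncated dump
        raise ValueError("MK dump is %d bytes but header says %s bits" % (len(key), info["MK bits"]))
    info["key"] = key
    return info

def luks_format_command(info, key_file, device):
    """Build the luksFormat call that re-creates a header with the dumped parameters."""
    return ["cryptsetup", "luksFormat",
            "--cipher", "%s-%s" % (info["Cipher name"], info["Cipher mode"]),
            "--key-size", info["MK bits"],
            "--align-payload", info["Payload offset"],  # sectors, as printed in the dump
            "--uuid", info["UUID"],
            "--master-key-file", key_file, device]

def write_key_file(key, path):
    """Write the raw key owner-readable only and refuse to overwrite an existing file."""
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600), "wb") as f:
        f.write(key)
    return path

if __name__ == "__main__":
    hdr = parse_luks_dump(SAMPLE_DUMP)
    write_key_file(hdr["key"], "mk.bin")  # mk.bin and /dev/sdX are placeholders
    print(" ".join(luks_format_command(hdr, "mk.bin", "/dev/sdX")))
```

Feed the real dump text to parse_luks_dump instead of SAMPLE_DUMP, and wipe mk.bin once the container opens again: it is the unprotected master key.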
* Re: [dm-crypt] Extract master key from running system
  2011-07-28  5:04 ` Arno Wagner
@ 2011-07-28  7:14   ` Milan Broz
  2011-07-30 18:42     ` Arno Wagner
From: Milan Broz @ 2011-07-28  7:14 UTC (permalink / raw)
  To: dm-crypt

On 07/28/2011 07:04 AM, Arno Wagner wrote:
> I have to admit that there is no info in the FAQ because when I wrote 
> that I did not have time to find out. In the mean time I have had
> an opportunity to do so, so I should probably update the FAQ. First, 
> I think trying to dump will not create additional damage. Here is what 
> works on my machine:
> 
>  cryptsetup luksDump --dump-master-key 

For luksDump you need a valid LUKS header.

btw I added a script which tries to extract the master key automatically
from the active device and prepares cryptsetup parameters.

http://code.google.com/p/cryptsetup/source/browse/trunk/misc/luks-header-from-active

The steps there are quite straightforward.

Milan

* Re: [dm-crypt] Extract master key from running system
  2011-07-28  7:14   ` Milan Broz
@ 2011-07-30 18:42     ` Arno Wagner
From: Arno Wagner @ 2011-07-30 18:42 UTC (permalink / raw)
  To: dm-crypt

I just added a link to the script by Milan and
an explanation on how to do this manually to the
FAQ.

Arno


On Thu, Jul 28, 2011 at 09:14:01AM +0200, Milan Broz wrote:
> On 07/28/2011 07:04 AM, Arno Wagner wrote:
> > I have to admit that there is no info in the FAQ because when I wrote 
> > that I did not have time to find out. In the mean time I have had
> > an opportunity to do so, so I should probably update the FAQ. First, 
> > I think trying to dump will not create additional damage. Here is what 
> > works on my machine:
> > 
> >  cryptsetup luksDump --dump-master-key 
> 
> For luksDump you need a valid LUKS header.
> 
> btw I added a script which tries to extract the master key automatically
> from the active device and prepares cryptsetup parameters.
> 
> http://code.google.com/p/cryptsetup/source/browse/trunk/misc/luks-header-from-active
> 
> The steps there are quite straightforward.
> 
> Milan

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 
