From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Passphrase stops working.
Date: Mon, 9 Jul 2012 09:10:06 +0200
Message-ID: <20120709071006.GA16184@tansi.org>
In-Reply-To: <CAKRxpuuVHsFdO=qt18G=-LLqh90Nn9DHoTE694iMc5ar2f1Ung@mail.gmail.com>
First, this does not sound like a LUKS problem, but something
else.
Second, a second passphrase is basically worthless as "backup".
As described in the FAQ, what you need is a LUKS header backup.
Now, as you describe, this happened only after a while.
This indicates there is some connection to the data on the
partition.
One possibility is that you have the data not in the LUKS
container, but overlaid with it. This would mean a) your
data is not encrypted and b) at some time you overwrite
the keyslot area with data, breaking the LUKS header. A possible
other alternative is that you placed the RAID superblock in
the keyslot area, but that should only kill one passphrase.
The only other idea I have at this time is that you got the
partition borders wrong when going to GPT and that somehow caused
other data to end up in the LUKS keyslot area.
It could be something else entirely, of course.
Please give all commands you use, including raid creation
and mounting and a full partition table dump. You can also
email me the LUKS header (see FAQ), and I can look for
corruption. This does not compromise your security if you
do not use this header again or if the keyslots are not
recoverable (or if you trust me to destroy the header after
I look at it).
Arno
On Sun, Jul 08, 2012 at 09:41:19PM -0700, Two Spirit wrote:
> I created a 4 drive RAID5 setup using mdadm and upgrading from 2TB drives
> to the new Hitachi 7200RPM 4TB drives. I can initially open my luks
> partition, but later can no longer access it.
>
> I can no longer access my LUKS partition even though I have the right
> passphrases. It was working and then at an unknown point in time lose
> access to LUKS. I've used the same procedures for upgrading from 500G to
> 1TB to 1.5TB to 2TB. After the first time this happened a week ago, I
> thought maybe there was some corruption so I added a 2nd Key as a backup.
> After the second time the LUKS became inaccessible, none of the keys worked.
>
> I put LUKS on it using
>
> cryptsetup -c aes -s 256 -y luksFormat /dev/md0
>
> # cryptsetup luksOpen /dev/md0 md0_crypt
> Enter LUKS passphrase:
> Enter LUKS passphrase:
> Enter LUKS passphrase:
> Command failed: No key available with this passphrase.
>
> The first time this happened while I was upgrading to 4TB drives, I thought
> it was a fluke, and ultimately had to recover from backups. I went and used
> luksAddKey to add a 2nd key as a backup. It happened again and I tried both
> passphrases, and neither worked. The only thing I'm doing differently this
> time around is that I've upgraded to 4TB drives which use GPT instead of
> fdisk.
>
> The last time I had to even reboot the box was over 2 years ago.
>
> I'm using ubuntu-8.04-server with kernel 2.6.24-29 and upgraded to
> -2.6.24-31, but that didn't fix the problem.
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
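
Added example, not part of the original message and not code from the cryptsetup project: one way to look for the kind of keyslot-area corruption discussed above in a LUKS1 header backup. It assumes the LUKS1 on-disk layout (magic, 48-byte keyslot records at offset 208); the function names, the 4096-byte chunk size, the entropy threshold and the sample header are constructed for illustration, and an overwrite with random-looking data would not be detected.

```python
import math, random, struct
from collections import Counter

MAGIC = b"LUKS\xba\xbe"                      # LUKS1 on-disk magic
ENABLED, DISABLED = 0x00AC71F3, 0x0000DEAD   # keyslot state markers
SECTOR, CHUNK, MIN_ENTROPY = 512, 4096, 7.0  # CHUNK and MIN_ENTROPY are assumed heuristics

def entropy(data):
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def check_luks1_header(img):
    """Return a list of findings for a LUKS1 header backup held in bytes."""
    if img[:8] != MAGIC + b"\x00\x01":
        return ["no LUKS1 magic/version: start of header overwritten or not LUKS1"]
    payload_off, key_bytes = struct.unpack_from(">II", img, 104)
    findings, limit = [], min(len(img), payload_off * SECTOR)
    for slot in range(8):
        active, _iters, km_off, stripes = struct.unpack_from(">II32xII", img, 208 + 48 * slot)
        if active == DISABLED:
            continue
        if active != ENABLED:
            findings.append(f"slot {slot}: invalid state 0x{active:08x}")
            continue
        start, end = km_off * SECTOR, km_off * SECTOR + key_bytes * stripes
        if end > limit:
            findings.append(f"slot {slot}: key material outside header area")
            continue
        # Anti-forensic-split key material is encrypted, so every chunk should look random.
        for off in range(start, end, CHUNK):
            if entropy(img[off:min(off + CHUNK, end)]) < MIN_ENTROPY:
                findings.append(f"slot {slot}: non-random data at byte {off}")
                break
    return findings

def sample_header(damage_slot=None):
    """Constructed LUKS1-style header: 256-bit key, slots 0 and 1 enabled."""
    rng = random.Random(1)
    img = bytearray(2056 * SECTOR)
    struct.pack_into(">6sH96xII", img, 0, MAGIC, 1, 2056, 32)  # payload offset, key bytes
    for slot in range(8):
        km_off = 8 + 256 * slot
        struct.pack_into(">II32xII", img, 208 + 48 * slot,
                         ENABLED if slot < 2 else DISABLED, 1000, km_off, 4000)
        if slot < 2:
            img[km_off * SECTOR:km_off * SECTOR + 128000] = bytes(rng.getrandbits(8) for _ in range(128000))
    if damage_slot is not None:              # simulate foreign data landing in a keyslot
        at = (8 + 256 * damage_slot) * SECTOR + 8192
        img[at:at + 4096] = bytes(4096)
    return bytes(img)
```

An empty result only means nothing obviously foreign was found in the enabled keyslots; it does not prove a passphrase will unlock the header.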