[dm-crypt] LUKS device failure after Cryptsetup upgrade

[dm-crypt] LUKS device failure after Cryptsetup upgrade

[Maxime Alves]

[-- Attachment #1: Type: text/plain, Size: 926 bytes --]

Hi,

I just upgraded my Gentoo distribution, and now I can't open my Luks-encrypted
LMV volume. I spent almost a year without rebooting/upgrading and don't really
know what could have caused this error.

Cryptsetup was upgraded from 2.2.1 to 2.3.2, but I did not reboot since it was
version 1.7.5, so maybe I was still using the 1.7.5 through libvirt.


Sadly, I did NOT backup before upgrading my Gentoo distro, thinking that there
would be no big problem upgrading my system. The volume was unmounted, and is
used only in a virtual machine ran by libvirt/kvm. I realized the device was
not unlockable when I restarted my hypervisor and my VM.

I tried to use a SystemRescue iso to open the device, with cryptsetup 1.7.x . I
could repair the volume, but after that impossible to open it with my old
passphrase.

Thanks for reading,
Maxime


Here are some informations I gathered after the advices of some people of
#gentoo.


[-- Attachment #2: repair --]
[-- Type: text/plain, Size: 1576 bytes --]

## REPAIR

f00 /mnt/storage # cryptsetup repair --debug ./mail-20210131-old
# cryptsetup 2.3.2 processing "cryptsetup repair --debug ./mail-20210131-old"
# Running command repair.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device ./mail-20210131-old.
# Trying to open and read device ./mail-20210131-old with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device ./mail-20210131-old.
# Crypto backend (OpenSSL 1.1.1i  8 Dec 2020) initialized in cryptsetup library version 2.3.2.
# Detected kernel Linux 4.14.83-gentoo-xxxx-std-ipv6-64 x86_64.
# PBKDF pbkdf2-sha256, time_ms 2000 (iterations 0).
# Reading LUKS header of size 1024 from device ./mail-20210131-old
# Invalid stripes count 1 in keyslot 4.
LUKS keyslot 4 is invalid.
WARNING: Device ./mail-20210131-old already contains a 'dos' partition signature.

WARNING!
========
Really try to repair LUKS device header?

Are you sure? (Type 'yes' in capital letters): YES
# Trying to repair any crypt type from device ./mail-20210131-old.
# Reading LUKS header of size 1024 from device ./mail-20210131-old
# Reusing open ro fd on device ./mail-20210131-old
# Invalid stripes count 1 in keyslot 4.
LUKS keyslot 4 is invalid.
Non standard keyslots alignment, manual repair required.
# Releasing crypt device ./mail-20210131-old context.
# Releasing device-mapper backend.
# Closing read only fd for ./mail-20210131-old.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).


[-- Attachment #3: hexdump --]
[-- Type: text/plain, Size: 3006 bytes --]

## HEXDUMP

f00 /mnt/storage # hexdump -C -n 4096 ./mail-20210131-old
00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  78 74 73 2d 70 6c 61 69  |........xts-plai|
00000030  6e 36 34 00 00 00 00 00  00 00 00 00 00 00 00 00  |n64.............|
00000040  00 00 00 00 00 00 00 00  73 68 61 32 35 36 00 00  |........sha256..|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 10 00 00 00 00 40  |...............@|
00000070  17 36 b2 d3 46 d2 62 85  49 2d 67 3d 20 ed 07 26  |.6..F.b.I-g= ..&|
00000080  37 4a ac 0e 87 3a bb 2a  44 e4 60 6b 2d 4b 8d 68  |7J...:.*D.`k-K.h|
00000090  3b 37 5e 49 9a 16 c2 fd  4e b4 a7 f6 15 e5 87 45  |;7^I....N......E|
000000a0  ec cd 85 0e 00 01 ae aa  31 38 64 35 32 64 33 33  |........18d52d33|
000000b0  2d 62 34 66 63 2d 34 35  30 37 2d 38 62 30 65 2d  |-b4fc-4507-8b0e-|
000000c0  63 65 66 64 39 35 61 36  61 61 61 38 00 00 00 00  |cefd95a6aaa8....|
000000d0  00 ac 71 f3 00 0f 23 f8  16 8b 75 b3 0e 89 06 b2  |..q...#...u.....|
000000e0  1a a5 ac ba 43 ee 34 d9  db 93 1d e6 b6 b2 84 a4  |....C.4.........|
000000f0  4c cb 81 ed 48 0f 49 23  00 00 00 08 00 00 0f a0  |L...H.I#........|
00000100  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000120  00 00 00 00 00 00 00 00  00 00 02 00 00 00 0f a0  |................|
00000130  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000150  00 00 00 00 00 00 00 00  00 00 03 f8 00 00 0f a0  |................|
00000160  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000180  00 00 00 00 00 00 00 00  00 00 05 f0 00 00 0f a0  |................|
00000190  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001b0  00 00 00 00 00 00 00 00  00 00 07 e8 00 00 00 01  |................|
000001c0  01 00 83 0f ff ff 3f 00  00 00 71 ff 3f 01 00 00  |......?...q.?...|
000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000210  00 00 00 00 00 00 00 00  00 00 0b d8 00 00 0f a0  |................|
00000220  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000230  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000240  00 00 00 00 00 00 00 00  00 00 0d d0 00 00 0f a0  |................|
00000250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001000

[-- Attachment #4: Type: text/plain, Size: 135 bytes --]

_______________________________________________
dm-crypt mailing list
dm-crypt@saout.de
https://www.saout.de/mailman/listinfo/dm-crypt

Re: [dm-crypt] LUKS device failure after Cryptsetup upgrade

[Milan Broz]

Hi,

We maintain strict backward compatibility, so there should be
no problem during any upgrade.

But you have apparently corrupted LUKS header here, reading from the debug log:

  # Invalid stripes count 1 in keyslot 4.
  LUKS keyslot 4 is invalid.

  LUKS keyslot 4 is invalid.
  Non standard keyslots alignment, manual repair required.

it seems there is some corruption in metadata area, but because
there is some non-standard data alignment, cryptsetup code will
*not* repair this automatically.

If the corruption is *only* in the unused keyslot metadata, this should
be easily recoverable, just automatic repair is not possible.
(But if the corruption is in the used keyslot area also, your data is lost!)

If you can send me (privately, not to the list) first 4096 bytes from your LUKS device LV
(this should contain only metadata, no private keyslot material), I can try to fix it.

Use dd (and send me luks.img file):
dd if=<your LUKS volume/LV> of=luks.img bs=4096 count=1 iflag=direct

In any case, be sure to backup existing LUKS header though!

(If not possible through cryptsetup because of invalid header, just dd first 4MB of disk area).

Milan

On 31/01/2021 17:48, Maxime Alves wrote:
> Hi,
> 
> I just upgraded my Gentoo distribution, and now I can't open my Luks-encrypted
> LMV volume. I spent almost a year without rebooting/upgrading and don't really
> know what could have caused this error.
> 
> Cryptsetup was upgraded from 2.2.1 to 2.3.2, but I did not reboot since it was
> version 1.7.5, so maybe I was still using the 1.7.5 through libvirt.
> 
> 
> Sadly, I did NOT backup before upgrading my Gentoo distro, thinking that there
> would be no big problem upgrading my system. The volume was unmounted, and is
> used only in a virtual machine ran by libvirt/kvm. I realized the device was
> not unlockable when I restarted my hypervisor and my VM.
> 
> I tried to use a SystemRescue iso to open the device, with cryptsetup 1.7.x . I
> could repair the volume, but after that impossible to open it with my old
> passphrase.
> 
> Thanks for reading,
> Maxime
> 
> 
> Here are some informations I gathered after the advices of some people of
> #gentoo.
> 
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt
> 
_______________________________________________
dm-crypt mailing list
dm-crypt@saout.de
https://www.saout.de/mailman/listinfo/dm-crypt