DM-Crypt Archive on lore.kernel.org
* [dm-crypt] Unlocking volume using master key
@ 2012-02-10 20:11 anirudh takkallapally
  2012-02-10 21:05 ` Milan Broz
  0 siblings, 1 reply; 4+ messages in thread
From: anirudh takkallapally @ 2012-02-10 20:11 UTC (permalink / raw)
  To: dm-crypt

Hi,
    Here is my problem: I have an encrypted volume which is in a locked state and
it has snapshots attached to it; the snapshots are read-only snapshots. I took a
backup of the master key associated with the encrypted volume.

I cannot use the master key to add a new passphrase, since the new passphrase
will only be there on the source volume but will not get propagated to the
snapshots. I won't be able to use the new passphrase to unlock my snapshots.

My question here is: how do we unlock an encrypted volume using the master
key, without having to add a new passphrase?

I am currently using cryptsetup 1.2 and I am on kernel 2.6.39.3.

Thanks, and I appreciate your help.


* Re: [dm-crypt] Unlocking volume using master key
  2012-02-10 20:11 [dm-crypt] Unlocking volume using master key anirudh takkallapally
@ 2012-02-10 21:05 ` Milan Broz
  2012-02-10 23:21   ` anirudh takkallapally
  0 siblings, 1 reply; 4+ messages in thread
From: Milan Broz @ 2012-02-10 21:05 UTC (permalink / raw)
  To: anirudh takkallapally; +Cc: dm-crypt

On 02/10/2012 09:11 PM, anirudh takkallapally wrote:
> My question over here is How do we unlock an encrypted volume using the Master
> key? this is without having to add a new passphrase.

Hm, this is interesting... it is possible through the libcryptsetup API,
but the cryptsetup CLI allows using --master-key-file only in
luksFormat and luksAddKey.

It should be easy to add; if you can add an issue on the project page,
I will add it to the next version (for luksOpen).

For now, I think the only "simple" shell solution is to store not only
the master key, but the whole mapping table
("dmsetup table --showkeys") and activate the volume using
dmsetup create <name> --table "<stored table>"
(this bypasses LUKS completely - can be dangerous if wrongly used).
(In the mapping table you can replace the device with the path to the snapshot.)

It is not an ideal solution though...

Milan
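
Added example, not part of Milan's message or of cryptsetup: a POSIX shell helper for the dmsetup workaround described above, which checks a table saved with `dmsetup table --showkeys` and swaps in the snapshot device. The sample table, key, and device paths are constructed, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Table layout assumed (dm-crypt target):
#   <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset> [opts...]

# Constructed sample of `dmsetup table --showkeys <name>` output; key is a dummy.
SAMPLE_TABLE='0 4190208 crypt aes-cbc-essiv:sha256 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 0 253:2 4096'

# retarget_crypt_table <saved table line> <new device>
# Prints the table with only the backing device replaced; fails on bad input.
retarget_crypt_table() (
    table=$1
    new_dev=$2
    set -f                       # no globbing while splitting the table
    set -- $table
    [ "$#" -ge 8 ] || { echo "expected >= 8 fields, got $#" >&2; exit 1; }
    [ "$3" = crypt ] || { echo "not a crypt target: $3" >&2; exit 1; }
    key=$5
    case $key in
        ''|*[!0-9a-fA-F]*) echo "key field is not hex" >&2; exit 1 ;;
    esac
    [ $(( ${#key} % 2 )) -eq 0 ] || { echo "odd-length hex key" >&2; exit 1; }
    # Without --showkeys, dmsetup prints zeros in place of the key.
    case $key in
        *[!0]*) ;;
        *) echo "key is all zeros; table saved without --showkeys?" >&2; exit 1 ;;
    esac
    case $new_dev in
        ''|*[!A-Za-z0-9/_.:-]*) echo "bad device: $new_dev" >&2; exit 1 ;;
    esac
    start=$1 len=$2 cipher=$4 iv=$6 off=$8
    shift 8                      # whatever remains is optional parameters
    echo "$start $len crypt $cipher $key $iv $new_dev $off${*:+ $*}"
)

# Stand-alone demo on the constructed sample (hypothetical snapshot path).
retarget_crypt_table "$SAMPLE_TABLE" /dev/vg0/snap1

# Real use needs root. Feeding the table on stdin keeps the key out of the
# process list, and --readonly matches a read-only snapshot:
#   umask 077; dmsetup table --showkeys <name> > saved.table
#   retarget_crypt_table "$(cat saved.table)" /dev/vg0/snap1 |
#       dmsetup create <snap_name> --readonly
```

The saved table holds the raw volume key, so it needs the same protection as a master key file.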


* Re: [dm-crypt] Unlocking volume using master key
  2012-02-10 21:05 ` Milan Broz
@ 2012-02-10 23:21   ` anirudh takkallapally
  2012-02-11 10:33     ` Milan Broz
  0 siblings, 1 reply; 4+ messages in thread
From: anirudh takkallapally @ 2012-02-10 23:21 UTC (permalink / raw)
  To: dm-crypt

Ok cool, thanks for the quick response.

I am compiling cryptsetup, so I am guessing I will be able to call the
libcryptsetup API.

int crypt_init_by_name(struct crypt_device **cd, const char *name);
to get the crypt_device.

And then use the below code to unlock the volume.

int crypt_activate_by_volume_key(struct crypt_device *cd,
        const char *name,
        const char *volume_key,
        size_t volume_key_size,
        uint32_t flags);
to unlock the volume?

Is this the way to do it, and if yes, what should be the default flags?

Thanks


* Re: [dm-crypt] Unlocking volume using master key
  2012-02-10 23:21   ` anirudh takkallapally
@ 2012-02-11 10:33     ` Milan Broz
  0 siblings, 0 replies; 4+ messages in thread
From: Milan Broz @ 2012-02-11 10:33 UTC (permalink / raw)
  To: anirudh takkallapally; +Cc: dm-crypt

On 02/11/2012 12:21 AM, anirudh takkallapally wrote:
> Ok cool, thanks for the quick response.
>
> i am compiling cryptsetup, so can i am guessing i will be able to call
> libcryptsetup API.

It was quicker to implement it than to explain :)
Try upstream git now; see this commit:
http://code.google.com/p/cryptsetup/source/detail?r=d54204564519682881e9a125dd37e3c39502ebfa#

Basically, if you have the volume key somewhere in a file, you can not only
use it to format

cryptsetup luksFormat --master-key-file <vk_file> <device>

but you can also open the device using it now

cryptsetup luksOpen --master-key-file <vk_file> <device> <mapped_name>


Obviously, you are responsible for ensuring that the VK is generated properly
(enough entropy etc.) and that you store the VK file safely
(anyone can map the device using this file without passphrase knowledge).

Use at your own risk :-)

(I will perhaps release version 1.4.2 soon.)

Thanks,
Milan
