From: Daniel Troeder <daniel@admin-box.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure.
Date: Wed, 05 May 2010 21:39:21 +0200 [thread overview]
Message-ID: <4BE1C969.1010009@admin-box.com> (raw)
In-Reply-To: <4BE12F73.2080708@xunil.at>
On 05/05/2010 10:42 AM, Stefan G. Weichinger wrote:
> Am 05.05.2010 10:00, schrieb Daniel Troeder:
>
>> That is a message from cryptsetup. As you are using openssl to get
>> the key, I think the problem might be there.
>
> ok ....
>
>> lvcreate -n crypttest -L 100M vg0
>> KEY=`tr -cd '[:graph:]' < /dev/urandom | head -c 79`
>> echo $KEY | openssl aes-256-ecb > verysekrit.key
>> openssl aes-256-ecb -d -in verysekrit.key # (aha :)
>> openssl aes-256-ecb -d -in verysekrit.key | cryptsetup -v --cipher aes-cbc-plain --key-size 256 luksFormat /dev/vg0/crypttest
>> openssl aes-256-ecb -d -in verysekrit.key | cryptsetup luksOpen /dev/vg0/crypttest decryptedtest
>> cryptsetup luksClose crypttest # (i couldn't close it... don't know why...)
>>
>> The key that cryptsetup is given to decrypt the partition is
>> created by openssl from the file. Please check the output of
>> $ openssl aes-256-ecb -d -in verysekrit.key
>> under both kernels - it should be identical.
>
> At first, thank you for your time and work!
>
> Tried that. I have to admit that I don't know the decryption
> password ... but as far as I understand it should be the same as the
> unix-password of the user sgw. pam_mount.so should read it when I
> log in, correct?
Yes. The pam_mount man page (http://linux.die.net/man/8/pam_mount) says so.
It's actually quite verbose on the topic.
> With this password I get a "bad decrypt" so this explains why it
> fails.
If you cannot decrypt your keyfile (with openssl) then you have just
lost any way to decrypt your partition!
But there is an idea in the man page of which I didn't think: did you
maybe change your users password? If so, you need to use the old pw to
decrypt the keyfile. If you can, then you can use the new pw to encrypt
the key again (make backups of the original file).
There is also the possibility your keyfile was corrupted somehow (file
system corruption?). Do you have a backup of the keyfile (and your data:)?
BTW: a LUKS encrypted partition can have 8 keys (in so called "key
slots"), so that you can add a "fallback key" the next time, which you
store at a trusted place.
Good luck,
Daniel
> Please let me repeat/point out that it is the same for 3 kernels
> (2.6.32-r1, 2.6.33-r[12] ... ), so I should change the subject to
> stay correct ...
>
>> BTW: You'll get your error message if you run:
>> $ echo notmykey | cryptsetup luksOpen /dev/vg0/crypttest decryptedtes
>
> Yes, correct.
>
> -
>
> I really wonder what the reason is ... should I downgrade openssl?
>
> Thanks Stefan
>
--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
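The procedure Daniel describes above (check that the openssl-wrapped keyfile still decrypts, re-wrap it under the new password with a backup of the original, and add a LUKS fallback key slot) as a script. This is an added example, not code from the thread or from pam_mount; the function names are made up here. It assumes openssl(1) is in PATH, that the keyfile was produced the way the thread shows (`echo $KEY | openssl aes-256-ecb > verysekrit.key`, with the Unix password as the openssl passphrase), and that the last function is run as root against a real LUKS device, which the self-test cannot do.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl(1) in PATH and a
# keyfile produced as the thread shows:  echo $KEY | openssl aes-256-ecb > file
# luks_add_fallback_slot additionally needs root and a real LUKS device.
set -u

CIPHER=aes-256-ecb   # the cipher the thread's keyfile uses

# decrypt_keyfile PASSWORD KEYFILE
# Prints the plaintext key; exit status is openssl's, so a wrong password
# normally gives "bad decrypt" and a non-zero status. "openssl enc -CIPHER"
# is the same operation as the thread's "openssl CIPHER". The password goes
# in through the environment rather than -pass pass:..., so it does not show
# up in the process list.
decrypt_keyfile() {
    KEYFILE_PW="$1" openssl enc "-$CIPHER" -d -in "$2" -pass env:KEYFILE_PW 2>/dev/null
}

# keyfile_decrypts PASSWORD KEYFILE -> 0 if the file opens with PASSWORD.
# openssl only validates the padding here, so roughly 1 in 256 wrong
# passwords "succeeds" with garbage; reencrypt_keyfile therefore verifies
# the round trip by content, not by exit status alone.
keyfile_decrypts() {
    decrypt_keyfile "$1" "$2" >/dev/null
}

# reencrypt_keyfile OLD_PASSWORD NEW_PASSWORD KEYFILE
# After a Unix password change: decrypt with the old password, keep
# KEYFILE.bak, write the new wrapping to a temp file, verify it decrypts
# back to the same key under the new password, and only then replace KEYFILE.
reencrypt_keyfile() {
    old="$1"; new="$2"; f="$3"
    key=$(decrypt_keyfile "$old" "$f") || {
        echo "reencrypt_keyfile: old password does not decrypt $f" >&2
        return 1
    }
    cp -p "$f" "$f.bak" || return 1
    tmp="$f.new.$$"
    printf '%s\n' "$key" |
        KEYFILE_PW="$new" openssl enc "-$CIPHER" -out "$tmp" -pass env:KEYFILE_PW 2>/dev/null ||
        { rm -f "$tmp"; return 1; }
    if [ "$(decrypt_keyfile "$new" "$tmp")" != "$key" ]; then
        rm -f "$tmp"
        echo "reencrypt_keyfile: round-trip check failed, $f left untouched" >&2
        return 1
    fi
    mv "$tmp" "$f"
}

# luks_add_fallback_slot PASSWORD KEYFILE DEVICE FALLBACK_KEYFILE
# Puts a fresh random key into a second LUKS key slot so the volume can
# still be opened if the openssl-wrapped keyfile is lost or stops
# decrypting. The existing key is piped to cryptsetup exactly as the thread
# does (no --key-file -, so cryptsetup strips the trailing newline the same
# way it did at luksFormat time). Requires root and a real device.
luks_add_fallback_slot() {
    pw="$1"; f="$2"; dev="$3"; fb="$4"
    ( umask 077 && head -c 64 /dev/urandom > "$fb" ) || return 1
    decrypt_keyfile "$pw" "$f" | cryptsetup luksAddKey "$dev" "$fb" || return 1
    # The fallback key is binary and is read whole, so open with it via:
    #   cryptsetup luksOpen --key-file "$fb" "$dev" <mapping-name>
    echo "fallback key written to $fb; store it in a trusted place" >&2
}

# Command-line use: keyfile.sh check PW FILE | reencrypt OLD NEW FILE |
#                   fallback PW FILE DEVICE FALLBACK_FILE
case "${1:-}" in
    check)     keyfile_decrypts "$2" "$3" && echo "ok" || { echo "bad decrypt"; exit 1; } ;;
    reencrypt) reencrypt_keyfile "$2" "$3" "$4" ;;
    fallback)  luks_add_fallback_slot "$2" "$3" "$4" "$5" ;;
esac
```

Two points worth keeping in mind when running the "check" step on two systems as Daniel suggests: the password-to-key derivation of `openssl enc` depends on the openssl build's defaults (the default digest moved from MD5 to SHA-256 in OpenSSL 1.1.0), so a keyfile can decrypt on one system and report "bad decrypt" on another unless the digest is pinned with `-md`; and in the thread's own command list the volume is mapped as `decryptedtest` but closed as `crypttest`, which is why that luksClose could not find anything to close.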