From: Daniel Troeder
Date: Wed, 05 May 2010 21:39:21 +0200
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure.
Message-ID: <4BE1C969.1010009@admin-box.com>

On 05/05/2010 10:42 AM, Stefan G. Weichinger wrote:
> On 05.05.2010 10:00, Daniel Troeder wrote:
>
>> That is a message from cryptsetup. As you are using openssl to get
>> the key, I think the problem might be there.
>
> ok ....
>
>> lvcreate -n crypttest -L 100M vg0
>> KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`
>> echo $KEY | openssl aes-256-ecb > verysekrit.key
>> openssl aes-256-ecb -d -in verysekrit.key # (aha :)
>> openssl aes-256-ecb -d -in verysekrit.key | cryptsetup -v --cipher aes-cbc-plain --key-size 256 luksFormat /dev/vg0/crypttest
>> openssl aes-256-ecb -d -in verysekrit.key | cryptsetup luksOpen /dev/vg0/crypttest decryptedtest
>> cryptsetup luksClose crypttest # (i couldn't close it... don't know why...)
>>
>> The key that cryptsetup is given to decrypt the partition is
>> created by openssl from the file. Please check the output of
>> $ openssl aes-256-ecb -d -in verysekrit.key
>> under both kernels - it should be identical.
>
> At first, thank you for your time and work!
>
> Tried that. I have to admit that I don't know the decryption
> password ...
> but as far as I understand it should be the same as the
> unix-password of the user sgw. pam_mount.so should read it when I
> log in, correct?

Yes. The pam_mount man page (http://linux.die.net/man/8/pam_mount) says
so. It's actually quite verbose on the topic.

> With this password I get a "bad decrypt" so this explains why it
> fails.

If you cannot decrypt your keyfile (with openssl) then you have just
lost any way to decrypt your partition!

But there is an idea in the man page of which I didn't think: did you
maybe change your user's password? If so, you need to use the old pw to
decrypt the keyfile. If you can, then you can use the new pw to encrypt
the key again (make backups of the original file).

There is also the possibility your keyfile was corrupted somehow (file
system corruption?). Do you have a backup of the keyfile (and your data:)?

BTW: a LUKS encrypted partition can have 8 keys (in so-called "key
slots"), so that you can add a "fallback key" the next time, which you
store at a trusted place.

Good luck,
Daniel

> Please let me repeat/point out that it is the same for 3 kernels
> (2.6.32-r1, 2.6.33-r[12] ... ), so I should change the subject to
> stay correct ...
>
>> BTW: You'll get your error message if you run:
>> $ echo notmykey | cryptsetup luksOpen /dev/vg0/crypttest decryptedtes
>
> Yes, correct.
>
> -
>
> I really wonder what the reason is ... should I downgrade openssl?
>
> Thanks Stefan
>

--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
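
Added example, not part of the original message: the keyfile re-encryption after a password change and the fallback key slot suggested in the reply above, in POSIX shell. The function names, the OLD_PW/NEW_PW environment variables and the .orig/.new file suffixes are assumptions; the openssl invocation and the device name follow the commands quoted in the thread.

```shell
#!/bin/sh
# Added example. Passwords come from the exported environment variables
# OLD_PW and NEW_PW (assumed names) rather than from the command line.

# Re-encrypt an openssl-wrapped keyfile under a new password.
# Returns 0 on success, 1 if the backup failed, 2 if the old password is
# wrong (openssl's "bad decrypt"), 3 if re-encryption or verification failed.
rewrap_keyfile() {
    kf=$1
    # Keep the first-ever original and never overwrite it.
    [ -e "$kf.orig" ] || cp -p "$kf" "$kf.orig" || return 1
    openssl aes-256-ecb -d -in "$kf" -pass env:OLD_PW >/dev/null 2>&1 || return 2
    # Pipe decrypt into encrypt so the plaintext key never touches the disk.
    ( umask 077
      openssl aes-256-ecb -d -in "$kf" -pass env:OLD_PW 2>/dev/null |
          openssl aes-256-ecb -out "$kf.new" -pass env:NEW_PW 2>/dev/null
    ) || return 3
    # Replace the keyfile only if both copies decrypt to the same bytes.
    old=$(openssl aes-256-ecb -d -in "$kf" -pass env:OLD_PW 2>/dev/null |
          openssl dgst -sha256)
    new=$(openssl aes-256-ecb -d -in "$kf.new" -pass env:NEW_PW 2>/dev/null |
          openssl dgst -sha256)
    if [ -n "$old" ] && [ "$old" = "$new" ]; then
        mv "$kf.new" "$kf"
    else
        rm -f "$kf.new"
        return 3
    fi
}

# Enroll a fallback key in a free LUKS key slot, authorizing with the
# unwrapped key on stdin the same way the thread's luksOpen does.
# Needs root and a real LUKS device such as /dev/vg0/crypttest.
add_fallback_slot() {    # $1 keyfile, $2 device, $3 file with fallback key
    openssl aes-256-ecb -d -in "$1" -pass env:NEW_PW 2>/dev/null |
        cryptsetup luksAddKey "$2" "$3" &&
        cryptsetup luksDump "$2"    # shows which key slots are now in use
}
```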