On 05/05/2010 10:42 AM, Stefan G. Weichinger wrote:
> On 05.05.2010 10:00, Daniel Troeder wrote:
>
>> That is a message from cryptsetup. As you are using openssl to get
>> the key, I think the problem might be there.
>
> ok ....
>
>> lvcreate -n crypttest -L 100M vg0
>> KEY=`tr -cd '[:graph:]' < /dev/urandom | head -c 79`
>> echo $KEY | openssl aes-256-ecb > verysekrit.key
>> openssl aes-256-ecb -d -in verysekrit.key    # (aha :)
>> openssl aes-256-ecb -d -in verysekrit.key | cryptsetup -v --cipher \
>>     aes-cbc-plain --key-size 256 luksFormat /dev/vg0/crypttest
>> openssl aes-256-ecb -d -in verysekrit.key | cryptsetup luksOpen \
>>     /dev/vg0/crypttest decryptedtest
>> cryptsetup luksClose crypttest    # (i couldn't close it... don't know why...)
>>
>> The key that cryptsetup is given to decrypt the partition is
>> created by openssl from the file. Please check the output of
>> $ openssl aes-256-ecb -d -in verysekrit.key
>> under both kernels - it should be identical.
>
> At first, thank you for your time and work!
>
> Tried that. I have to admit that I don't know the decryption
> password ... but as far as I understand it should be the same as the
> unix-password of the user sgw. pam_mount.so should read it when I
> log in, correct?
Yes. The pam_mount man page (http://linux.die.net/man/8/pam_mount) says so.
It's actually quite verbose on the topic.

> With this password I get a "bad decrypt" so this explains why it
> fails.
If you cannot decrypt your keyfile (with openssl) then you have just
lost any way to decrypt your partition!

But there is an idea in the man page of which I didn't think: did you
maybe change your user's password? If so, you need to use the old pw to
decrypt the keyfile. If you can, then you can use the new pw to encrypt
the key again (make backups of the original file).

There is also the possibility your keyfile was corrupted somehow (file
system corruption?). Do you have a backup of the keyfile (and your data :)?

BTW: a LUKS encrypted partition can have 8 keys (in so called "key
slots"), so that you can add a "fallback key" the next time, which you
store at a trusted place.

Good luck,
Daniel

> Please let me repeat/point out that it is the same for 3 kernels
> (2.6.32-r1, 2.6.33-r[12] ... ), so I should change the subject to
> stay correct ...
>
>> BTW: You'll get your error message if you run:
>> $ echo notmykey | cryptsetup luksOpen /dev/vg0/crypttest decryptedtes
>
> Yes, correct.
>
> -
>
> I really wonder what the reason is ... should I downgrade openssl?
>
> Thanks Stefan
>


-- 
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
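The recovery path Daniel sketches above (decrypt the keyfile with the old password, re-encrypt it with the new one, keep a backup of the original) as an added example in POSIX sh; this is not code from the thread or from pam_mount. It keeps the thread's `openssl aes-256-ecb` wrapping so the result stays usable by the existing pam_mount setup, but pins the key-derivation digest, passes passwords through the environment instead of the command line, and never overwrites the original until the old password has been shown to decrypt it and the new file has been decrypted back and compared. The file names, the passwords `oldpass`/`newpass`/`wrongpass`, and the `KEYFILE_MD` default are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): re-wrap a pam_mount keyfile that
# was encrypted with "openssl aes-256-ecb" from the old login password to the
# new one, in the safe order Daniel describes: prove the old password still
# decrypts the file, keep a backup, and only then replace it. Passwords,
# file names and the KEYFILE_MD default are assumptions for this example.
set -eu
umask 077   # temp files holding key material are owner-readable only

# Digest "openssl enc" uses to derive the AES key from the password. OpenSSL
# before 1.1.0 defaulted to md5, later releases to sha256; a keyfile written
# under one default and read under the other fails with "bad decrypt", so the
# digest is pinned explicitly instead of being left to whatever is installed.
KEYFILE_MD=${KEYFILE_MD:-sha256}

# Decrypt keyfile $1 with password $2 to stdout. The password travels through
# the environment (-pass env:) rather than the command line, so it is not
# visible in "ps". Exit status is openssl's: a wrong password or a damaged
# file is reported as failure instead of silently handing garbage downstream.
decrypt_keyfile() {
    KEYFILE_PW=$2 openssl enc -d -aes-256-ecb -md "$KEYFILE_MD" \
        -in "$1" -pass env:KEYFILE_PW
}

# Encrypt stdin into keyfile $1 with password $2 (same scheme as
# "echo $KEY | openssl aes-256-ecb > verysekrit.key" in the thread).
encrypt_keyfile() {
    KEYFILE_PW=$2 openssl enc -aes-256-ecb -md "$KEYFILE_MD" \
        -out "$1" -pass env:KEYFILE_PW
}

# Re-wrap keyfile $1 from old password $2 to new password $3.
# The original is copied to $1.bak and is replaced only after the old
# password has decrypted it and the new file has been decrypted back and
# compared, so a wrong guess at the old password cannot destroy the only key.
rewrap_keyfile() {
    keyfile=$1; oldpw=$2; newpw=$3
    tmp=$(mktemp)
    if ! decrypt_keyfile "$keyfile" "$oldpw" > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "rewrap_keyfile: old password does not decrypt $keyfile" >&2
        return 1
    fi
    cp -p "$keyfile" "$keyfile.bak"
    encrypt_keyfile "$keyfile.new" "$newpw" < "$tmp"
    if decrypt_keyfile "$keyfile.new" "$newpw" 2>/dev/null | cmp -s - "$tmp"; then
        rm -f "$tmp"
        mv "$keyfile.new" "$keyfile"
        return 0
    fi
    rm -f "$tmp" "$keyfile.new"
    echo "rewrap_keyfile: round-trip check failed, $keyfile left untouched" >&2
    return 1
}

# Stand-alone demonstration: a fresh 79-character key generated the way the
# thread does it, wrapped under "oldpass", then re-wrapped to "newpass".
demo() {
    dir=$(mktemp -d)
    key=$(tr -cd '[:graph:]' < /dev/urandom | head -c 79)
    printf '%s\n' "$key" | encrypt_keyfile "$dir/verysekrit.key" oldpass
    rewrap_keyfile "$dir/verysekrit.key" oldpass newpass
    if [ "$(decrypt_keyfile "$dir/verysekrit.key" newpass)" = "$key" ]; then
        echo "re-wrapped keyfile decrypts to the original key with the new password"
    fi
    if decrypt_keyfile "$dir/verysekrit.key" wrongpass > /dev/null 2>&1; then
        echo "wrong password was not rejected (padding happened to check out)"
    else
        echo "wrong password: bad decrypt, as in the thread"
    fi
    rm -rf "$dir"
}

case "${1:-}" in demo) demo ;; esac
```

Running the file with the single argument `demo` exercises the whole path on a throwaway key. For the setup in the thread the call would be `rewrap_keyfile /path/to/verysekrit.key 'old login password' 'new login password'`, with `KEYFILE_MD=md5` exported first if the file was written by an OpenSSL older than 1.1.0 (every release current in 2010). ECB is kept only because the existing pam_mount configuration expects that wrapping; it is not a mode to pick for a new design. Once the keyfile opens the volume again, `cryptsetup luksAddKey /dev/vg0/crypttest` puts a second passphrase into one of the free key slots Daniel mentions, which is the fallback that makes a lost or corrupted keyfile survivable.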