| 1 |
On 05/05/2010 10:42 AM, Stefan G. Weichinger wrote: |
| 2 |
> Am 05.05.2010 10:00, schrieb Daniel Troeder: |
| 3 |
> |
| 4 |
>> That is a message from cryptsetup. As you are using openssl to get |
| 5 |
>> the key, I think the problem might be there. |
| 6 |
> |
| 7 |
> ok .... |
| 8 |
> |
| 9 |
>> lvcreate -n crypttest -L 100M vg0 KEY=`tr -cd [:graph:] < |
| 10 |
>> /dev/urandom | head -c 79` echo $KEY | openssl aes-256-ecb > |
| 11 |
>> verysekrit.key openssl aes-256-ecb -d -in verysekrit.key # (aha :) |
| 12 |
>> openssl aes-256-ecb -d -in verysekrit.key | cryptsetup -v --cipher |
| 13 |
>> aes-cbc-plain --key-size 256 luksFormat /dev/vg0/crypttest |
| 14 |
>> openssl aes-256-ecb -d -in verysekrit.key | cryptsetup luksOpen |
| 15 |
>> /dev/vg0/crypttest decryptedtest cryptsetup luksClose crypttest # |
| 16 |
>> (i couldn't close it... don't know why...) |
| 17 |
>> |
| 18 |
>> The key that cryptsetup is given to decrypt the partition is |
| 19 |
>> created by openssl from the file. Please check the output of $ |
| 20 |
>> openssl aes-256-ecb -d -in verysekrit.key under both kernel - it |
| 21 |
>> should be identical. |
| 22 |
> |
| 23 |
> At first, thank you for your time and work! |
| 24 |
> |
| 25 |
> Tried that. I have to admit that I don't know the decryption |
| 26 |
> password ... but as far as I understand it should be the same as the |
| 27 |
> unix-password of the user sgw. pam_mount.so should read it when I |
| 28 |
> log in, correct? |
| 29 |
Yes. Than pam_mount man page (http://linux.die.net/man/8/pam_mount) says so. |
| 30 |
It's actually quite verbose on the topic. |
| 31 |
|
| 32 |
> With this password I get a "bad decrypt" so this explains why it |
| 33 |
> fails. |
| 34 |
If you cannot decrypt your keyfile (with openssl) then you have just |
| 35 |
lost any way to decrypt your partition! |
| 36 |
|
| 37 |
But there is an idea in the man page of which I didn't think: did you |
| 38 |
maybe change your users password? If so, you need to use the old pw to |
| 39 |
decrypt the keyfile. If you can, then you can use the new pw to encrypt |
| 40 |
the key again (make backups of the original file). |
| 41 |
|
| 42 |
There is also the possibility your keyfile was corrupted somehow (file |
| 43 |
system corruption?). Do you have a backup of the keyfile (and your data:)? |
| 44 |
|
| 45 |
BTW: a LUKS encrypted partition can have 8 keys (in so called "key |
| 46 |
slots"), so that you can add a "fallback key" the next time, which you |
| 47 |
store at a trusted place. |
| 48 |
|
| 49 |
Good luck, |
| 50 |
Daniel |
| 51 |
|
| 52 |
> Please let me repeat/point out that it is the same for 3 kernels |
| 53 |
> (2.6.32-r1, 2.6.33-r[12] ... ), so I should change the subject to |
| 54 |
> stay correct ... |
| 55 |
> |
| 56 |
>> BTW: You'll get your error message if you run: $ echo notmykey | |
| 57 |
>> cryptsetup luksOpen /dev/vg0/crypttest decryptedtes |
| 58 |
> |
| 59 |
> Yes, correct. |
| 60 |
> |
| 61 |
> - |
| 62 |
> |
| 63 |
> I really wonder what the reason is ... should I downgrade openssl? |
| 64 |
> |
| 65 |
> Thanks Stefan |
| 66 |
> |
| 67 |
|
| 68 |
|
| 69 |
-- |
| 70 |
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get |
| 71 |
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887 |
Archives