[SOLVED] Restore DM-Crypt Headers

dk_zero-cool · 09-06-2015, 10:01 AM

Hi.
I have a hard drive encrypted with DMCrypt/Luks without any outer partition table (sdx). Today I needed to format a small USB Pen but ended up writing a new dos partition table to the encrypted drive instead. For now there is no problem as the drive is unlocked and currently mounted. So I can still access the data on it. But blkid on the device now says PTTYPE="dos", so I am guessing that rebooting would be a bad idea. Is there any way to restore the luks headers to this device?

rknichols · 09-06-2015, 12:58 PM

You are correct that rebooting would be a very bad idea and would result in permanent loss of your data.

The relevant section of the Cryptsetup FAQ is 6.10.

Before doing anything else, I would get a printable representation of the master key from the device mapper and keep a paper copy.

Code:

# dmsetup table --target crypt --showkey /dev/mapper/some_name

  Typical result, broken into separate lines for readability:
  0 200704 crypt aes-cbc-essiv:sha256
  a1704d9715f73a1bb4db581dcacadaf405e700d591e93e2eaade13ba653d0d09
  0 7:0 4096

Make the obvious substitution for "some_name". The rest of the instructions are in that FAQ section. As long as you have that master key, you can recover from whatever happens to the LUKS header.

dk_zero-cool · 09-06-2015, 01:16 PM

Quote:

Originally Posted by rknichols

You are correct that rebooting would be a very bad idea and ...

Quick reply, thanks for that.
I piped the output of the command from your example into a file. I am guessing that I need to use the below command using that file? Just want to be sure before doing anything. I do have backup of everything since I always keep my desktop and laptop in sync, but coping takes time so fixing the headers would be so much easier.

Code:

cryptsetup luksFormat --master-key-file=<master-key-file> <luks device>

rknichols · 09-06-2015, 01:25 PM

Quote:

Originally Posted by dk_zero-cool

I am guessing that I need to use the below command using that file? Just want to be sure before doing anything. I do have backup of everything since I always keep my desktop and laptop in sync, but coping takes time so fixing the headers would be so much easier.

Code:

cryptsetup luksFormat --master-key-file=<master-key-file> <luks device>

Read the FAQ section. There is more to it than that. The FAQ contains a link to a script that you can download and run to automate the recovery process. Having a copy of that master key information somewhere not subject to accidental erasure (which is why I suggest paper) is just the ultimate backup for when the steps in the FAQ go wrong.

dk_zero-cool · 09-07-2015, 02:49 AM

Quote:

Originally Posted by rknichols

Read the FAQ section. There is more to it than that. The FAQ contains a link to a script that you can download and run to automate the recovery process. Having a copy of that master key information somewhere not subject to accidental erasure (which is why I suggest paper) is just the ultimate backup for when the steps in the FAQ go wrong.

Thanks a lot. This worked and you just saved me a lot of time

rknichols · 09-07-2015, 09:04 AM

Glad I got there in time. If you had a power failure or anything that caused a reboot, all would have been lost. You really should make a backup of the LUKS header and store it in a secure location. Sections 6.1 and 6.2 of the FAQ deal with that.

Also, anyone who gets ahold of that master key information you saved will always be able to unlock the encrypted volume, and changing a passphrase would not affect that. Make sure that can't happen. That information is far more sensitive than the backed-up LUKS header. To use the latter, you have to know or crack the passphrase. If you have the master key information, you're already in.

dk_zero-cool · 09-07-2015, 09:50 AM

Quote:

Originally Posted by rknichols

Glad I got there in time. If you had a power failure or anything that caused a reboot, all would have been lost. You really should make a backup of the LUKS header and store it in a secure location. Sections 6.1 and 6.2 of the FAQ deal with that.

I will. I'm just gonna make a usb disk with similar encryption and store it on that