[Whonix-devel] [dm-crypt] Troubleshooting: Header Conversion to argon2id

procmem procmem at riseup.net
Wed Sep 12 17:21:00 CEST 2018



Milan Broz:
> On 12/09/18 06:16, procmem wrote:
>> Ondrej Kozina:
>>> On 09/11/2018 07:09 PM, procmem wrote:
>>>> Hi, I went ahead and tested the commands recommended by Milan for
>>>> converting headers to use the better pbkdf algo. Unfortunately I'm
>>>> running into an obscure error and wanted your advice on how to solve it.
>>>>
>>>> Please see the output of the command with --debug
>>>>
>>> Hi,
>>>
>>> luksConvertKey command works only on LUKS2 keyslots. Looking at debug
>>> output it seems your device is not LUKS2 type.
>>>
>>> Regards
>>> Ondrej
>>
>> Now that I think about it this can't be the reason because the header is
>> LUKS2 when using cryptsetup 2.0 and above - which is the version
>> included in Debian Testing/Buster.
> 
> No, header is not always LUKS2 by default, cryptsetup 2.0.x luksFormat still uses LUKS1
> format by default. Do not mix version of utility and version of LUKS metadata format.
> 
> Anyway, it seems that there is no LUKS header on the device at all, or it is somehow
> corrupted, all commands then must fail of course.
> 
> Can you please paste output of "blkid -p <device>" and "cryptsetup luksDump --debug <device>" ?
> 
> m.
> 



Summary: OK. Looks like I was manipulating the wrong device. It is vda5
not vda1 that has the header. The header is version 1. Conversion to v2
still fails however.





blkid -p /dev/vda5
/dev/vda5: VERSION="1" UUID="fd28a001-e2a1-46dc-8e6c-99f0a55b1851" TYPE="crypto_LUKS" USAGE="crypto" PART_ENTRY_SCHEME="dos" PART_ENTRY_UUID="860c80ea-05" PART_ENTRY_TYPE="0x83" PART_ENTRY_NUMBER="5" PART_ENTRY_OFFSET="501760" PART_ENTRY_SIZE="104353792" PART_ENTRY_DISK="254:0"


***


cryptsetup luksDump --debug /dev/vda5
# cryptsetup 2.0.4 processing "cryptsetup luksDump --debug /dev/vda5"
# Running command luksDump.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/vda5.
# Trying to open and read device /dev/vda5 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/vda5.
# Crypto backend (gcrypt 1.8.3) initialized in cryptsetup library version 2.0.4.
# Detected kernel Linux 4.17.0-3-amd64 x86_64.
# PBKDF pbkdf2, hash sha256, time_ms 2000 (iterations 0), max_memory_kb 0, parallel_threads 0.
# Reading LUKS header of size 1024 from device /dev/vda5
# Key length 64, device size 104353792 sectors, header size 4036 sectors.
LUKS header information for /dev/vda5

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      92 88 0b 12 d8 87 59 a4 01 25 08 a9 54 df 70 31 ac 31 8b 6f
MK salt:        7d 75 4b 38 2c ce 04 ba be 99 81 c7 18 4e d9 ea
                04 c3 70 16 6e 7b f3 74 92 c2 a5 da c8 86 8f 57
MK iterations:  64503
UUID:           fd28a001-e2a1-46dc-8e6c-99f0a55b1851

Key Slot 0: ENABLED
        Iterations:             1007276
        Salt:                   82 dd 05 76 f7 39 41 45 c9 a4 a6 f3 b4 a4 50 a5
                                f8 00 3a cb bd e1 ff 00 39 cb 74 b2 f2 1a 0a e9
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
# Releasing crypt device /dev/vda5 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command successful.


***


cryptsetup convert /dev/vda5 --type luks2 --debug
# cryptsetup 2.0.4 processing "cryptsetup convert /dev/vda5 --type luks2 --debug"
# Running command convert.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/vda5.
# Trying to open and read device /dev/vda5 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/vda5.
# Crypto backend (gcrypt 1.8.3) initialized in cryptsetup library version 2.0.4.
# Detected kernel Linux 4.17.0-3-amd64 x86_64.
# PBKDF pbkdf2, hash sha256, time_ms 2000 (iterations 0), max_memory_kb 0, parallel_threads 0.
# Reading LUKS header of size 1024 from device /dev/vda5
# Key length 64, device size 104353792 sectors, header size 4036 sectors.

WARNING!
========
This operation will convert /dev/vda5 to LUKS2 format.


Are you sure? (Type uppercase yes): YES
# Converting LUKS device to type LUKS2
# Max size: 2097152, LUKS1 (full) header size 2068480 , required shift: 28672
# DM-UUID is CRYPT-LUKS1-fd28a001e2a146dc8e6c99f0a55b1851-
Cannot convert device /dev/vda5 which is still in use.
# Releasing crypt device /dev/vda5 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code -5 (device already exists or device is busy).
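
Added example, not part of the original message and not cryptsetup's own code: a pre-flight check that reads the on-disk LUKS version (independent of the cryptsetup utility version) and looks for an active dm-crypt mapping before a LUKS1 to LUKS2 conversion. Function names are hypothetical, the sample header and the mapping name `example_name` are constructed, and the byte offsets are those of the LUKS1 on-disk header.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"          # first 6 bytes of a LUKS1 or LUKS2 header
SLOT_ENABLED = 0x00AC71F3             # LUKS1 keyslot "active" marker

def parse_luks_header(buf):
    """Header facts from the first 592 bytes of a device, or None if no LUKS magic."""
    if len(buf) < 8 or buf[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack(">H", buf[6:8])       # metadata format version
    info = {"version": version, "uuid": None, "enabled_slots": []}
    if version == 1 and len(buf) >= 592:
        info["uuid"] = buf[168:208].split(b"\0", 1)[0].decode("ascii")
        for slot in range(8):                        # 8 keyslots, 48 bytes each
            (active,) = struct.unpack_from(">I", buf, 208 + slot * 48)
            if active == SLOT_ENABLED:
                info["enabled_slots"].append(slot)
    return info

def active_mappings(uuid, dm_uuids):
    """Active dm-crypt DM-UUIDs for this LUKS UUID (format as in the debug log)."""
    needle = "-" + uuid.replace("-", "") + "-"
    return [u for u in dm_uuids if u.startswith("CRYPT-LUKS") and needle in u]

def next_step(info, dm_uuids=()):
    if info is None:
        return "no LUKS header on this device; check the partition"
    if info["version"] == 2:
        return "LUKS2: luksConvertKey can be used"
    if info["uuid"] and active_mappings(info["uuid"], dm_uuids):
        return "LUKS1 and mapped: close the mapping before cryptsetup convert"
    return "LUKS1: run cryptsetup convert --type luks2, then luksConvertKey"

def sample_luks1_header(uuid, enabled=(0,)):
    """Constructed LUKS1 header for the demo (field offsets only, no key material)."""
    buf = bytearray(592)
    buf[0:8] = LUKS_MAGIC + struct.pack(">H", 1)
    buf[168:168 + len(uuid)] = uuid.encode("ascii")
    for slot in range(8):
        marker = SLOT_ENABLED if slot in enabled else 0x0000DEAD
        struct.pack_into(">I", buf, 208 + slot * 48, marker)
    return bytes(buf)

if __name__ == "__main__":
    uuid = "fd28a001-e2a1-46dc-8e6c-99f0a55b1851"    # UUID from the luksDump above
    dm = ["CRYPT-LUKS1-" + uuid.replace("-", "") + "-example_name"]  # constructed
    print(next_step(parse_luks_header(sample_luks1_header(uuid)), dm))
```

On a real system the inputs would be the first 592 bytes of the partition and the contents of `/sys/block/dm-*/dm/uuid`, both read as root.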


