[clug] Can't mount an encrupted backup file system

Ian Munsie darkstarsword at gmail.com
Thu Jun 14 20:18:19 MDT 2012

> # cryptsetup luksAddKey /dev/sdb1 backup
> Enter any passphrase:
> Verify passphrase:
> NO key available with this passphrase.

Have I missed something? Why are you trying to add a new key to an
existing partition (what luksAddKey does) on the new system? Can you
decrypt it with luksOpen and the old passphrase?

"NO key available with this passphrase." usually indicates that the
passphrase you entered does not match any that was used to encrypt the
partition - the passphrase it asked for is the old passphrase that the
device is already encrypted with, not a new passphrase. There is also
the possibility that you are entering the correct passphrase, but that
it has been mangled on one of the systems - does the passphrase
include any special characters that may be affected by the system
locale (e.g. accented or composed characters, Chinese characters,
etc.)? The final possibility (which LUKS was created to avoid, so this
would be a bug) is that the passphrase has been hashed differently on
each system - i.e, that each system produced a different result when
running SHA1 over the salted passphase.

> On previous occasions I wasn't even prompted for a passphrase so the
> update and/or 'modprobe sha256' command has moved me along slightly.

I'm not sure, your first message indicated that you were prompted for
a passphrase (although this was with the GUI tools, so they may behave

> Everything worked just nicely up to this point. I then plugged in the 1
> TB backup disk drive. As usual the "Enter a password to unlock the
> volume" window popped up stating that 'The device "1.0 TB Hard Disk"
> contains encrypted data on partition 1.'

luksAddKey needs to first decrypt the encryption key using the
provided passphrase (which is what failed here), then encrypts a
SECOND COPY of that same encryption key using the provided key file (a
file named "backup" from your command above), such that the file
"backup" can then be used to decrypt the partition instead of
providing a passphrase. It is intended to be able to create a backup
method of decrypting the device in case of a forgotten passphrase, as
a convenience factor (if the keyfile is stored on a USB stick for
instance), or for systems where decrypting the device needs to happen
automatically without user intervention (network key deployment, for

I think the suggestion of using luksAddKey in the thread was to add a
second way to decrypt the device on your old eeePC, then use that
second method to decrypt it on the new eeePC - that's not a bad idea
as it would rule out the possibility of the passphrase being mangled,
but re-reading the thread I think you have got a bit confused on how
to do this.

Before you try this, just try decryption the device on the new eeePC
with luksOpen after doing modprobe sha256.
If you still are unable to decrypt the device, this is how you would
try David's suggestion of luksAddKey:

ON THE OLD EEEPC (i.e where you can mount the device):

# dd if=/dev/urandom of=my_new_key_file bs=4k count=1
This creates a new "key file" that you now want to add as an
alternative method of decryption the device. This should display
something like:
> 1+0 records in
> 1+0 records out
> 4096 bytes (4.1 kB) copied, 0.000422697 s, 9.7 MB/s

# cryptsetup luksAddKey /dev/<device> my_new_key_file
This will prompt you for "any passphrase" - you actually need to enter
your old passphrase here. Don't worry, this is perfectly safe - your
old passphrase will still work after doing this, this just adds a
second method to decrypt the device. The output should look like:
> Enter any passphrase: <enter old passphrase here>

COPY my_new_key_file TO THE NEW EeePC - you will use it momentarily to
try to decrypt the drive instead of using the passphrase.

Now, ON THE NEW EEEPC (i.e. where you have not been able to mount the device):

# cryptsetup luksOpen /dev/<device> arbitrary_device_name --key-file
If successful there should be no output from this command (and it
should NOT prompt you for a passphrase). If there was an error, check
that my_new_key_file that you copied from the old EeePC is in the
current directory. If that didn't help let me know what the error was,
and also run dmesg|tail immediately after trying and paste the output
(which may include errors from the kernel).

If it was successful /dev/mapper/arbitrary_device_name should have
been created. Now, try mounting the contained filesystem with:
# mkdir /mnt/1tb
# mount /dev/mapper/arbitrary_device_name /mnt/1tb
# ls /mnt/1tb

If this works let me know and I'll show you how to create a new
passphrase to decrypt the device on the new EeePC so that it will work
from the GUI tools.


On the day *I* go to work for Microsoft, faint oinking sounds will be
heard from far overhead, the moon will not merely turn blue but
develop polkadots, and hell will freeze over so solid the brimstone
will go superconductive.
     -- Eric S. Raymond, 2005
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

More information about the linux mailing list