[clug] Can't mount an encrupted backup file system

jhock jhock at iinet.net.au
Sat Jun 16 01:33:33 MDT 2012 

On Fri, 2012-06-15 at 12:18 +1000, Ian Munsie wrote: 
> > # cryptsetup luksAddKey /dev/sdb1 backup
> > Enter any passphrase:
> > Verify passphrase:
> > NO key available with this passphrase.
> 
> Have I missed something? Why are you trying to add a new key to an
> existing partition (what luksAddKey does) on the new system? Can you
> decrypt it with luksOpen and the old passphrase?

I'm trying to add a passphrase to the new eeePC so that I can connect to
the 1Tb drive. I'm using the same passphrase that I used to encrypt the
1Tb drive. 

It all comes down to being unable to mount the 1Tb drive. When I plug it
into the usb drive a box pops up asking for the passphrase but when I
enter that passphrase into the box (box B see below) I get an error box
saying:

"Unable to mount 1.0 Tb Encrypted
 Error unlocking device: cryptsetup exited with exit code 255: no key
available with this passphrase."

Note that the box that pops up (box B) is different to that on the old
eeePC. However, if on the old eeePC I select the "cancel" button on the
the first pop up box (box A) the same box as on the new eeePC (box B)
pops up. If I enter the passphrase into this box I get a similar error.
IE. "Unable to mount 64 KB Unrecognised
Error unlocking device: cryptsetup exited with exit code 255: No key
available with this passphrase."

> 
> "NO key available with this passphrase." usually indicates that the
> passphrase you entered does not match any that was used to encrypt the
> partition - the passphrase it asked for is the old passphrase that the
> device is already encrypted with, not a new passphrase. 

Yes. I'm using the same passphrase but it isn't connecting to the 1Tb
drive (see above). That is why I'm trying to add a passphrase that is
the same as the passphrase on the 1Tb drive. Maybe this is not what I
should be doing but I don't know what to do to make the "key available
with this passphrase."

> There is also
> the possibility that you are entering the correct passphrase, but that
> it has been mangled on one of the systems - does the passphrase
> include any special characters that may be affected by the system
> locale (e.g. accented or composed characters, Chinese characters,
> etc.)? 

No. Just the standard numbers, capital and lower case English alphabet.
I have even typed the passphrase into a gedit window and cut and paste
it into the window asking for the passphrase for the 1Tb drive with no
success.

> 
> The final possibility (which LUKS was created to avoid, so this
> would be a bug) is that the passphrase has been hashed differently on
> each system - i.e, that each system produced a different result when
> running SHA1 over the salted passphase.
> 

I think that this might be the problem but I don't know how to fix it.

> 
> > On previous occasions I wasn't even prompted for a passphrase so the
> > update and/or 'modprobe sha256' command has moved me along slightly.
> 
> I'm not sure, your first message indicated that you were prompted for
> a passphrase (although this was with the GUI tools, so they may behave
> differently):

Yes. The gui asks for a passphrase when I plug the 1 Tb drive into 
the USB port. However the gui is box B and not box A.

Previously, before I did the modprobe sha256, trying to cryptsetup 
luksAddkey did *not* prompt me for a passphrase. Now that I have 
added the modprobe sha256 the cryptsetup luksAddKey command *does* ask
me for a passphrase. I thought that this was an advancement.

> > Everything worked just nicely up to this point. I then plugged in the 1
> > TB backup disk drive. As usual the "Enter a password to unlock the
> > volume" window popped up stating that 'The device "1.0 TB Hard Disk"
> > contains encrypted data on partition 1.'
> 
> 
> 
> 
> luksAddKey needs to first decrypt the encryption key using the
> provided passphrase (which is what failed here), then encrypts a
> SECOND COPY of that same encryption key using the provided key file (a
> file named "backup" from your command above), such that the file
> "backup" can then be used to decrypt the partition instead of
> providing a passphrase. It is intended to be able to create a backup
> method of decrypting the device in case of a forgotten passphrase, as
> a convenience factor (if the keyfile is stored on a USB stick for
> instance), or for systems where decrypting the device needs to happen
> automatically without user intervention (network key deployment, for
> example).
> 
> I think the suggestion of using luksAddKey in the thread was to add a
> second way to decrypt the device on your old eeePC, then use that
> second method to decrypt it on the new eeePC - that's not a bad idea
> as it would rule out the possibility of the passphrase being mangled,
> but re-reading the thread I think you have got a bit confused on how
> to do this.
> 
> Before you try this, just try decryption the device on the new eeePC
> with luksOpen after doing modprobe sha256.
> 

Didn't work. I enter the passphrase used to encrypt the 1 Tb drive but 
I get the error "No key available with this passphrase.

> If you still are unable to decrypt the device, this is how you would
> try David's suggestion of luksAddKey:
> 
> ON THE OLD EEEPC (i.e where you can mount the device):
> 
> # dd if=/dev/urandom of=my_new_key_file bs=4k count=1
> This creates a new "key file" that you now want to add as an
> alternative method of decryption the device. This should display
> something like:
> > 1+0 records in
> > 1+0 records out
> > 4096 bytes (4.1 kB) copied, 0.000422697 s, 9.7 MB/s

Yes. It looks just like that.

> # cryptsetup luksAddKey /dev/<device> my_new_key_file
> This will prompt you for "any passphrase" - you actually need to enter
> your old passphrase here. Don't worry, this is perfectly safe - your
> old passphrase will still work after doing this, this just adds a
> second method to decrypt the device. The output should look like:
> > Enter any passphrase: <enter old passphrase here>

I still get the error "No key available with this passphrase.".

> COPY my_new_key_file TO THE NEW EeePC - you will use it momentarily to
> try to decrypt the drive instead of using the passphrase.
> 
> 
> Now, ON THE NEW EEEPC (i.e. where you have not been able to mount the device):
> 
> # cryptsetup luksOpen /dev/<device> arbitrary_device_name --key-file
> my_new_key_file

I get the same error "No key available with this passphrase.".

> If successful there should be no output from this command (and it
> should NOT prompt you for a passphrase). If there was an error, check
> that my_new_key_file that you copied from the old EeePC is in the
> current directory. If that didn't help let me know what the error was,
> and also run dmesg|tail immediately after trying and paste the output
> (which may include errors from the kernel).

key file is in /root/

> If it was successful /dev/mapper/arbitrary_device_name should have
> been created. 


No. The keyfile is not in the /dev/mapper directory. There is only 
a "control" file.

I now wait for more instructions to overcome this error.

Thanks.

John

> Now, try mounting the contained filesystem with:
> # mkdir /mnt/1tb
> # mount /dev/mapper/arbitrary_device_name /mnt/1tb
> # ls /mnt/1tb
> 
> If this works let me know and I'll show you how to create a new
> passphrase to decrypt the device on the new EeePC so that it will work
> from the GUI tools.
> 
> Cheers,
> -Ian
>

More information about the linux mailing list