On 10/28/23 08:49, lejeczek via users wrote:
> Hi guys.
>
> I know this is most likely not the best suited question for this list, but I'm
> hoping some experts might be able to help.
>
> I have a LUKS device which had its keyslot with a pass-phrase removed and the
> token for the TPM keyslot removed too - I think this is the case, for none of my
> passphrases works and the device is as below:
>
> I hope there is a way to save it & bring it back to life - the device is open
> right now and I have access to the filesystem; obviously the goal would be to
> avoid re-format/crypt.
>
> Is it possible to restore/recreate that lost token and/or add a new keyslot
> somehow? I have no header backup for this device.
>
> -> $ cryptsetup luksDump /dev/nvme0n1p3
> ...

Yes, as long as the device is currently unlocked you can recover the master key
from the kernel. You will need the name of the /dev/mapper entry for the unlocked
device. If you don't know it, you can use "lsblk" to find it. For example (since
I conveniently happen to have an encrypted nvme0n1p3):

    # lsblk /dev/nvme0n1p3
    nvme0n1p3            259:3    0   568G  0 part
    |...
    └─rl_omega3x-home    253:4    0    50G  0 lvm
      └─home-luks        253:7    0    50G  0 crypt /home

Then use "dmsetup" to display the encryption key:
    # dmsetup table home-luks --showkeys

That should yield a line that includes a long string of hex digits. That is the
master key. Save that temporarily in a safe place, since the key will be lost
forever once you reboot or close the LUKS container. Here is a one-liner that
will use the 5th field of that dmsetup output directly to create a new key:

    # cryptsetup luksAddKey /dev/nvme0n1p3 \
        --master-key-file <(dmsetup table home-luks --showkeys | awk '{print $5}' | xxd -r -p)

Once you've got that recovered, do use "cryptsetup luksHeaderBackup" to save 
that LUKS header somewhere so that you don't get into this position again. And do destroy 
that saved master key.

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
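The procedure in the reply above, packaged as shell functions so each step can be checked before it touches the disk. This is an added example, not code from the original post or from the cryptsetup project. It assumes the names used in the thread (mapping "home-luks", container /dev/nvme0n1p3) and that cryptsetup accepts --master-key-file (newer releases also spell it --volume-key-file). One caveat worth building in: on a LUKS2 device opened with the kernel keyring, "dmsetup table --showkeys" prints a keyring reference of the form ":<bytes>:logon:<description>" in field 5 instead of the hex key, and the key cannot be read back that way, so the extractor refuses such lines rather than feeding garbage to luksAddKey. SAMPLE_TABLE and SAMPLE_KEYRING are constructed lines with a dummy key, not output from a real system.

```shell
#!/bin/sh
# Added example, not code from the original post: recover the volume key of a
# still-open dm-crypt mapping, add a new LUKS key slot with it, verify the new
# passphrase, back up the header, and shred the temporary key file.
# Assumed names: mapping "home-luks", container /dev/nvme0n1p3 (from the post).

# Layout of a dm-crypt "crypt" target line as printed by "dmsetup table":
#   <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset> [opts]
# Field 5 is the key. Returns 1 if this is not a crypt target, 2 if the key is
# a kernel keyring reference (LUKS2 with keyring, unreadable here), 3 if the
# field is not hex. Prints the hex key on success.
extract_volume_key() {
    line=$1
    set -- $line                      # split the table line on whitespace
    [ "$3" = "crypt" ] || return 1    # not a crypt target
    key=$5
    [ -n "$key" ] || return 1
    case $key in
        :*) return 2 ;;               # ":64:logon:cryptsetup:..." style reference
    esac
    case $key in
        *[!0-9a-fA-F]*) return 3 ;;   # not a hex string
    esac
    printf '%s\n' "$key"
}

# Key length in bits, to sanity-check against the cipher in field 4
# (aes-xts-plain64 normally carries a 512-bit key).
volume_key_bits() {
    k=$(extract_volume_key "$1") || return $?
    echo $(( ${#k} * 4 ))
}

# Live procedure; needs root plus dmsetup, cryptsetup, xxd and shred.
#   $1 = mapper name of the open device (from lsblk), e.g. home-luks
#   $2 = the LUKS container itself, e.g. /dev/nvme0n1p3 (not the mapping)
recover_keyslot() {
    mapping=$1
    luksdev=$2
    table=$(dmsetup table "$mapping" --showkeys) || return 1
    hexkey=$(extract_volume_key "$table") || {
        echo "cannot read the volume key for $mapping from dmsetup" >&2
        return 1
    }
    # Keep the raw key on tmpfs only; LUKS wants binary, so un-hex it with xxd.
    keyfile=$(mktemp /dev/shm/luksvk.XXXXXX) || return 1
    printf '%s' "$hexkey" | xxd -r -p > "$keyfile"
    cryptsetup luksAddKey "$luksdev" --master-key-file "$keyfile"  # prompts for new passphrase
    rc=$?
    shred -u "$keyfile"               # destroy the saved master key
    [ "$rc" -eq 0 ] || return "$rc"
    # Prove the new passphrase unlocks the header without touching the mapping.
    cryptsetup open --test-passphrase "$luksdev" || return 1
    # Keep a header backup so this situation does not repeat.
    cryptsetup luksHeaderBackup "$luksdev" \
        --header-backup-file "/root/$(basename "$luksdev").luks-header.bak"
}

# Constructed samples (not real output): a 512-bit dummy key of 128 hex digits,
# and the keyring-reference form that LUKS2 devices may show instead.
DUMMY_KEY=$(printf '0123456789abcdef%.0s' 1 2 3 4 5 6 7 8)
SAMPLE_TABLE="0 104857600 crypt aes-xts-plain64 $DUMMY_KEY 0 253:4 4096"
SAMPLE_KEYRING="0 104857600 crypt aes-xts-plain64 :64:logon:cryptsetup:1111-d0 0 253:4 4096"
```

Run the real recovery as root with `recover_keyslot home-luks /dev/nvme0n1p3`; the extractor can be tried first on the captured `dmsetup table` line to see whether the key is readable at all before anything is written.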
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org