You are not logged in.
Pages: 1
Hello,
I recently got my LUKS encrypted root partition working properly with Arch Linux and now want to make it more secure.
I converted the partition from LUKS1 to LUKS2 and it still boots. However, when trying to convert the key to Argon2id and change the passphrase (while booted into the Arch install USB), I get the following error.
# Acquiring write lock for device /dev/sdb3.
# Opening lock resource file /run/cryptsetup/L_8:19
# Verifying lock handle for /dev/sdb3.
# Device /dev/sdb3 WRITE lock taken.
# Checking context sequence id matches value stored on disk.
# Reusing open ro fd on device /dev/sdb3
# Opening locked device /dev/sdb3
# Verifying locked device handle (bdev)
Cannot wipe device /dev/sdb3.I am able to create and delete keys in the other keyslots, but it seems that keyslot 0 cannot be deleted or modified.
After looking into this further, I discovered that the area length of keyslot 0 is 18 exabytes.
Below is my luksDump.
LUKS header information
Version: 2
Epoch: 6
Metadata area: 16384 [bytes]
Keyslots area: 8355840 [bytes]
UUID: f4b4e102-43ef-4329-a86f-218d5b066b5d
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 8388608 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha256
Iterations: 1952654
Salt: 6b 56 a5 b8 80 16 f8 db 51 21 a3 49 6a 64 65 5f
d5 eb 0f b1 73 d6 40 96 3a 48 7b 7b 47 00 7d ae
AF stripes: 4000
AF hash: sha256
Area offset:290816 [bytes]
Area length:18446744073709293568 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 90145
Salt: 31 4b d6 2a 88 79 29 85 28 64 1d 38 fa 1b dc ce
83 20 30 e1 83 18 24 40 7b bf c6 5a a1 45 2a 51
Digest: 33 cf c5 80 8e 29 01 ce 5d 3f d3 d2 88 30 e2 2d
cc 32 e7 51 My current plan is to fully decrypt the partition and reencrypt it. Let me know if you think there is a better course of action.
-cobalt32
Offline
Which commands did you use exactly? Consider reporting a bug because that looks very strange.
If you delete the last remaining keyslot you won't be able to open it anymore and the data is lost unless you have a header backup. Backup the header and add another key while you're still able just in case...
if in doubt, full backup of all data (but you should have one of those, anyway)
Last edited by frostschutz (2022-06-13 17:32:31)
Offline
For the error I posted, I ran the following. (only posted the relevant part of the debug)
cryptsetup luksConvertKey /dev/sdb3 --key-slot 0 --pbkdf argon2id --verbose --debugAnd yes, I made sure to create a second key when attempting to delete keyslot 0. Deleted the second key to try and convert it back to LUKS1, but that failed as well.
luksRemoveKey, luksKillSlot, luksConvertKey, and luksChangeKey result in the same "cannot wipe device" error.
I will submit a bug report on the GitLab page.
Offline
Pages: 1