You are not logged in.
- Topics: Active | Unanswered
#1 2024-06-17 22:41:26
- Daloyce
- Member
- Registered: 2024-06-17
- Posts: 8
[SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
Hello, Arch Community.
My background
Before i describe my problem i would like to state my past experience with Linux issue fixing. I've been using a Linux system has main driver for about 2.5 years. In this journey i managed to:
Delete gdm will trying to install steam on manjaro (first distro i started after leaving ubuntu) and ending up only with a tty, which has not my fault since sudo pacman -Syu steam failed me completely
Fix grub after windows updates
configure and install a tilling window manager(Hyprland) and configuring all "support" software noly from the terminal, even writted my on bash scripts
Played alot with qemu
Messed around with docker for only curiosity
Lots of university projects
And my biggest achivement: i know how to leave vim
This is only to state i did mess around a lot by now, but i'm humble enough to still see my self has a noob.
The problem
Some 4 months ago, i resized my luks encrypted disk so that i could try QubesOS on my computer after i upgraded the RAM from 8GB to 16GB. I rezised the partition using parted command, but at the time i didn't knew that i shouldn't have done that without at least making a backup of the encryption headers 
.
So when i tried to enter arch my encryption password was not working it was giving the following error:
device-mapper: reload ioctl on luks (252:0) failed: Invalid argumentI've search about this error (after erasing qubes and rezised the disk to is latest size, but that didn't solve the problem) and found some posts about it but the solutions (when it has one) were not solving my problem, and most of them i couldn't even try because i couldn't decrypt my disk from a bootable device neither.
So after some digging around i found a blog post of how to backup the headers (Its was here that i found out that it was thing i should have know before i resized the disk) and found out i could add another decryption key. which i did for lack of better ideas.
When i try to decrypt the disk with the second key a new error apperead:
luks sector size not multiple of partition sizeSomething around this lines, i don't fully remember the text. But i'm sure i was giving this information.
This is a image of the only recovery tool that managed to decrypt the luks partition, UFS-EXplorer pro. But i was on free trial and can't recover files bigger that 768KB and some files that i've recovered are empty even they had information before, like some C project header files that i had.
But data recovery is not my main goal. The goal is to find a way to resize the disk so that it is multiple of the sector size. I belive the partition size that its showed on the computer is round values and not the accurate value which i need to calculate the correct partition end so i can try to decrypt the disk and hopefuly recover my system.
Can anyone point me to where i can get this information or if its possible at all to still recovery this system so i can focus on saving has much data has possible.
Thank you in adavance and sorry if i somehow break a rule in the post writting.
Last edited by Daloyce (2024-06-19 16:22:46)
Offline
#2 2024-06-18 00:09:18
- frostschutz
- Member
- Registered: 2013-11-15
- Posts: 1,550
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
if your luks header is set to use 4096 byte sectors (check with cryptsetup luksDump), then the partition must be multiple of 4096 bytes large (check with blockdev --getsize64 /dev/partition, or parted /dev/disk unit b print).
usually this is the case since everything is MiB aligned (both start and end) nowadays, but with parted it's easy to get it wrong by using the wrong units etc.
if the partition has an unaligned size then luks will refuse to use it at all.
Online
#3 2024-06-18 01:06:44
- Daloyce
- Member
- Registered: 2024-06-17
- Posts: 8
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
if your luks header is set to use 4096 byte sectors (check with cryptsetup luksDump), then the partition must be multiple of 4096 bytes large (check with blockdev --getsize64 /dev/partition, or parted /dev/disk unit b print).
usually this is the case since everything is MiB aligned (both start and end) nowadays, but with parted it's easy to get it wrong by using the wrong units etc.
if the partition has an unaligned size then luks will refuse to use it at all.
First and for most, thank you for helping.
Well i don't think my sector size is 4096 bytes, i belive it is 512 bytes. I've seen that a 4KB sector size is the optimal size. But i encrypted the disk while installing archlinux via the arch installation script, but i'm not sure though. i shoud use the logical or the physical?
$ parted /dev/sda unit b print
Model: ATA TOSHIBA MQ01ABD1 (scsi)
Disk /dev/sda: 1000204886016B
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 1048576B 536870911B 535822336B fat32 EFI System Partition boot, esp
2 537919488B 1000204869119B 999666949632B primaryI will try resizing with this info and see if i get any luck. But the size i have there is already multiple of 512. UFS-explorer info says that i have 1952474510 sector, but 999666949632/512 = 1952474511. Maybe just removing 512 bytes will do the job. Since at the beginnig whe i was decrypting the partition it asked from were he should get luks encryption partion headers. i chose the LUKS metadata option. maybe some how he that was my device size in sector before hi did the resizing.
$ $ sudo parted /dev/sda
GNU Parted 3.6
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
Model: ATA TOSHIBA MQ01ABD1 (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 1049kB 537MB 536MB fat32 EFI System Partition boot, esp
2 538MB 1000GB 999GB primary
(parted) resizepart 2
End? [1000GB]? 1000204868607B
(parted) print
Model: ATA TOSHIBA MQ01ABD1 (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 1049kB 537MB 536MB fat32 EFI System Partition boot, esp
2 538MB 1000GB 1000GB primary$ sudo parted /dev/sda unit b print
Model: ATA TOSHIBA MQ01ABD1 (scsi)
Disk /dev/sda: 1000204886016B
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 1048576B 536870911B 535822336B fat32 EFI System Partition boot, esp
2 537919488B 1000204868607B 999666949120B primarySo far so good
$ sudo cryptsetup luksOpen /dev/sda2 luks
Enter passphrase for /dev/sda2:
device-mapper: reload ioctl on luks (252:0) failed: Invalid argumentBut it didn't cut it . By my math this should have done the job
$ sudo cryptsetup open /dev/sda2 luksrecoverytarget --type luks
Enter passphrase for /dev/sda2:
device-mapper: reload ioctl on luksrecoverytarget (252:0) failed: Invalid argumentAlso tried the above command, but no luck
Have i done any mistake?
Luks dump output
$ sudo cryptsetup luksDump /dev/sda2
LUKS header information
Version: 2
Epoch: 4
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 94458d88-0ed8-4424-90d9-1578eb6f08a6
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 4096 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 10
Memory: 1048576
Threads: 2
Salt: 16 2f 20 7a fb 19 64 e1 d2 e7 01 48 4a 10 0a 81
c1 f8 f6 c6 14 0a 9e 28 a7 ff 3b a4 44 d3 9a 6b
AF stripes: 4000
AF hash: sha512
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
1: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 4
Memory: 458293
Threads: 2
Salt: b7 71 79 5d c9 25 8d b1 d2 5d 8a bb 05 c9 42 f7
74 ae a8 f8 79 5e 4f c0 ad f6 f1 14 26 11 d6 32
AF stripes: 4000
AF hash: sha256
Area offset:290816 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha512
Iterations: 147271
Salt: 4e 4e 90 f5 00 16 e8 ce f6 43 48 bd 86 40 2b d2
5f 90 6b 62 61 d6 c7 7c 05 82 57 f5 6e f3 fe a6
Digest: ef a2 4e b7 bc fb d5 ab 1e 04 a5 fa 9e 45 03 76
e0 6b 45 83 cb cf 86 14 0e 6b 0c dd 0c 70 97 86
4b e0 d6 ed 2d 6a da e2 6d 26 c2 ea 26 9b 76 c9
95 4f 30 7c 88 77 41 14 68 49 9d 57 64 f4 1a 21 P.S: yep know shame on me by using the installation script, but was my first time installing arch so i felt safer doing it with the script, i just have left manjaro which was a pretty unstable experience compared with arch
Last edited by Daloyce (2024-06-18 01:13:44)
Offline
#4 2024-06-18 07:13:00
- frostschutz
- Member
- Registered: 2013-11-15
- Posts: 1,550
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
LUKS is using 'sector: 4096 [bytes]' as shown in luksDump.
Your partition size as shown by parted is not multiple of 4096.
You can try `resizepart 2 1953523711s` (max MiB-aligned size) or `resizepart 2 1953525127s` (max 4K-aligned size).
P.S: yep know shame on me by using the installation script
Not really... both parted and luks just make this a bit harder than it needs to be. LUKS/dm-crypt could easily ignore the last incomplete 4K sector instead of erroring out completely (and with such an unhelpful error message). parted could default to aligned partitions instead of resizing to odd values even when using user-friendly units.
You're not the first to run into this issue and won't be the last.
Online
#5 2024-06-18 11:14:56
- Daloyce
- Member
- Registered: 2024-06-17
- Posts: 8
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
My hopes got revived again , shouldn't have trusted ufs-explorer...
OK i have started with resizing the partition to full size again so i could see the end
$ sudo parted /dev/sda
GNU Parted 3.6
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
Model: ATA TOSHIBA MQ01ABD1 (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 1049kB 537MB 536MB fat32 EFI System Partition boot, esp
2 538MB 1000GB 1000GB primary
(parted) resizepart 2
End? [1000GB]? '100%'
(parted) print
Model: ATA TOSHIBA MQ01ABD1 (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 1049kB 537MB 536MB fat32 EFI System Partition boot, esp
2 538MB 1000GB 1000GB primary
(parted) q
Information: You may need to update /etc/fstab.Now with the new end point updated
$ sudo parted /dev/sda unit b print
Model: ATA TOSHIBA MQ01ABD1 (scsi)
Disk /dev/sda: 1000204886016B
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 1048576B 536870911B 535822336B fat32 EFI System Partition boot, esp
2 537919488B 1000204869119B 999666949632B primaryI will calculate the closest size such that the partition size is multpliple of 4096B
999666949632/4096 = 244059313.875
so my closest size should be 244059313 x 4096 = 999666946048 bytes
[size] = [end] - [start] + 1 => [end] = [size] + [start] - 1
[end] = 999666946048 + 537919488 - 1 = 1000204865535
$ sudo parted /dev/sda
GNU Parted 3.6
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
Model: ATA TOSHIBA MQ01ABD1 (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 1049kB 537MB 536MB fat32 EFI System Partition boot, esp
2 538MB 1000GB 999GB primary
(parted) resizepart 2
End? [1000GB]? 1000204865535B
Warning: Shrinking a partition can cause data loss, are you sure you want to
continue?
Yes/No? y
(parted) print
Model: ATA TOSHIBA MQ01ABD1 (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 1049kB 537MB 536MB fat32 EFI System Partition boot, esp
2 538MB 1000GB 999GB primary
(parted) q
Information: You may need to update /etc/fstab.Resize done. Let me try to open the volume
$ sudo cryptsetup luksOpen /dev/sda2 luks
Enter passphrase for /dev/sda2:
Warning: keyslot operation could fail as it requires more than available memory.Hmm just got this new warning. but no error
And it worked!!!!!!!
OMG!!!!!
Thank you very much, wouldn't have done this without your help. I should have asked for help months ago. I'm a very "do everything by myself" person, shame on me. I can finally restart writing my master tesis again.
Again i'm very grateful for the help.
Really though i would lose this system. And most of my data with it.
Again so Grateful
P.S: Sorry for not copy & past your sugestion. 99.99% of the times i copy & past comands into the terminal without even looking straight at them, i would probably paste sudo rm -rf / if someone put it in a guide. But partion sizes that i didn't understand its where i stop 
. Whats the meaning of the 's' in thouse sizes?
P.P.S: How do i mark this post has SOLVED?
Last edited by Daloyce (2024-06-18 11:51:52)
Offline
#6 2024-06-18 12:28:17
- fmc000
- Member
- Registered: 2020-05-12
- Posts: 85
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
Edit the first post.
Linux user since 1996. Currently running Arch on an I7 11th gen laptop with root on zfs with zrepl.
Offline
#7 2024-06-18 12:28:49
- frostschutz
- Member
- Registered: 2013-11-15
- Posts: 1,550
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
's' means sector.
parted has odd behavior here... 100% is taken to use literally the last sector, no alignment. Even specifying 12345MiB (when I tested it) ended up botching the alignment (fine with mkpart but resizeparts ends up using off by 1 or 2 sectors, it's weird). So specifying a size in 's' sectors forces it to use the value you provide. It shouldn't be necessary... but what can you do.
The keyslot operation warning is a bit unusual, unless you went out of your way to set very high memory requirement for argon2 keyslot? Or this is on a very memory constrained machine?
There is no need to set excessive values. Requiring too much memory can trigger side effects, OOM conditions, and even lead to data loss if it ends up killing any processes.
Last edited by frostschutz (2024-06-18 12:29:38)
Online
#8 2024-06-18 13:14:02
- Daloyce
- Member
- Registered: 2024-06-17
- Posts: 8
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
The keyslot operation warning is a bit unusual, unless you went out of your way to set very high memory requirement for argon2 keyslot? Or this is on a very memory constrained machine?
Well my machine has 16GB at the moment. But i don't remember touching in such parameter. If that has been changed than maybe it was when i added the new decryption key, while copy & pasting the guide comand. And that error only appeared today, before it would give me only the error msg.
How could i change that?
So specifying a size in 's' sectors forces it to use the value you provide.
Thanky you for the inlightment 
I managed to backup all my data to my drive, so i'm well more comfortable.
I tried to boot in my system but it said the my file system had erros and that i had to run fsck manually with the provided UUID.
I booted using linux-zen. After fsck completed i try booting with standard linux kernel. And its stuck in deceyption and also my CapsLock key led light is blinking.
Should should i shutdown and try with linux-zen?
Well i got tired of waiting. So i just did that.
The CapsLock still blinks. Is this when i just accept the data recovery and reinstall the whole system?
Just verify form a usb bootable device that i can still mount my partition and the data there is ok. Can i fix this from the usb bootable device?
Last edited by Daloyce (2024-06-18 13:45:27)
Offline
#9 2024-06-18 14:07:08
- frostschutz
- Member
- Registered: 2013-11-15
- Posts: 1,550
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
Well, not sure what happened there. Run a memtest, just in case?
Online
#10 2024-06-18 18:59:00
- Daloyce
- Member
- Registered: 2024-06-17
- Posts: 8
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
Memtest resuslt. I all good i guess. My RAM is very new. Only has 5 moths of use.
Offline
#11 2024-06-18 19:10:10
- seth
- Member
- Registered: 2012-09-03
- Posts: 65,625
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
memtest86+ cycles are measured in days, not minutes - a single pass is close to meaningless.
However the filesystem seems corrupted and you might have to sanitize that offline.
Boot the install iso, open the luks containerand run an fsck on the partition.
Once that's finished mount it into /mnt and check
LC_ALL=C pacman --root=/mnt -Qkk | grep -v ', 0 altered files'You'll probably have to re-install some packages to fix the file corruptions.
If you cannot chroot into the filesystem or the system pacman doesn't work because its affected by the corruptions, use "--root=/mnt --cachedir=/mnt/var/cache/pacman/pkg" and the pacman version from the iso. The iso cannot be too old or you'll get keyring/signature problems.
If anything shows up w/ a broken or missing mtree, install it "--dbonly" first, otherwise you'll hit conflicting file errors.
Also make sure to not run partial updates, in doubt finish with an "-Syu"
Online
#12 2024-06-18 20:37:59
- Daloyce
- Member
- Registered: 2024-06-17
- Posts: 8
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
Thank you for the insight. Just to be sure i interpreted the information right before i worsen my situation.
if i understand right:
1- Boot from the Archlinux iso (which is from were i used the memtest), the iso in from was installed previous week, pretty sure Wednesday.
2 - Open LUKS containerand
cryptsetup luksOpen /dev/sda2 luks3- Run fsck on the partition(sda2 in my case)
sudo fsck -p /dev/sda24-"Mount it into /mnt" like this? Is the partition(sda2) or the disk(sda)?
sudo mount /dev/sda25- Verify to check for altered files.
LC_ALL=C pacman --root=/mnt -Qkk | grep -v ', 0 altered files'6- Try to chroot
arch-chroot /mnt7 - If it fails or pacman has been compromissed use the iso pacman
LC_ALL=C pacman --root=/mnt --cachedir=/mnt/var/cache/pacman/pkg -Qkk | grep -v ', 0 altered files'8 - "f anything shows up w/ a broken or missing mtree, install it "--dbonly" first,". Install the packages or reinstaling archlinux?
pacman --dbonly -Syu ??P.S: Sorry if my doubts seems obvious to many.
Last edited by Daloyce (2024-06-18 20:40:04)
Offline
#13 2024-06-18 21:13:16
- seth
- Member
- Registered: 2012-09-03
- Posts: 65,625
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
https://wiki.archlinux.org/title/Pacman … an_upgrade
1. the relevant partition would then become /dev/mapper/luks instead of /dev/sda2 for the subsequent steps
4. the partition, see above - and you'll have to specificy a mount target
7. you don't have to run the integrity check again, you want to fix the broken packages at this point
8. "-Syu" syncs and updates, but you need to explicitly re-install the broken packages that showed up in the -Qkk run
In doubt redirect the output into a file and paste that into 0x0.st
Online
#14 2024-06-18 22:15:37
- Daloyce
- Member
- Registered: 2024-06-17
- Posts: 8
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
LC_ALL=C pacman --root=/mnt -Qkk | grep -v ', 0 altered files' > out.txtGave me a very verbose output
Lots of 'No such file or directory'
Also encontered error about mtree
I've chroot in/mnt but not even a ls works so i'm updating the packaged with the iso pacman
I guess this is not supposed to look like this.
This is the coode i'm using to do the update
cat out.txt | pacman --root=/mnt --dbonly -Syuout.txt file has the following output
LC_ALL=C pacman --root=/mnt --cachedir=/mnt/var/cache/pacman/pkg -Qkk | grep -v ', 0 altered files' | awk -F ':' '{ print $1}' | grep -v 'backup file' | tr '/n' ' ' > out.txt Also tried to update 1 pkg at time but i'm finding very regulary dependancy brakes.
Is something wrong with my sintax?
Last edited by Daloyce (2024-06-19 01:34:43)
Offline
#15 2024-06-19 07:08:32
- seth
- Member
- Registered: 2012-09-03
- Posts: 65,625
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
This is the coode i'm using to do the update
You could "sort -u" it and don't have to map the newline, but
cat out.txt | pacman --root=/mnt --cachedir=/mnt/var/cache/pacman/pkg --dbonly -S -or
pacman --root=/mnt --cachedir=/mnt/var/cache/pacman/pkg --dbonly -S $(cat out.txt)1. the cachedir is really important here
2. you don't have to -yu --dbonly every package (you probably should not)
Pay attention to the output, you cannot update (broken) AUR packages this way, just remove them from the list as they're rather not system critical and you can later on rebuild them manually or using your aur helper.
Then
cat out.txt | pacman --root=/mnt --cachedir=/mnt/var/cache/pacman/pkg -S -
pacman --root=/mnt --cachedir=/mnt/var/cache/pacman/pkg -SyuThe segmentation increases the chance that hooks get (re-triggered) into a completely sanitized system where the other way round raises the chance that you update a package into the system before everything is functioning again (that rather should™ not happen but there's no downside to using a 3rd pass to update the system)
Online
#16 2024-06-19 13:41:27
- Daloyce
- Member
- Registered: 2024-06-17
- Posts: 8
Re: [SOLVED] Failed to decrypt LUKS2 encrypted disk after resizing
Well i managed to do all steps and when all the way to the last command, but will it was updating the system my computer shutdown, because i've a "adicted" battery, the pc needs to be connected to the power supply. I end up unintentionally removing the power supply with my feet, and the pc shutdown.
I entered the arch iso again and now:
LC_ALL=C pacman --root=/mnt --cachedir=/mnt/var/cache/pacman/pkg -Qkkis warning me about time mismatch and sha256 mismatch.
I though i would need to do the previous steps and when right to the system update
pacman --root=/mnt --cachedir=/mnt/var/cache/pacman/pkg -Syuwhich outputed
error: failed to synchronize all databases (unable to lock database)Right now i'm trying this guide
https://wiki.archlinux.org/index.php/Pa … 9.22_error
Pacman is working again, but it did not solved this issue.
I'm going reinstall arch. I will lose less time. All important data is save. Only going to lose save files of some games that i don't remeber the storie line anyway so is no factor to me.
A special thanks to frostschutz, Seth and fmc000.
P.S: I know... its funny for a arch user use "I will lose less time" has justification but i need my pc has na ally again
Last edited by Daloyce (2024-06-19 18:59:52)
Offline