Cannot add LUKS key to encrypted swap

For some reason I cannot add a key to my encrypted swap.

My /etc/crypttab:

swap_crypt /dev/disk/by-partuuid/c4f049d5-ae21-44d6-b753-6e72b7e21770 none luks,swap,discard,keyscript=decrypt_keyctl
root_crypt UUID=26f3c181-e041-47f2-929b-de631a2f1d3f none luks,discard,keyscript=decrypt_keyctl

So, to identify those disks:

# ls -l /dev/disk/by-partuuid/c4f049d5-ae21-44d6-b753-6e72b7e21770
lrwxrwxrwx 1 root root 15 Mar  5 22:34 /dev/disk/by-partuuid/c4f049d5-ae21-44d6-b753-6e72b7e21770 -> ../../nvme0n1p7
# blkid |grep 26f3c181-e041-47f2-929b-de631a2f1d3f
/dev/nvme0n1p8: UUID="26f3c181-e041-47f2-929b-de631a2f1d3f" TYPE="crypto_LUKS" PARTUUID="b178ae44-cf49-4dce-b7b5-293c9c0bb9c7"

So I know my swap is on /dev/nvme0n1p7 and my root is on /dev/nvme0n1p8.

Now, when I try to add a key to root:

# cryptsetup luksAddKey /dev/nvme0n1p8
Enter any existing passphrase:

However, for swap, this is all that happens:

# cryptsetup luksAddKey /dev/nvme0n1p7

It just exits. More info:

# cryptsetup luksAddKey -v --debug /dev/nvme0n1p7
# cryptsetup 2.0.2 processing "cryptsetup luksAddKey -v --debug /dev/nvme0n1p7"
# Running command luksAddKey.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/nvme0n1p7.
# Trying to open and read device /dev/nvme0n1p7 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/nvme0n1p7.
# Crypto backend (gcrypt 1.8.1) initialized in cryptsetup library version 2.0.2.
# Detected kernel Linux 5.0.0-050000-generic x86_64.
# Loading LUKS2 header.
# Opening lock resource file /run/cryptsetup/L_259:7
# Acquiring read lock for device /dev/nvme0n1p7.
# Verifying read lock handle for device /dev/nvme0n1p7.
# Device /dev/nvme0n1p7 READ lock taken.
# Trying to read primary LUKS2 header at offset 0.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 8192.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 16384.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 32768.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 65536.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 131072.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 262144.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 524288.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 1048576.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 2097152.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# Trying to read secondary LUKS2 header at offset 4194304.
# Opening locked device /dev/nvme0n1p7
# Veryfing locked device handle (bdev)
# LUKS2 header read failed (-22).
# Device /dev/nvme0n1p7 READ lock released.
# Releasing crypt device /dev/nvme0n1p7 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).

Any idea what the problem is?

Answer 1

If the encrypted swap is not intended for use as a hibernation resume device, it is commonly initialized with a randomly generated key that is never stored persistently anywhere. This gives a fairly strong guarantee that, once the system has been shut down correctly, any forensic attempt to analyze the contents of the swap area will be useless.

Since the only copy of such a non-persistent key, in RAM, is actively zeroed as part of a normal shutdown once the encrypted device is closed, any attempt to recover the key from RAM contents after a complete shutdown will be useless as well.

The fact that your crypttab includes the swap option suggests that this scheme may be in use: the swap option causes cryptsetup to run mkswap /dev/mapper/swap_crypt after initializing the encryption, which is only needed if the existing content of the swap partition is unreadable garbage... i.e. encrypted with a different non-persistent key.

When using the systemd init system, the keyscript= option may be ignored and systemd's own cryptsetup helper used instead, depending on the choices your Linux distribution has made. See man systemd-cryptsetup-generator and man systemd-cryptsetup@.service for details.

Answer 2

So I ended up solving this myself. For anyone running into this issue, make sure that when you run cryptsetup status /dev/mapper/<device> the type is LUKS1 and not PLAIN. The Ubuntu installer sets this up incorrectly by default, so the standard LUKS commands cannot operate on that device. Since it was swap, I was able to recreate the encryption properly and everything works now.
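As an added example (not from either answer), two shell checks that tell a LUKS mapping apart from plain dm-crypt before running luksAddKey: the "type:" field that answer 2 inspects, and the 6-byte LUKS magic at offset 0 of the backing partition, which is the header the failing luksAddKey run above could not find. The status texts and header files are constructed samples in the shape of real cryptsetup output and LUKS headers.

```shell
#!/bin/sh
# Added example: checks to run before "cryptsetup luksAddKey" on a mapping.
# Sample status text and sample header files are constructed below.

# Constructed output in the shape of `cryptsetup status <name>`.
STATUS_LUKS='/dev/mapper/root_crypt is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/nvme0n1p8'
STATUS_PLAIN='/dev/mapper/swap_crypt is active and is in use.
  type:    PLAIN
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/nvme0n1p7'

# mapping_type STATUS_TEXT: print the value of the "type:" line.
mapping_type() {
  printf '%s\n' "$1" | awk '$1 == "type:" { print $2; exit }'
}

# supports_keyslots STATUS_TEXT: succeed only for LUKS1/LUKS2. A PLAIN mapping
# has no on-disk header and no key slots, so luksAddKey has nothing to add to.
supports_keyslots() {
  case "$(mapping_type "$1")" in
    LUKS1|LUKS2) return 0 ;;
    *)           return 1 ;;
  esac
}

# has_luks_magic FILE: succeed if FILE starts with the LUKS header magic
# "LUKS" 0xba 0xbe, used by LUKS1 and by the LUKS2 primary header. On a real
# system FILE would be the partition, e.g. /dev/nvme0n1p7 (not run here).
has_luks_magic() {
  [ "$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# Constructed sample "partitions": one carrying the LUKS magic, one holding
# random-looking bytes such as a plain dm-crypt swap leaves behind.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'LUKS\272\276\000\001' > "$SAMPLE_DIR/luks.img"
printf '\377\221\004\101\210\377' > "$SAMPLE_DIR/plain.img"
```

On a live system, feed `has_luks_magic` the backing partition and `supports_keyslots` the output of `cryptsetup status <name>`; both must succeed for luksAddKey to have a key slot to write into.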