(Probably) corrupted LUKS header, restoring the header doesn't work

I've tried everything I could find online. Been researching since yesterday ;( I couldn't find anyone struggling with the error I'm facing, apart from GitLab (the error code I get is -1 rather than -4), Reddit, or this mailing list from 2006. I may be giving unnecessary details, sorry!

I have a 5 TB WD drive that already had dozens of files on it. I decided to build a small NAS with a Raspberry Pi 4. The thing is, I wanted LUKS encryption with BTRFS as the filesystem; at the time the drive was a single 5 TB EXT4 partition.

I split the drive into 2 partitions (on my main computer; only 2.3 TB was in use) and created a LUKS-protected BTRFS partition on half of the drive: moved everything onto the encrypted BTRFS partition, deleted the EXT4 part, grew the LUKS container, opened the encryption, then grew the BTRFS partition to fill the whole drive. The passphrase kept working for LUKS for a long time afterwards. I assumed nothing could go wrong as long as I had a LUKS header backup. The 5 TB LUKS-BTRFS partition is protected only by a passphrase, with no other slots etc. configured. I was able to unlock and mount the drive for about 3 weeks after that, with no problems or error codes on any of my devices (Artix Linux x86_64, Linux Mint, Debian aarch64, Parted Magic).

The OS I chose for the Pi 4 is Debian rather than Raspberry Pi OS, because the latter's kernel lacks the crypto API/feature I thought I needed, serpent-xts-plain64, which is my drive's encryption cipher. The NAS solution I use is OpenMediaVault. It doesn't natively support unlocking LUKS volumes and the like, so I unlocked it over SSH, mounted the device from the web UI, created an SMB share, and was even able to connect and exchange files for a day.

One day when I woke up, I found there were no files when I connected to the SMB share?! A quick lsblk showed the drive wasn't mounted and the encryption was closed. Now mounting it is impossible; I've tried many distros/kernels and architectures (aarch64 and amd64), tried mounting on many systems with GParted, KDE's own disk mounter etc., but nothing, I guess I'm stuck. Interestingly, I was able to change the passphrase with cryptsetup luksChangeKey /dev/sdd1; it happily accepted my passphrase and then successfully changed it to something else (as far as I can tell, the old passphrase was valid once I restored the header). As I said before, I have a usable LUKS header backup, and I know it's the correct file, because I've heard that restoring the wrong header makes things even more complicated.

I hope I don't have to reinvent the wheel to decrypt the drive, but if necessary I will :/

As far as I remember, I ran luksFormat with this command, which is in my .zshrc:

cryptsetup -v luksFormat /dev/sdd1 --use-random --verify-passphrase --key-size=512 --hash=whirlpool --cipher=serpent-xts-plain64 --pbkdf=argon2id --type luks2

This is the output of cryptsetup --debug --verbose luksOpen /dev/sdd1 crypt:

❯ sudo cryptsetup --debug --verbose luksOpen /dev/sdd1 crypt
[sudo] password for user: 
# cryptsetup 2.4.2 processing "cryptsetup --debug --verbose luksOpen /dev/sdd1 crypt"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sdd1.
# Trying to open and read device /dev/sdd1 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/sdd1.
# Crypto backend (OpenSSL 1.1.1l  24 Aug 2021) initialized in cryptsetup library version 2.4.2.
# Detected kernel Linux 5.15.8-zen1-1-zen x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/sdd1.
# Opening lock resource file /run/cryptsetup/L_8:49
# Verifying lock handle for /dev/sdd1.
# Device /dev/sdd1 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/sdd1
# Verifying locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:cd57d8cf3e5d6bd82e34925c05ac3f84114d564dc1535d443d6003847ede9c03 (on-disk)
# Checksum:cd57d8cf3e5d6bd82e34925c05ac3f84114d564dc1535d443d6003847ede9c03 (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/sdd1
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:1fa2c8c216bef143a6841c7e6d7b1e737b39a832e3e8067ce580b103673c67b6 (on-disk)
# Checksum:1fa2c8c216bef143a6841c7e6d7b1e737b39a832e3e8067ce580b103673c67b6 (in-memory)
# Device size 5000946236928, offset 16777216.
# Device /dev/sdd1 READ lock released.
# PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# Activating volume crypt using token (any type) -1.
# dm version   [ opencount flush ]   [16384] (*1)
# dm versions   [ opencount flush ]   [16384] (*1)
# Detected dm-ioctl version 4.45.0.
# Detected dm-crypt version 1.23.0.
# Device-mapper backend running with UDEV support enabled.
# dm status crypt  [ opencount noflush ]   [16384] (*1)
No usable token is available.
# Interactive passphrase entry requested.
Enter passphrase for /dev/sdd1: 
# Activating volume crypt [keyslot -1] using passphrase.
# dm versions   [ opencount flush ]   [16384] (*1)
# dm status crypt  [ opencount noflush ]   [16384] (*1)
# Keyslot 0 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Running keyslot key derivation.
# Reading keyslot area [0x47000].
# Acquiring read lock for device /dev/sdd1.
# Opening lock resource file /run/cryptsetup/L_8:49
# Verifying lock handle for /dev/sdd1.
# Device /dev/sdd1 READ lock taken.
# Reusing open ro fd on device /dev/sdd1
# Device /dev/sdd1 READ lock released.
# Verifying key from keyslot 0, digest 0.
# Loading key (64 bytes, type logon) in thread keyring.
# dm versions   [ opencount flush ]   [16384] (*1)
# dm status crypt  [ opencount noflush ]   [16384] (*1)
# Calculated device size is 9767440351 sectors (RW), offset 32768.
# DM-UUID is CRYPT-LUKS2-355457dcd03343349b2121f41f3e0a5c-crypt
# Udev cookie 0xd4de97d (semid 4) created
# Udev cookie 0xd4de97d (semid 4) incremented to 1
# Udev cookie 0xd4de97d (semid 4) incremented to 2
# Udev cookie 0xd4de97d (semid 4) assigned to CREATE task(0) with flags DISABLE_LIBRARY_FALLBACK         (0x20)
# dm create crypt CRYPT-LUKS2-355457dcd03343349b2121f41f3e0a5c-crypt [ opencount flush ]   [16384] (*1)
# dm reload   (254:3) [ opencount flush securedata ]   [16384] (*1)
device-mapper: reload ioctl on crypt (254:3) failed: Invalid argument
# Udev cookie 0xd4de97d (semid 4) decremented to 1
# Udev cookie 0xd4de97d (semid 4) incremented to 2
# Udev cookie 0xd4de97d (semid 4) assigned to REMOVE task(2) with flags DISABLE_LIBRARY_FALLBACK         (0x20)
# dm remove crypt  [ opencount flush securedata ]   [16384] (*1)
# Uevent not generated! Calling udev_complete internally to avoid process lock-up.
# Udev cookie 0xd4de97d (semid 4) decremented to 1
# dm versions   [ opencount flush ]   [16384] (*1)
# dm status crypt  [ opencount noflush ]   [16384] (*1)
# Udev cookie 0xd4de97d (semid 4) decremented to 0
# Udev cookie 0xd4de97d (semid 4) waiting for zero
# Udev cookie 0xd4de97d (semid 4) destroyed
# Requesting keyring logon key for revoke and unlink.
# Releasing crypt device /dev/sdd1 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/sdd1.
# Unlocking memory.
Command failed with code -4 (wrong device or file specified).

Output of fdisk -l:

Disk /dev/sdd: 4.55 TiB, 5000947302400 bytes, 9767475200 sectors
Disk model: My Passport 2627
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: 2505C284-7B8A-4EAE-90CB-950187A84D57

Device     Start        End    Sectors  Size Type
/dev/sdd1   2048 9767475166 9767473119  4.5T Linux filesystem

luksDump, also badly needed; output of cryptsetup luksDump /dev/sdd1:

❯ sudo cryptsetup luksDump /dev/sdd1
LUKS header information
Version:        2
Epoch:          5
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           355457dc-d033-4334-9b21-21f41f3e0a5c
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: serpent-xts-plain64
        sector: 4096 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     serpent-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  5
        Memory:     1048576
        Threads:    4
        Salt:       67 4b ad d5 89 b5 64 b7 b7 46 61 0f a4 9f cb be 
                    52 90 11 99 8c c0 fb 81 be 6a d6 ac 58 f5 3c 12 
        AF stripes: 4000
        AF hash:    sha256
        Area offset:290816 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       whirlpool
        Iterations: 68985
        Salt:       d7 56 5e 8a d3 7c 7a 86 d3 fc b5 f8 d8 1e 6f 8d 
                    b3 fd 04 34 e7 08 ab 9a 33 92 2f 08 96 4b ff 74 
        Digest:     ed 9c d5 5f 0e df b3 f3 5b 71 95 09 9d f0 a8 b5 
                    9c a5 02 cb d0 1f f7 7b 52 d2 24 29 ee b2 7b 3f 
                    ed bc bd 1d f8 f7 bb 9f f7 c9 68 9b c9 be 86 66 
                    8b 24 5a 3c b7 b2 3e 93 7e d0 42 7c 7e e1 6d ec

SMART values, output of smartctl -a /dev/sdd:

❯ sudo smartctl -a /dev/sdd
smartctl 7.2 2020-12-30 r5155 [x86_64-linux-5.15.8-zen1-1-zen] (local build)
Copyright (C) 2002-20, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Model Family:     Western Digital Elements / My Passport (USB, AF)
Device Model:     WDC WD50NDZW-11MR8S1
Serial Number:    WD-WXD1E995WRAF
LU WWN Device Id: 5 0014ee 211f0443e
Firmware Version: 02.01A02
User Capacity:    5,000,947,523,584 bytes [5.00 TB]
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    5400 rpm
Form Factor:      2.5 inches
TRIM Command:     Available, deterministic
Device is:        In smartctl database [for details use: -P show]
ATA Version is:   ACS-3 (minor revision not indicated)
SATA Version is:  SATA 3.1, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is:    Fri Dec 17 16:02:40 2021 CET
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

General SMART Values:
Offline data collection status:  (0x82) Offline data collection activity
                                        was completed without error.
                                        Auto Offline Data Collection: Enabled.
Self-test execution status:      ( 249) Self-test routine in progress...
                                        90% of test remaining.
Total time to complete Offline 
data collection:                ( 2940) seconds.
Offline data collection
capabilities:                    (0x1b) SMART execute Offline immediate.
                                        Auto Offline data collection on/off support.
                                        Suspend Offline collection upon new
                                        command.
                                        Offline surface scan supported.
                                        Self-test supported.
                                        No Conveyance Self-test supported.
                                        No Selective Self-test supported.
SMART capabilities:            (0x0003) Saves SMART data before entering
                                        power-saving mode.
                                        Supports SMART auto save timer.
Error logging capability:        (0x01) Error logging supported.
                                        General Purpose Logging supported.
Short self-test routine 
recommended polling time:        (   2) minutes.
Extended self-test routine
recommended polling time:        ( 776) minutes.
SCT capabilities:              (0x30b5) SCT Status supported.
                                        SCT Feature Control supported.
                                        SCT Data Table supported.

SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x002f   200   200   051    Pre-fail  Always       -       2
  3 Spin_Up_Time            0x0027   253   253   021    Pre-fail  Always       -       4808
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       825
  5 Reallocated_Sector_Ct   0x0033   200   200   140    Pre-fail  Always       -       0
  7 Seek_Error_Rate         0x002e   200   200   000    Old_age   Always       -       0
  9 Power_On_Hours          0x0032   098   098   000    Old_age   Always       -       1577
 10 Spin_Retry_Count        0x0032   100   100   000    Old_age   Always       -       0
 11 Calibration_Retry_Count 0x0032   100   100   000    Old_age   Always       -       0
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       321
192 Power-Off_Retract_Count 0x0032   200   200   000    Old_age   Always       -       176
193 Load_Cycle_Count        0x0032   198   198   000    Old_age   Always       -       6431
194 Temperature_Celsius     0x0022   119   098   000    Old_age   Always       -       33
196 Reallocated_Event_Count 0x0032   200   200   000    Old_age   Always       -       0
197 Current_Pending_Sector  0x0032   200   200   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0030   200   200   000    Old_age   Offline      -       0
199 UDMA_CRC_Error_Count    0x0032   200   200   000    Old_age   Always       -       0
200 Multi_Zone_Error_Rate   0x0008   200   200   000    Old_age   Offline      -       1

SMART Error Log Version: 1
No Errors Logged

SMART Self-test log structure revision number 1
No self-tests have been logged.  [To run self-tests, use: smartctl -t]

Selective Self-tests/Logging not supported

Here is the dmesg output (plain dmesg; I can't post all of it because of the character limit):

[   46.940566] wlan0: associated
[   46.989890] wlan0: Limiting TX power to 23 (23 - 0) dBm as advertised by 5c:49:79:56:19:f7
[   50.007552] usb 2-6: new SuperSpeed USB device number 2 using xhci_hcd
[   50.020426] usb 2-6: New USB device found, idVendor=1058, idProduct=2627, bcdDevice=40.08
[   50.020439] usb 2-6: New USB device strings: Mfr=2, Product=3, SerialNumber=1
[   50.020444] usb 2-6: Product: My Passport 2627
[   50.020448] usb 2-6: Manufacturer: Western Digital
[   50.020452] usb 2-6: SerialNumber: 575844314539393557524146
[   50.664550] usb-storage 2-6:1.0: USB Mass Storage device detected
[   50.665002] scsi host4: usb-storage 2-6:1.0
[   50.665220] usbcore: registered new interface driver usb-storage
[   50.676478] usbcore: registered new interface driver uas
[   51.678278] scsi 4:0:0:0: Direct-Access     WD       My Passport 2627 4008 PQ: 0 ANSI: 6
[   51.678667] scsi 4:0:0:1: Enclosure         WD       SES Device       4008 PQ: 0 ANSI: 6
[   51.682041] sd 4:0:0:0: [sdd] Spinning up disk...
[   51.703600] scsi 4:0:0:1: Wrong diagnostic page; asked for 1 got 8
[   51.703603] scsi 4:0:0:1: Failed to get diagnostic page 0x1
[   51.703605] scsi 4:0:0:1: Failed to bind enclosure -19
[   52.701886] ......ready
[   57.822064] sd 4:0:0:0: [sdd] Very big device. Trying to use READ CAPACITY(16).
[   57.822250] sd 4:0:0:0: [sdd] 9767475200 512-byte logical blocks: (5.00 TB/4.55 TiB)
[   57.822255] sd 4:0:0:0: [sdd] 4096-byte physical blocks
[   57.822540] sd 4:0:0:0: [sdd] Write Protect is off
[   57.822544] sd 4:0:0:0: [sdd] Mode Sense: 47 00 10 08
[   57.823041] sd 4:0:0:0: [sdd] No Caching mode page found
[   57.823048] sd 4:0:0:0: [sdd] Assuming drive cache: write through
[   57.983930]  sdd: sdd1
[   57.985534] sd 4:0:0:0: [sdd] Attached SCSI disk
[   57.985680] ses 4:0:0:1: Attached Enclosure device
[  137.355239] nvidia-nvlink: Nvlink Core is being initialized, major device number 507
[  137.355244] NVRM: The NVIDIA probe routine was not called for 1 device(s).
[  137.356116] NVRM: This can occur when a driver such as: 
               NVRM: nouveau, rivafb, nvidiafb or rivatv 
               NVRM: was loaded and obtained ownership of the NVIDIA device(s).
[  137.356117] NVRM: Try unloading the conflicting kernel module (and/or
               NVRM: reconfigure your kernel without the conflicting
               NVRM: driver(s)), then try loading the NVIDIA kernel module
               NVRM: again.
[  137.356118] NVRM: No NVIDIA devices probed.
[  137.356296] nvidia-nvlink: Unregistered the Nvlink Core, major device number 507
[  317.920451] device-mapper: table: 254:3: crypt: Device size is not multiple of sector_size feature
[  317.920455] device-mapper: ioctl: error adding target to table
[ 2685.464145] raid6: skip pq benchmark and using algorithm avx2x4
[ 2685.464148] raid6: using avx2x2 recovery algorithm
[ 2685.468011] xor: automatically using best checksumming function   avx       
[ 2685.528254] Btrfs loaded, crc32c=crc32c-intel, zoned=yes, fsverity=yes
[ 2685.564424] JFS: nTxBlock = 8192, nTxLock = 65536
[ 2685.582407] NILFS version 2 loaded
[ 2685.676402] SGI XFS with ACLs, security attributes, realtime, scrub, repair, quota, no debug enabled
[ 2692.757592]  sda: sda1 sda2 sda3 sda4
[ 2694.215474]  sdd: sdd1
[ 2768.779512] device-mapper: table: 254:3: crypt: Device size is not multiple of sector_size feature
[ 2768.779536] device-mapper: ioctl: error adding target to table
[ 3123.484363] usb 2-6: USB disconnect, device number 2
[ 4886.654141] usb 2-6: new SuperSpeed USB device number 3 using xhci_hcd
[ 4886.667772] usb 2-6: New USB device found, idVendor=1058, idProduct=2627, bcdDevice=40.08
[ 4886.667776] usb 2-6: New USB device strings: Mfr=2, Product=3, SerialNumber=1
[ 4886.667778] usb 2-6: Product: My Passport 2627
[ 4886.667779] usb 2-6: Manufacturer: Western Digital
[ 4886.667780] usb 2-6: SerialNumber: 575844314539393557524146
[ 4886.669555] usb-storage 2-6:1.0: USB Mass Storage device detected
[ 4886.669800] scsi host4: usb-storage 2-6:1.0
[ 4887.692812] scsi 4:0:0:0: Direct-Access     WD       My Passport 2627 4008 PQ: 0 ANSI: 6
[ 4887.693055] scsi 4:0:0:1: Enclosure         WD       SES Device       4008 PQ: 0 ANSI: 6
[ 4887.694634] ses 4:0:0:1: Attached Enclosure device
[ 4887.695784] sd 4:0:0:0: [sdd] Spinning up disk...
[ 4887.696087] ses 4:0:0:1: Wrong diagnostic page; asked for 1 got 8
[ 4887.696090] ses 4:0:0:1: Failed to get diagnostic page 0x1
[ 4887.696092] ses 4:0:0:1: Failed to bind enclosure -19
[ 4888.716288] ......ready
[ 4893.836679] sd 4:0:0:0: [sdd] Very big device. Trying to use READ CAPACITY(16).
[ 4893.836793] sd 4:0:0:0: [sdd] 9767475200 512-byte logical blocks: (5.00 TB/4.55 TiB)
[ 4893.836795] sd 4:0:0:0: [sdd] 4096-byte physical blocks
[ 4893.837071] sd 4:0:0:0: [sdd] Write Protect is off
[ 4893.837072] sd 4:0:0:0: [sdd] Mode Sense: 47 00 10 08
[ 4893.837383] sd 4:0:0:0: [sdd] No Caching mode page found
[ 4893.837385] sd 4:0:0:0: [sdd] Assuming drive cache: write through
[ 4893.996397]  sdd: sdd1
[ 4893.997502] sd 4:0:0:0: [sdd] Attached SCSI disk
[ 4951.411265] device-mapper: table: 254:3: crypt: Device size is not multiple of sector_size feature
[ 4951.411286] device-mapper: ioctl: error adding target to table

Answer 1

This is a problem with the size of the partition device.

Your partition is an odd number of 512-byte sectors (9767473119 sectors, as shown by fdisk). Your LUKS header is set up to use 4096-byte sectors (sector: 4096 [bytes], as shown by cryptsetup luksDump). That leaves 7 sectors on the partition that cannot be used.

Unfortunately, the device-mapper crypt target does not simply ignore the extra sectors but chokes on them, producing the following error message:

[ 8243.293778] device-mapper: table: 253:49: crypt: Device size is not multiple of sector_size feature (-EINVAL)
[ 8243.293781] device-mapper: ioctl: error adding target to table

In this case you have to set the partition size so that it is 4K-aligned, i.e. a multiple of 8 512-byte sectors. You can do this with parted resizepart or any other partitioning tool of your choice. Just make sure the partition's start sector stays unchanged.
