• 0 Posts
  • 3 Comments
Joined 1 year ago
cake
Cake day: October 20th, 2023

help-circle
  • Success! I have a working key file…

    root@ubuntu:/home/ubuntu/Downloads# cryptsetup -v luksOpen /dev/sda3 luks-01 --key-file ./key-file.key
    No usable token is available.
    Warning: keyslot operation could fail as it requires more than available memory.
    Key slot 1 unlocked.
    Command successful.
    root@ubuntu:/home/ubuntu/Downloads# cryptsetup -v luksOpen /dev/sda4 luks-02 --key-file ./key-file.key
    No usable token is available.
    Warning: keyslot operation could fail as it requires more than available memory.
    Key slot 1 unlocked.
    Command successful.
    

    Success on the first volume, which I picked as first because it was only 53M in size. Mounted it to /mnt… And guess what I found inside it?

    root@ubuntu:/home/ubuntu/Downloads# ls -l /mnt/device/private-keys-v1/
    total 4
    -rw------- 1 root root 2459 Oct 18 18:29 O8CbAEpnfm7jGKkMqnokmdMBlE1oV6Xma_bUNudlshDYPxE4aJNhbhiGnF360Ze4
    

    That is a key, but not connected to either LUKS container there… I dumped the headers of both LUKS. There are 2 key-slots, and the key translated from the recovery key is in slot one of both containers, The second key-slot's key must be the TPM's key, which is unknown if that is stored anywhere except the TPM…

    But is shouldn't matter now… Because that key-file did work to add a new passphrase to both LUKS containers.

    Thank you @Skull giver.


  • @Skull giver – I mentioned this above, but couldn't link it to you.

    I like the code but the go run recover.go 2> key.text does not redirect the key to a file. It does not get input of the recovery key, so errors. Could you please add a few lines to write it directly to that file, instead of displaying it? (or output to both?)

    As someone thought, what is displayed onscreen is jibberish, because console cannot display raw hex characters… I'm thinking the LUKS key in the keyslot is raw or hex.

    As I now know, it is translated. And we can get the recovery key (hopefully) translated the other way around…

    If I can just find the valid key value, and write it to a file, then I can help @inchbinjasokreativ to write it back to his TPM. I've already written a BASH script to do that, but am just missing that key-file. I have the problem replicated to a VM, so can test it on that first.


  • As you can see by my UserName, I am the person who filed that Bug as a danger to users… Specifically brought up by @ichbinsokreativ, me trying to help him…

    Thank you Skull giver for the golang code, I had to debug your code, to get it to run, because of the forum transposing HTML char codes for some characters… Unfortunatley, displaying the result onto console displays 'jibberish', as you thought might happen. Console cannot display raw hex characters.

    Redirecting the output as you posted doesn't work, as the script then doesn't get the input of the recovery key, so errors.

    I have a request… I know a lot of languages, but GO isn't one of them. Please… Could you please add a few lines to write the result directly to a file called recovery.key? Then if raw or hex, it would get to a key-file… Then I can test if that is going to work to add additional keys to the LUKS containers, and to be able to help people re-enroll the TPM key.

    If you could, they we would have a recovery work-around.

    Yes. They did something similar for past ZFS encryptions i their canned installs, but used native ZFS encryption, with a locked encrytped keyfile stored within a LUKS container, that had to be unlocked and mounted before unlocking the ZFS pools. Sometimes I don't follow the logic behind some things.

    It seems like they often add complication to what should be simpler.