32

I have a Debian Wheezy server that's been running for a while with an encrypted drive. The password for the encrypted drive (/dev/sda5) was lost when my encrypted password file was corrupted.

I'd like to be able to reboot this server, but that will of course require that password. Since the drive is clearly in a decrypted state, is there a way to change the password without knowing the old one?

cryptsetup luksChangeKey /dev/sda5 requires the password of the volume.

I could of course rsync everything off and rebuild, but I'd like to avoid that. I looked through memory (`# cat /dev/mem | less`), but was unable to find it (which is a very good thing!).

Gilles 'SO- stop being evil'
Ethan
  • 2
    Hmmmm....What would be the point of having an encrypted filesystem if it was so easy to get access to it without the password. – mdpc Oct 13 '14 at 21:13
  • 9
    @mdpc: Your quip doesn't make sense. He ***has*** access to the filesystem, because he ***had*** the password when the server last booted. – G-Man Says 'Reinstate Monica' Oct 13 '14 at 21:18
  • 2
    Just because you HAD the password (and it got corrupted) does not invalidate my comment. In general if you forget the password for any type of encrypted material, it should be lost forever otherwise what was the point of encrypting it in the first place? – mdpc Oct 13 '14 at 21:20
  • 3
    @mdpc Present tense, he has current access to the filesystem. – phemmer Oct 13 '14 at 21:26
  • Same question on Super User: [Lost LUKS password, encrypted partition open](http://superuser.com/q/774834/354511) (not answered). – G-Man Says 'Reinstate Monica' Oct 14 '14 at 18:06

1 Answer

44

Yes, you can do this by accessing the master key while the volume is decrypted.

The quick and dirty way to add a new passphrase:

device=/dev/sda5
volume_name=foo
cryptsetup luksAddKey $device --master-key-file <(dmsetup table --showkeys $volume_name | awk '{ print $5 }' | xxd -r -p)

device and volume_name should be set appropriately.
volume_name is the name of the decrypted volume, the one you see in /dev/mapper.


Explanation:

LUKS volumes encrypt their data with a master key. Each passphrase you add simply stores a copy of this master key encrypted with that passphrase. So if you have the master key, you simply need to use it in a new key slot.

Let's tear apart the command above.

$ dmsetup table --showkeys $volume_name

This dumps a bunch of information about the actively decrypted volume. The output looks like this:

0 200704 crypt aes-xts-plain64 53bb7da1f26e2a032cc9e70d6162980440bd69bb31cb64d2a4012362eeaad0ac 0 7:2 4096

Field #5 is the master key.


$ dmsetup table --showkeys $volume_name | awk '{ print $5 }' | xxd -r -p

Not going to show the output of this as it's binary data, but what this does is grab the master key for the volume, and then convert it into raw binary data which is needed later.


$ cryptsetup luksAddKey $device --master-key-file <(...)

This is telling cryptsetup to add a new key to the volume. Normally this action requires an existing key, however we use --master-key-file to tell it we want to use the master key instead.
The <(...) is shell command substitution & redirection. It basically executes everything inside, sends the output to a pipe, and then substitutes the <(...) with a path to that pipe.


So the whole command is just a one-liner to condense several operations.

phemmer
  • I'm not sure if I'm doing something wrong but my LUKS doesn't show a string at all like the one you're showing in the example. It's a short little 9 digit number. Also mine shows as "linear 8:3". – slm Oct 13 '14 at 23:38
  • @slm If it's showing `linear`, then that's not an open LUKS volume (wrong value for `volume_name` in the provided command). An open LUKS volume will have `crypt` in the 3rd field. In `cryptsetup luksOpen /dev/foo bar`, the `volume_name` value would be `bar`. – phemmer Oct 14 '14 at 00:27
  • Got it now. There's a volume under `/dev/mapper` named `luks-.....`. That's the volume you need to be using, not the LVM, mapped logical volume. – slm Oct 14 '14 at 00:37
  • 1
    It seems that with recent versions of dmsetup the format of `dmsetup table` has changed. At least for me the master key is shown in column `$6`. – Karol Babioch Apr 11 '15 at 16:28
  • @KarolBabioch you probably did not specify the volume name? – frostschutz Apr 11 '15 at 17:01
  • On RHEL 6.x, you can't use /dev/mapper names. Instead, the volume name comes from /etc/crypttab – mellow-yellow May 23 '16 at 21:05
  • 1
    Note: This does not work with LUKS2. – Zulakis Jun 10 '20 at 06:13
  • @Zulakis That would be a good new question! :-) – phemmer Jun 10 '20 at 16:10
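The procedure in the answer, with the checks the comments under it call for, as an added example that is not part of the original answer: the mapping must be a `crypt` target (the `luks-...` or crypttab name, not an LVM logical volume stacked on it); when `dmsetup table --showkeys` is run without a name it prefixes each line with `name: ` and the key shifts one column, so the script locates the literal `crypt` token instead of hard-coding `$5`; and on LUKS2 containers opened by cryptsetup 2.x the volume key normally lives in the kernel keyring, so the table shows a `:64:logon:cryptsetup:...` reference rather than hex, which is why the one-liner fails there and the script refuses to continue. `dmsetup`, `cryptsetup --master-key-file` and `xxd` are the real tools from the answer; the function names, the FIFO hand-off (so the raw key never touches a temp file on disk) and the constructed sample table lines are mine. The `add_passphrase_from_open_volume` function needs root and is only invoked when the script is given two arguments.

```shell
#!/bin/sh
# Added example, not from the original answer. Recovers the volume (master) key of an
# open LUKS1 mapping from the device-mapper table and uses it to enrol a new passphrase.

# extract_master_key LINE
#   Prints the hex master key from one `dmsetup table --showkeys` line. Handles both
#   "0 200704 crypt aes-xts-plain64 <hex> 0 7:2 4096" and the "name: ..." prefixed
#   form by finding the "crypt" target and taking the field two positions after it.
#   Exit status: 1 = not a dm-crypt mapping (e.g. a linear/LVM target),
#                2 = key held in the kernel keyring (":<len>:logon:..." reference),
#                3 = key field is not plausible hex.
extract_master_key() {
    # shellcheck disable=SC2086
    set -- $1
    while [ $# -gt 0 ] && [ "$1" != "crypt" ]; do
        shift
    done
    [ $# -ge 3 ] || return 1
    key=$3
    case $key in
        :*) return 2 ;;                      # LUKS2 / cryptsetup 2.x keyring reference
    esac
    case $key in
        *[!0-9a-fA-F]*|'') return 3 ;;
    esac
    # dm-crypt keys are whole bytes; 16 bytes is the smallest size worth accepting
    [ $(( ${#key} % 2 )) -eq 0 ] && [ ${#key} -ge 32 ] || return 3
    printf '%s\n' "$key"
}

# add_passphrase_from_open_volume DEVICE MAPPER_NAME
#   DEVICE is the LUKS container (e.g. /dev/sda5), MAPPER_NAME the open mapping
#   under /dev/mapper. Prompts cryptsetup for the new passphrase. Needs root.
add_passphrase_from_open_volume() {
    device=$1
    name=$2
    table=$(dmsetup table --showkeys "$name") || return 1
    hex=$(extract_master_key "$table")
    rc=$?
    if [ "$rc" -ne 0 ]; then
        case $rc in
            1) echo "$name is not a dm-crypt mapping; use the luks-*/crypttab name, not an LV" >&2 ;;
            2) echo "$name keeps its key in the kernel keyring; dmsetup cannot reveal it" >&2 ;;
            *) echo "unexpected key field in dmsetup table for $name" >&2 ;;
        esac
        return 1
    fi
    # Feed the raw key over a FIFO (mode 0600) so it is never written to persistent storage.
    fifo=$(mktemp -u) || return 1
    mkfifo -m 600 "$fifo" || return 1
    printf '%s' "$hex" | xxd -r -p > "$fifo" &
    writer=$!
    cryptsetup luksAddKey "$device" --master-key-file "$fifo"
    rc=$?
    kill "$writer" 2>/dev/null   # unblock the writer if cryptsetup never opened the FIFO
    wait "$writer" 2>/dev/null
    rm -f "$fifo"
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    add_passphrase_from_open_volume "$1" "$2"
fi
```

After a successful run, `cryptsetup luksDump "$device"` should list one more `ENABLED` key slot, and `cryptsetup luksOpen --test-passphrase "$device"` lets you confirm the new passphrase unlocks the header without touching the running mapping; do that before rebooting.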