How to recover after removing only LUKS key?

Question

In a stupid attempt to disable LUKS encryption, I have done

cryptsetup luksRemoveKey

to my only key. So now everytime I try to boot my Fedora-21, it asks for the passphrase but obviously does not recognize it, and says

Reached target System Initialization
Reached target Basic System

and that's it. Is there a way to recover from this or I have to reformat my hard disk?

cryptsetup luksAddKey

doesn't seem to work in this case.

score 6 · Answer 1 · edited Apr 13 '17 at 12:36

As the man page states, it's game over.

Removing the last passphrase makes the LUKS container permanently inaccessible.

That is, if you really removed the last key. Does cryptsetup luksDump show DISABLED for all key slots?

Normally cryptsetup prevents you from doing that, or at least asks for confirmation:

# cryptsetup luksRemoveKey foobar
Enter passphrase to be deleted: 

WARNING!
========
This is the last keyslot. Device will become unusable after purging this key.

Are you sure? (Type uppercase yes): NO, ABSOLUTELY NOT OKAY!

It does that unless it's in batch mode or reads the passphrase from a pipe.

Personally I feel it should prevent you even then, after all if you really wanted to make it inaccessible you could just as well use luksErase directly. But that's not how it seems to work.

It would be a different story if you either had a backup of the LUKS header, or if the LUKS container was still open. The backup of the LUKS header you could just restore or use with luksOpen --header thebackup.header.

For an open LUKS container, you could obtain the master key with dmsetup table --showkeys and build a new LUKS header out of that as shown in this answer (it obtains the master key a different way but it's the same concept).

This does not work with a mounted volume though - so if its your / mounted volume that does not work. — Manuel Manhart, Jul 30 '21 at 17:26

score 2 · Answer 2 · answered Feb 05 '15 at 00:35

From the cryptsetup manual:

Removing the last passphrase makes the LUKS container permanently inaccessible.

That's an inherent property of the design of LUKS. Each key slot contains the actual encryption key, wrapped by a key derived from the passphrase. If there is no slot left containing a wrapped key, then there is no copy of the key anymore.

I'm afraid you'll have to restore your data from a backup.

How to recover after removing only LUKS key?

2 Answers2