(Possibly) corrupted LUKS header, and restoring the header does not work

I have tried everything I could find online. Research time since yesterday ;( I haven't found anyone, except for people struggling with the error I'm facing on GitLab (the error code I got was -1, not -4), on Reddit, or on a 2006 mailing list. I may have given unnecessary details. Sorry!

I have a 5TB WD drive that already contained dozens of files. I decided to build a small NAS with a Raspberry Pi 4. The thing is, what I want is LUKS encryption with BTRFS as the filesystem. At the time the drive was a single 5TB EXT4 partition.

I split the drive into two partitions (on my main computer; only 2.3TB was in use) and created a LUKS-protected BTRFS partition of half the drive's size. I moved everything onto the encrypted BTRFS partition, removed the EXT4 part, added it to LUKS, and then, after the encryption, grew the BTRFS partition to fill the whole drive; the passphrase stayed valid for LUKS the whole time. I backed up the LUKS header, figuring nothing could go wrong. The 5TB LUKS-BTRFS partition is protected by a passphrase only; no other slots etc. are configured. For about three weeks now I have been able to unlock and mount the drive on all my devices (Artix-Linux x86_64, Linuxmint, Debian Aarch64, Parted Magic) without any problems or error codes.

My OS of choice for the Pi 4 was Debian rather than Raspbian OS, because the latter lacked the kernel crypto API/features I thought I needed: serpent-xts-plain64, the cipher my drive is encrypted with. The NAS solution I use is OpenMediaVault. It doesn't support unlocking LUKS volumes etc. out of the box, so I unlocked the volume over SSH, mounted the device from the web UI, created an SMB share, and was even able to connect and exchange files for a day.

One day I woke up, connected to the SMB share, and found no files! lsblk quickly showed that the drive was not mounted and the encryption was closed. Mounting it is now impossible. I tried many distros/kernels and architectures (aarch64 and amd64) and tried to mount it on many systems using GParted, KDE's own disk mounter and so on, but nothing seems to work. Interestingly, I was able to change the passphrase with cryptsetup luksChangeKey /dev/sdd1: my passphrase was accepted and then successfully changed to a different one (as far as I can tell, the old passphrase was valid when I restored the header). As I said before, I have a backup of the usable LUKS header. I know it is the correct file, since I was told that restoring the wrong header could make things more complicated.

I hope I won't have to reinvent the wheel to decrypt the drive, but I will if I have to. :/

As far as I remember, I ran luksFormat with this command from my .zshrc:

cryptsetup -v luksFormat /dev/sdd1 --use-random --verify-passphrase --key-size=512 --hash=whirlpool --cipher=serpent-xts-plain64 --pbkdf=argon2id --type luks2

Output of cryptsetup --debug --verbose luksOpen /dev/sdd1 crypt:

❯ sudo cryptsetup --debug --verbose luksOpen /dev/sdd1 crypt
[sudo] password for user: 
# cryptsetup 2.4.2 processing "cryptsetup --debug --verbose luksOpen /dev/sdd1 crypt"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sdd1.
# Trying to open and read device /dev/sdd1 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/sdd1.
# Crypto backend (OpenSSL 1.1.1l  24 Aug 2021) initialized in cryptsetup library version 2.4.2.
# Detected kernel Linux 5.15.8-zen1-1-zen x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/sdd1.
# Opening lock resource file /run/cryptsetup/L_8:49
# Verifying lock handle for /dev/sdd1.
# Device /dev/sdd1 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/sdd1
# Verifying locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:cd57d8cf3e5d6bd82e34925c05ac3f84114d564dc1535d443d6003847ede9c03 (on-disk)
# Checksum:cd57d8cf3e5d6bd82e34925c05ac3f84114d564dc1535d443d6003847ede9c03 (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/sdd1
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:1fa2c8c216bef143a6841c7e6d7b1e737b39a832e3e8067ce580b103673c67b6 (on-disk)
# Checksum:1fa2c8c216bef143a6841c7e6d7b1e737b39a832e3e8067ce580b103673c67b6 (in-memory)
# Device size 5000946236928, offset 16777216.
# Device /dev/sdd1 READ lock released.
# PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# Activating volume crypt using token (any type) -1.
# dm version   [ opencount flush ]   [16384] (*1)
# dm versions   [ opencount flush ]   [16384] (*1)
# Detected dm-ioctl version 4.45.0.
# Detected dm-crypt version 1.23.0.
# Device-mapper backend running with UDEV support enabled.
# dm status crypt  [ opencount noflush ]   [16384] (*1)
No usable token is available.
# Interactive passphrase entry requested.
Enter passphrase for /dev/sdd1: 
# Activating volume crypt [keyslot -1] using passphrase.
# dm versions   [ opencount flush ]   [16384] (*1)
# dm status crypt  [ opencount noflush ]   [16384] (*1)
# Keyslot 0 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Running keyslot key derivation.
# Reading keyslot area [0x47000].
# Acquiring read lock for device /dev/sdd1.
# Opening lock resource file /run/cryptsetup/L_8:49
# Verifying lock handle for /dev/sdd1.
# Device /dev/sdd1 READ lock taken.
# Reusing open ro fd on device /dev/sdd1
# Device /dev/sdd1 READ lock released.
# Verifying key from keyslot 0, digest 0.
# Loading key (64 bytes, type logon) in thread keyring.
# dm versions   [ opencount flush ]   [16384] (*1)
# dm status crypt  [ opencount noflush ]   [16384] (*1)
# Calculated device size is 9767440351 sectors (RW), offset 32768.
# DM-UUID is CRYPT-LUKS2-355457dcd03343349b2121f41f3e0a5c-crypt
# Udev cookie 0xd4de97d (semid 4) created
# Udev cookie 0xd4de97d (semid 4) incremented to 1
# Udev cookie 0xd4de97d (semid 4) incremented to 2
# Udev cookie 0xd4de97d (semid 4) assigned to CREATE task(0) with flags DISABLE_LIBRARY_FALLBACK         (0x20)
# dm create crypt CRYPT-LUKS2-355457dcd03343349b2121f41f3e0a5c-crypt [ opencount flush ]   [16384] (*1)
# dm reload   (254:3) [ opencount flush securedata ]   [16384] (*1)
device-mapper: reload ioctl on crypt (254:3) failed: Invalid argument
# Udev cookie 0xd4de97d (semid 4) decremented to 1
# Udev cookie 0xd4de97d (semid 4) incremented to 2
# Udev cookie 0xd4de97d (semid 4) assigned to REMOVE task(2) with flags DISABLE_LIBRARY_FALLBACK         (0x20)
# dm remove crypt  [ opencount flush securedata ]   [16384] (*1)
# Uevent not generated! Calling udev_complete internally to avoid process lock-up.
# Udev cookie 0xd4de97d (semid 4) decremented to 1
# dm versions   [ opencount flush ]   [16384] (*1)
# dm status crypt  [ opencount noflush ]   [16384] (*1)
# Udev cookie 0xd4de97d (semid 4) decremented to 0
# Udev cookie 0xd4de97d (semid 4) waiting for zero
# Udev cookie 0xd4de97d (semid 4) destroyed
# Requesting keyring logon key for revoke and unlink.
# Releasing crypt device /dev/sdd1 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/sdd1.
# Unlocking memory.
Command failed with code -4 (wrong device or file specified).

Output of fdisk -l:

Disk /dev/sdd: 4.55 TiB, 5000947302400 bytes, 9767475200 sectors
Disk model: My Passport 2627
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: 2505C284-7B8A-4EAE-90CB-950187A84D57

Device     Start        End    Sectors  Size Type
/dev/sdd1   2048 9767475166 9767473119  4.5T Linux filesystem

The luksDump is surely needed as well, cryptsetup luksDump /dev/sdd1:

❯ sudo cryptsetup luksDump /dev/sdd1
LUKS header information
Version:        2
Epoch:          5
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           355457dc-d033-4334-9b21-21f41f3e0a5c
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: serpent-xts-plain64
        sector: 4096 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     serpent-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  5
        Memory:     1048576
        Threads:    4
        Salt:       67 4b ad d5 89 b5 64 b7 b7 46 61 0f a4 9f cb be 
                    52 90 11 99 8c c0 fb 81 be 6a d6 ac 58 f5 3c 12 
        AF stripes: 4000
        AF hash:    sha256
        Area offset:290816 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       whirlpool
        Iterations: 68985
        Salt:       d7 56 5e 8a d3 7c 7a 86 d3 fc b5 f8 d8 1e 6f 8d 
                    b3 fd 04 34 e7 08 ab 9a 33 92 2f 08 96 4b ff 74 
        Digest:     ed 9c d5 5f 0e df b3 f3 5b 71 95 09 9d f0 a8 b5 
                    9c a5 02 cb d0 1f f7 7b 52 d2 24 29 ee b2 7b 3f 
                    ed bc bd 1d f8 f7 bb 9f f7 c9 68 9b c9 be 86 66 
                    8b 24 5a 3c b7 b2 3e 93 7e d0 42 7c 7e e1 6d ec

SMART values, output of smartctl -a /dev/sdd:

❯ sudo smartctl -a /dev/sdd
smartctl 7.2 2020-12-30 r5155 [x86_64-linux-5.15.8-zen1-1-zen] (local build)
Copyright (C) 2002-20, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Model Family:     Western Digital Elements / My Passport (USB, AF)
Device Model:     WDC WD50NDZW-11MR8S1
Serial Number:    WD-WXD1E995WRAF
LU WWN Device Id: 5 0014ee 211f0443e
Firmware Version: 02.01A02
User Capacity:    5,000,947,523,584 bytes [5.00 TB]
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    5400 rpm
Form Factor:      2.5 inches
TRIM Command:     Available, deterministic
Device is:        In smartctl database [for details use: -P show]
ATA Version is:   ACS-3 (minor revision not indicated)
SATA Version is:  SATA 3.1, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is:    Fri Dec 17 16:02:40 2021 CET
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

General SMART Values:
Offline data collection status:  (0x82) Offline data collection activity
                                        was completed without error.
                                        Auto Offline Data Collection: Enabled.
Self-test execution status:      ( 249) Self-test routine in progress...
                                        90% of test remaining.
Total time to complete Offline 
data collection:                ( 2940) seconds.
Offline data collection
capabilities:                    (0x1b) SMART execute Offline immediate.
                                        Auto Offline data collection on/off support.
                                        Suspend Offline collection upon new
                                        command.
                                        Offline surface scan supported.
                                        Self-test supported.
                                        No Conveyance Self-test supported.
                                        No Selective Self-test supported.
SMART capabilities:            (0x0003) Saves SMART data before entering
                                        power-saving mode.
                                        Supports SMART auto save timer.
Error logging capability:        (0x01) Error logging supported.
                                        General Purpose Logging supported.
Short self-test routine 
recommended polling time:        (   2) minutes.
Extended self-test routine
recommended polling time:        ( 776) minutes.
SCT capabilities:              (0x30b5) SCT Status supported.
                                        SCT Feature Control supported.
                                        SCT Data Table supported.

SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x002f   200   200   051    Pre-fail  Always       -       2
  3 Spin_Up_Time            0x0027   253   253   021    Pre-fail  Always       -       4808
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       825
  5 Reallocated_Sector_Ct   0x0033   200   200   140    Pre-fail  Always       -       0
  7 Seek_Error_Rate         0x002e   200   200   000    Old_age   Always       -       0
  9 Power_On_Hours          0x0032   098   098   000    Old_age   Always       -       1577
 10 Spin_Retry_Count        0x0032   100   100   000    Old_age   Always       -       0
 11 Calibration_Retry_Count 0x0032   100   100   000    Old_age   Always       -       0
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       321
192 Power-Off_Retract_Count 0x0032   200   200   000    Old_age   Always       -       176
193 Load_Cycle_Count        0x0032   198   198   000    Old_age   Always       -       6431
194 Temperature_Celsius     0x0022   119   098   000    Old_age   Always       -       33
196 Reallocated_Event_Count 0x0032   200   200   000    Old_age   Always       -       0
197 Current_Pending_Sector  0x0032   200   200   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0030   200   200   000    Old_age   Offline      -       0
199 UDMA_CRC_Error_Count    0x0032   200   200   000    Old_age   Always       -       0
200 Multi_Zone_Error_Rate   0x0008   200   200   000    Old_age   Offline      -       1

SMART Error Log Version: 1
No Errors Logged

SMART Self-test log structure revision number 1
No self-tests have been logged.  [To run self-tests, use: smartctl -t]

Selective Self-tests/Logging not supported

Here is the dmesg output (shortened, since I can't post the full dmesg because of the character limit):

[   46.940566] wlan0: associated
[   46.989890] wlan0: Limiting TX power to 23 (23 - 0) dBm as advertised by 5c:49:79:56:19:f7
[   50.007552] usb 2-6: new SuperSpeed USB device number 2 using xhci_hcd
[   50.020426] usb 2-6: New USB device found, idVendor=1058, idProduct=2627, bcdDevice=40.08
[   50.020439] usb 2-6: New USB device strings: Mfr=2, Product=3, SerialNumber=1
[   50.020444] usb 2-6: Product: My Passport 2627
[   50.020448] usb 2-6: Manufacturer: Western Digital
[   50.020452] usb 2-6: SerialNumber: 575844314539393557524146
[   50.664550] usb-storage 2-6:1.0: USB Mass Storage device detected
[   50.665002] scsi host4: usb-storage 2-6:1.0
[   50.665220] usbcore: registered new interface driver usb-storage
[   50.676478] usbcore: registered new interface driver uas
[   51.678278] scsi 4:0:0:0: Direct-Access     WD       My Passport 2627 4008 PQ: 0 ANSI: 6
[   51.678667] scsi 4:0:0:1: Enclosure         WD       SES Device       4008 PQ: 0 ANSI: 6
[   51.682041] sd 4:0:0:0: [sdd] Spinning up disk...
[   51.703600] scsi 4:0:0:1: Wrong diagnostic page; asked for 1 got 8
[   51.703603] scsi 4:0:0:1: Failed to get diagnostic page 0x1
[   51.703605] scsi 4:0:0:1: Failed to bind enclosure -19
[   52.701886] ......ready
[   57.822064] sd 4:0:0:0: [sdd] Very big device. Trying to use READ CAPACITY(16).
[   57.822250] sd 4:0:0:0: [sdd] 9767475200 512-byte logical blocks: (5.00 TB/4.55 TiB)
[   57.822255] sd 4:0:0:0: [sdd] 4096-byte physical blocks
[   57.822540] sd 4:0:0:0: [sdd] Write Protect is off
[   57.822544] sd 4:0:0:0: [sdd] Mode Sense: 47 00 10 08
[   57.823041] sd 4:0:0:0: [sdd] No Caching mode page found
[   57.823048] sd 4:0:0:0: [sdd] Assuming drive cache: write through
[   57.983930]  sdd: sdd1
[   57.985534] sd 4:0:0:0: [sdd] Attached SCSI disk
[   57.985680] ses 4:0:0:1: Attached Enclosure device
[  137.355239] nvidia-nvlink: Nvlink Core is being initialized, major device number 507
[  137.355244] NVRM: The NVIDIA probe routine was not called for 1 device(s).
[  137.356116] NVRM: This can occur when a driver such as: 
               NVRM: nouveau, rivafb, nvidiafb or rivatv 
               NVRM: was loaded and obtained ownership of the NVIDIA device(s).
[  137.356117] NVRM: Try unloading the conflicting kernel module (and/or
               NVRM: reconfigure your kernel without the conflicting
               NVRM: driver(s)), then try loading the NVIDIA kernel module
               NVRM: again.
[  137.356118] NVRM: No NVIDIA devices probed.
[  137.356296] nvidia-nvlink: Unregistered the Nvlink Core, major device number 507
[  317.920451] device-mapper: table: 254:3: crypt: Device size is not multiple of sector_size feature
[  317.920455] device-mapper: ioctl: error adding target to table
[ 2685.464145] raid6: skip pq benchmark and using algorithm avx2x4
[ 2685.464148] raid6: using avx2x2 recovery algorithm
[ 2685.468011] xor: automatically using best checksumming function   avx       
[ 2685.528254] Btrfs loaded, crc32c=crc32c-intel, zoned=yes, fsverity=yes
[ 2685.564424] JFS: nTxBlock = 8192, nTxLock = 65536
[ 2685.582407] NILFS version 2 loaded
[ 2685.676402] SGI XFS with ACLs, security attributes, realtime, scrub, repair, quota, no debug enabled
[ 2692.757592]  sda: sda1 sda2 sda3 sda4
[ 2694.215474]  sdd: sdd1
[ 2768.779512] device-mapper: table: 254:3: crypt: Device size is not multiple of sector_size feature
[ 2768.779536] device-mapper: ioctl: error adding target to table
[ 3123.484363] usb 2-6: USB disconnect, device number 2
[ 4886.654141] usb 2-6: new SuperSpeed USB device number 3 using xhci_hcd
[ 4886.667772] usb 2-6: New USB device found, idVendor=1058, idProduct=2627, bcdDevice=40.08
[ 4886.667776] usb 2-6: New USB device strings: Mfr=2, Product=3, SerialNumber=1
[ 4886.667778] usb 2-6: Product: My Passport 2627
[ 4886.667779] usb 2-6: Manufacturer: Western Digital
[ 4886.667780] usb 2-6: SerialNumber: 575844314539393557524146
[ 4886.669555] usb-storage 2-6:1.0: USB Mass Storage device detected
[ 4886.669800] scsi host4: usb-storage 2-6:1.0
[ 4887.692812] scsi 4:0:0:0: Direct-Access     WD       My Passport 2627 4008 PQ: 0 ANSI: 6
[ 4887.693055] scsi 4:0:0:1: Enclosure         WD       SES Device       4008 PQ: 0 ANSI: 6
[ 4887.694634] ses 4:0:0:1: Attached Enclosure device
[ 4887.695784] sd 4:0:0:0: [sdd] Spinning up disk...
[ 4887.696087] ses 4:0:0:1: Wrong diagnostic page; asked for 1 got 8
[ 4887.696090] ses 4:0:0:1: Failed to get diagnostic page 0x1
[ 4887.696092] ses 4:0:0:1: Failed to bind enclosure -19
[ 4888.716288] ......ready
[ 4893.836679] sd 4:0:0:0: [sdd] Very big device. Trying to use READ CAPACITY(16).
[ 4893.836793] sd 4:0:0:0: [sdd] 9767475200 512-byte logical blocks: (5.00 TB/4.55 TiB)
[ 4893.836795] sd 4:0:0:0: [sdd] 4096-byte physical blocks
[ 4893.837071] sd 4:0:0:0: [sdd] Write Protect is off
[ 4893.837072] sd 4:0:0:0: [sdd] Mode Sense: 47 00 10 08
[ 4893.837383] sd 4:0:0:0: [sdd] No Caching mode page found
[ 4893.837385] sd 4:0:0:0: [sdd] Assuming drive cache: write through
[ 4893.996397]  sdd: sdd1
[ 4893.997502] sd 4:0:0:0: [sdd] Attached SCSI disk
[ 4951.411265] device-mapper: table: 254:3: crypt: Device size is not multiple of sector_size feature
[ 4951.411286] device-mapper: ioctl: error adding target to table

Answer 1

This is a problem with the size of the partition device.

Your partition has an odd number of 512-byte sectors (9767473119 sectors, as shown by fdisk). The LUKS header is set up to use 4096-byte sectors (sector: 4096 [bytes] in the cryptsetup luksDump output). That way, 7 sectors of the partition cannot be used.

Unfortunately, the device-mapper crypt target does not simply ignore the extra sectors; it is picky about them, which gives the error message:

[ 8243.293778] device-mapper: table: 253:49: crypt: Device size is not multiple of sector_size feature (-EINVAL)
[ 8243.293781] device-mapper: ioctl: error adding target to table

In this case you need to resize the partition so that its size is a multiple of 8 512-byte sectors, i.e. 4K aligned. You can do that with parted resizepart or any other partitioning tool you prefer. Make sure the start sector of the partition does not change.
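The arithmetic behind that answer, as an added example that is not part of the original question or answer. It checks whether a partition's 512-byte sector count, minus the LUKS2 data offset, divides evenly into the sector size declared in the header (the condition dm-crypt enforces when it prints "Device size is not multiple of sector_size feature"), and derives the end sector to hand to parted resizepart while keeping the start sector. The demo values are the ones from the fdisk -l and luksDump output above; the device path, the /sys lookups and the parted command (only printed, never run) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the check
# dm-crypt performs on a LUKS2 device whose header declares 4096-byte
# sectors: the data segment (partition size minus the LUKS header offset)
# must be a whole number of those sectors, otherwise the table reload fails
# with -EINVAL and cryptsetup reports "wrong device or file specified".
# Demo numbers come from the fdisk -l and luksDump output in the question.
# The device path and the parted invocation are assumptions and are only
# printed, never executed.

# dm_crypt_remainder SIZE_512 OFFSET_BYTES SECTOR_SIZE
# Prints how many trailing 512-byte sectors are left over after dividing
# the data segment into SECTOR_SIZE-byte sectors. 0 means dm-crypt accepts
# the device; anything else reproduces the failure seen above.
dm_crypt_remainder() {
    size_512=$1; offset_bytes=$2; sector_size=$3
    data_512=$(( size_512 - offset_bytes / 512 ))
    echo $(( data_512 % (sector_size / 512) ))
}

# aligned_end START_512 SIZE_512 OFFSET_BYTES SECTOR_SIZE
# Prints the inclusive end sector (512-byte units) to give parted so that
# the partition keeps its start and its data segment becomes a multiple of
# SECTOR_SIZE. It only ever shrinks, by at most SECTOR_SIZE/512 - 1 sectors.
aligned_end() {
    start=$1; size_512=$2; offset_bytes=$3; sector_size=$4
    rem=$(dm_crypt_remainder "$size_512" "$offset_bytes" "$sector_size")
    echo $(( start + size_512 - rem - 1 ))
}

# luks_field DEV NAME: pull "offset" or "sector" from the Data segments
# block of cryptsetup luksDump. Only the first match is used; the keyslot
# lines start with "Area", so "Area offset:" does not match.
luks_field() {
    cryptsetup luksDump "$1" | awk -v key="$2" '$1 == (key ":") { print $2; exit }'
}

# live_check PARTITION (assumed path such as /dev/sdd1): read the real
# values and print the parted command the answer recommends, without
# running it. Requires blockdev, lsblk and cryptsetup.
live_check() {
    part=$1
    name=$(basename "$part")
    size_512=$(blockdev --getsz "$part")
    start=$(cat "/sys/class/block/$name/start")
    partno=$(cat "/sys/class/block/$name/partition")
    disk=/dev/$(lsblk -no pkname "$part")
    offset_bytes=$(luks_field "$part" offset)
    sector_size=$(luks_field "$part" sector)
    rem=$(dm_crypt_remainder "$size_512" "$offset_bytes" "$sector_size")
    if [ "$rem" -eq 0 ]; then
        echo "$part: data segment is a multiple of $sector_size bytes, nothing to do"
        return 0
    fi
    end=$(aligned_end "$start" "$size_512" "$offset_bytes" "$sector_size")
    echo "$part: $rem trailing 512-byte sector(s) cannot be mapped with sector_size=$sector_size"
    echo "Back up the partition table first; the start sector $start is kept:"
    echo "  parted $disk unit s resizepart $partno ${end}s"
    return 1
}

# Demo with the values from the question: 9767473119 sectors starting at
# sector 2048, LUKS data offset 16777216 bytes, 4096-byte LUKS sectors.
demo() {
    rem=$(dm_crypt_remainder 9767473119 16777216 4096)
    end=$(aligned_end 2048 9767473119 16777216 4096)
    echo "remainder: $rem sector(s); new end sector for parted: $end"
}

if [ $# -gt 0 ]; then live_check "$1"; else demo; fi
```

With the question's numbers the remainder is 7 and the new end sector is 9767475159, seven sectors before the current end of 9767475166. Those 7 sectors were never mapped by dm-crypt with a 4096-byte sector size (the table was rejected outright), so dropping them from the partition loses no data; still take the usual precaution of saving the partition table (sfdisk -d) and the LUKS header before resizing.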
