Btrfs를 사용하여 암호화된 SSD에서 Arch Linux를 실행하는 시스템이 있고 키 파일을 사용하여 해당 시스템에서 보조 암호화 HDD를 켰습니다. 키 파일의 비밀번호는 내 Keepass 데이터베이스와 다른 시스템의 이전 키 파일에도 저장됩니다. 이제 SSD에 XFS를 사용하여 Proxmox를 설치하고 다음 명령을 실행하는 비밀번호로 암호화된 HDD를 열려고 했습니다.
# cryptsetup open /dev/sdX1 $mapper-name
이것은 "이 비밀번호에 사용할 수 있는 키가 없습니다."
뭐가 문제 야? 비밀번호는 절대적으로 유효합니다. Manjaro Live 시스템에서도 부팅을 시도했지만 동일한 오류가 발생했습니다.
LUKS 헤더를 업데이트하기 위해 아래 튜토리얼을 따랐을 수도 있지만 확실하지 않습니다. https://mjg59.dreamwidth.org/66429.html
동일한 시스템에 있는 다른 디스크의 잠금을 쉽게 해제할 수도 있습니다.
LUKS 헤더에 대한 자세한 내용은 나중에 첨부하겠습니다.
편집하다:
sudo cryptsetup luksOpen --debug /dev/sdb1 disk
# cryptsetup 2.6.1 processing "cryptsetup luksOpen --debug /dev/sdb1 disk"
# Verifying parameters for command open.
# Running command open.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sdb1.
# Trying to open and read device /dev/sdb1 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/sdb1.
# Crypto backend (OpenSSL 3.1.1 30 May 2023 [default][legacy]) initialized in cryptsetup library version 2.6.1.
# Detected kernel Linux 6.1.30-1-MANJARO x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/sdb1.
# Opening lock resource file /run/cryptsetup/L_8:17
# Verifying lock handle for /dev/sdb1.
# Device /dev/sdb1 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/sdb1
# Verifying locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:e5cfc6dda22398807501ba54430599cad64b8d69c370427636e4da9d4b5695fb (on-disk)
# Checksum:e5cfc6dda22398807501ba54430599cad64b8d69c370427636e4da9d4b5695fb (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/sdb1
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:913b9d0d992b2b39071b1f6d6a82e4b6e8efcb27017e0be770eaea656c916fa1 (on-disk)
# Checksum:913b9d0d992b2b39071b1f6d6a82e4b6e8efcb27017e0be770eaea656c916fa1 (in-memory)
# Device size 4000785104896, offset 16777216.
# Device /dev/sdb1 READ lock released.
# PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# Activating volume disk using token (any type) -1.
# dm version [ opencount flush ] [16384] (*1)
# dm versions [ opencount flush ] [16384] (*1)
# Detected dm-ioctl version 4.47.0.
# Detected dm-crypt version 1.24.0.
# Device-mapper backend running with UDEV support enabled.
# dm status disk [ opencount noflush ] [16384] (*1)
No usable token is available.
# Interactive passphrase entry requested.
Enter passphrase for /dev/sdb1:
# Activating volume disk [keyslot -1] using passphrase.
# dm versions [ opencount flush ] [16384] (*1)
# dm status disk [ opencount noflush ] [16384] (*1)
# Keyslot 0 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Running keyslot key derivation.
# Reading keyslot area [0x8000].
# Acquiring read lock for device /dev/sdb1.
# Opening lock resource file /run/cryptsetup/L_8:17
# Verifying lock handle for /dev/sdb1.
# Device /dev/sdb1 READ lock taken.
# Reusing open ro fd on device /dev/sdb1
# Device /dev/sdb1 READ lock released.
# Verifying key from keyslot 0, digest 0.
# Digest 0 (pbkdf2) verify failed with -1.
No key available with this passphrase.
# Interactive passphrase entry requested.
Enter passphrase for /dev/sdb1:
# Activating volume disk [keyslot -1] using passphrase.
# dm versions [ opencount flush ] [16384] (*1)
# dm status disk [ opencount noflush ] [16384] (*1)
# Keyslot 0 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Running keyslot key derivation.
# Reading keyslot area [0x8000].
# Acquiring read lock for device /dev/sdb1.
# Opening lock resource file /run/cryptsetup/L_8:17
# Verifying lock handle for /dev/sdb1.
# Device /dev/sdb1 READ lock taken.
# Reusing open ro fd on device /dev/sdb1
# Device /dev/sdb1 READ lock released.
# Verifying key from keyslot 0, digest 0.
# Digest 0 (pbkdf2) verify failed with -1.
No key available with this passphrase.
# Interactive passphrase entry requested.
Enter passphrase for /dev/sdb1:
# Activating volume disk [keyslot -1] using passphrase.
# dm versions [ opencount flush ] [16384] (*1)
# dm status disk [ opencount noflush ] [16384] (*1)
# Keyslot 0 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Running keyslot key derivation.
# Reading keyslot area [0x8000].
# Acquiring read lock for device /dev/sdb1.
# Opening lock resource file /run/cryptsetup/L_8:17
# Verifying lock handle for /dev/sdb1.
# Device /dev/sdb1 READ lock taken.
# Reusing open ro fd on device /dev/sdb1
# Device /dev/sdb1 READ lock released.
# Verifying key from keyslot 0, digest 0.
# Digest 0 (pbkdf2) verify failed with -1.
No key available with this passphrase.
# Releasing crypt device /dev/sdb1 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/sdb1.
Command failed with code -2 (no permission or bad passphrase).
그리고..
sudo cryptsetup luksDump /dev/sdb1
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 276a0c49-344d-452b-98e0-9aaad8cc93f5
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 4096 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 10
Memory: 1048576
Threads: 4
Salt: 0b 00 e6 b8 0d dd 0c 4f 14 e6 33 84 02 83 ba 12
66 40 4f 6d 15 65 f2 e0 c2 23 ef 73 03 0f af ac
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 275072
Salt: c0 b8 a4 2b e0 c0 f6 db 1f b5 c1 26 9b 8e 90 4f
7e 5f fc 40 e6 89 0e 00 92 21 d9 c2 b1 f9 91 f9
Digest: 43 58 b1 65 ba a3 84 0e bf 3b d5 06 e1 38 d9 47
2a 7f fa 00 52 75 07 69 e9 77 10 e3 a8 d5 a5 77