Hi, I’m having an issue whereby I can no longer open/unlock a LUKS partition on an RL8_8 installation after a dnf update upgraded it to RL8_10.
This install has been booting and unlocking just fine for years until now!
There are two key slots in use: the first slot is a passphrase, the second an on-disk key file.
Both methods of unlocking have worked perfectly up until a recent upgrade from 8.8 to 8.10 and a reboot.
The passphrase is known good and has been both typed and copy-pasted via ssh; there are no keymap issues or strange characters.
The on-disk key file has not been modified in any way, and has worked fine in the past with /etc/crypttab.
I’ve tried rolling back the dnf updates (although I can only roll back so far), rebooting into older kernels, and rebuilding the initramfs with dracut -f.
I’m not able to test with a live-usb distro at the moment due to the machine being in a remote office.
Any wisdom is appreciated; I attach some info below:
cat /etc/redhat-release
Rocky Linux release 8.10 (Green Obsidian)
/etc/crypttab
# <target name> <source device> <key-file> <options>
unencrypted-home UUID=9ef38ae0-6dcf-4ed3-bba7-99c271590d90 /root/.encrypted-disk-keys/.md0-luks.keyfile nofail
journalctl -b | grep -E crypt|luks
$ journalctl -b | grep -E crypt\|luks
Nov 19 18:20:29 highlander.<domain redacted> kernel: cryptd: max_cpu_qlen set to 1000
Nov 19 18:20:29 highlander.<domain redacted> kernel: Key type encrypted registered
Nov 19 18:20:29 highlander.<domain redacted> kernel: Freeing unused decrypted memory: 2036K
Nov 19 18:20:44 highlander.<domain redacted> systemd[1]: Starting Cryptography Setup for unencrypted-home...
Nov 19 18:20:45 highlander.<domain redacted> systemd-cryptsetup[1104]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90.
Nov 19 18:20:49 highlander.<domain redacted> systemd-cryptsetup[1104]: Failed to activate with key file '/root/.encrypted-disk-keys/.luks.keyfile'. (Key data incorrect?)
Nov 19 18:23:16 highlander.<domain redacted> sudo[3235]: bytecode : TTY=pts/1 ; PWD=/home/bytecode ; USER=root ; COMMAND=/sbin/modprobe dm-crypt
Nov 19 18:23:20 highlander.<domain redacted> sudo[3351]: bytecode : TTY=pts/1 ; PWD=/home/bytecode ; USER=root ; COMMAND=/sbin/cryptsetup luksOpen UUID=9ef38ae0-6dcf-4ed3-bba7-99c271590d90 unencrypted-home --key-file /root/.encrypted-disk-keys/.luks.keyfile
Unlocking now fails with keyfile:
sudo cryptsetup luksOpen UUID=9ef38ae0-6dcf-4ed3-bba7-99c271590d90 decrypted-data --key-file /root/.luks-keys/.luks.keyfile
No key available with this passphrase.
Unlocking fails with manually typed passphrase:
$ sudo cryptsetup luksOpen UUID=9ef38ae0-6dcf-4ed3-bba7-99c271590d90 decrypted-data
Enter passphrase for /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90:
No key available with this passphrase.
Enter passphrase for /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90:
No key available with this passphrase.
Enter passphrase for /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90:
No key available with this passphrase
Kernels
sudo dnf list --showduplicates kernel
Installed Packages
kernel.x86_64 4.18.0-348.23.1.el8_5
kernel.x86_64 4.18.0-513.11.1.el8_9
kernel.x86_64 4.18.0-553.22.1.el8_10
kernel.x86_64 4.18.0-553.27.1.el8_10
Available Packages
kernel.x86_64 4.18.0-553.el8_10 baseos
kernel.x86_64 4.18.0-553.5.1.el8_10 baseos
kernel.x86_64 4.18.0-553.8.1.el8_10 baseos
kernel.x86_64 4.18.0-553.16.1.el8_10 baseos
kernel.x86_64 4.18.0-553.22.1.el8_10 baseos
kernel.x86_64 4.18.0-553.27.1.el8_10 baseos
cryptsetup --version
$ cryptsetup --version
cryptsetup 2.3.7
dm_crypt mods
lsmod | grep crypt
crypto_user 16384 0
dm_crypt 49152 0
dm_mod 155648 14 dm_crypt,dm_log,dm_mirror
cryptsetup --debug luksDump (with redacted salts)
# cryptsetup 2.3.7 processing "cryptsetup --debug luksDump UUID=9ef38ae0-6dcf-4ed3-bba7-99c271590d90"
# Running command luksDump.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90.
# Trying to open and read device /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90.
# Crypto backend (OpenSSL 1.1.1k FIPS 25 Mar 2021) initialized in cryptsetup library version 2.3.7.
# Detected kernel Linux 4.18.0-513.11.1.el8_9.x86_64 x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90.
# Opening lock resource file /run/cryptsetup/L_9:127
# Verifying lock handle for /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90.
# Device /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90
# Veryfing locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:a52750216882e160570eaa8e3fe5bae67b4b212adfc842c248315a696ccce598 (on-disk)
# Checksum:a52750216882e160570eaa8e3fe5bae67b4b212adfc842c248315a696ccce598 (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:575a4d0be10b409c6a737c06b9a321d2c7ca7162e990679f6ad73284a440e4f6 (on-disk)
# Checksum:575a4d0be10b409c6a737c06b9a321d2c7ca7162e990679f6ad73284a440e4f6 (in-memory)
# Device size 8001300725760, offset 16777216.
# Device /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90 READ lock released.
# PBKDF argon2i, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
LUKS header information
Version: 2
Epoch: 4
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 9ef38ae0-6dcf-4ed3-bba7-99c271590d90
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2i
Time cost: 14
Memory: 1048576
Threads: 4
Salt: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
1: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2i
Time cost: 14
Memory: 1048576
Threads: 4
Salt: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
AF stripes: 4000
AF hash: sha256
Area offset:290816 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 396586
Salt: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
Digest: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
# Releasing crypt device /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/disk/by-uuid/9ef38ae0-6dcf-4ed3-bba7-99c271590d90.
# Unlocking memory.
Command successful.
Any help debugging this issue is much appreciated.
Thank you.
Edit 1: updated luks dump to have --debug info