
I have a dd of a computer which has a LUKS-encrypted partition. I do not have the password but I do have a recovery key which would allow me to change the password through a GUI interface when the computer is booted. Unfortunately, I no longer have direct access to the source computer to reset the password.

What I wish to do is reset the password using the recovery key so I can then access the data. I can obviously dump the dd copy to a HDD and boot the system but is there a way to reset the LUKS password with the recovery key through a CLI? I am thinking the ideal scenario is to mount the DD and then reset the password.

forest
    What's the original OS? I can't seem to find a reference to a recovery key in luks. – user2313067 May 22 '17 at 16:07
  • Still can't find a reference to a recovery key. I see two possibilities: either it's a second key, or it's the master key. https://access.redhat.com/solutions/1543373 covers how to add a new password in both cases. If it's neither, someone with more knowledge of RHEL might be able to answer. – user2313067 May 22 '17 at 20:08
  • Is there anything else you want me to add to my answer? – forest May 20 '21 at 01:58

2 Answers


For the partition which is encrypted with LUKS, you will need to get the offset of the partition as well as the logical sector size of the device. Using sfdisk together with a regular expression is useful for this. Assuming the LUKS partition is partition 2 and the image file is backup.img:

# set the partition number for LUKS and the image file
partdev=./backup.img
partnum=2

# get offset of partition (in sectors), sector size, and the next free loop device.
# The pattern anchors on the partition number right before " : start=" so that
# partition 2 does not also match partition 12, and \K discards everything before
# the digits so that grep -o prints only the start sector.
partoff=$(sfdisk -d "$partdev" | grep -oP "[^0-9]${partnum} : start=\s*\K[0-9]+")
# %B is the block size stat reports in bytes (512 on Linux), which is also the
# unit sfdisk uses for a plain image file unless --sector-size is given
secsize=$(stat -c %B "$partdev")
loopdev=$(losetup -f)

# using these values, create a loop device, decrypt, and mount LUKS
losetup "$loopdev" -o $((partoff * secsize)) "$partdev"
cryptsetup luksOpen "$loopdev" backup_crypt
mount /dev/mapper/backup_crypt /mnt

You now have the decrypted filesystem available at /mnt. Do what you want with it. When you're finished, you need to unmount, close the LUKS device, and remove the loop device:

umount /mnt
cryptsetup luksClose backup_crypt
losetup -d $loopdev
forest
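The offset arithmetic in the answer above generalizes to a small script. This is an added example, not forest's code or part of cryptsetup: it parses sfdisk -d output, honours the sector-size: line that newer sfdisk versions print (falling back to 512), and checks that the computed byte offset really starts with the LUKS magic before the offset is handed to losetup. The sfdisk dump and the image built in demo are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original answers: compute a partition's byte
# offset from "sfdisk -d" output and confirm a LUKS header sits there before
# handing the offset to losetup.

# luks_part_offset <partnum> [dumpfile]  (reads stdin when no file is given)
# Honours the "sector-size:" line newer sfdisk prints; falls back to 512,
# the unit sfdisk assumes for a plain image file.
luks_part_offset() {
    awk -v n="$1" '
        /^sector-size:/ { ss = $2 }
        $0 ~ ("[^0-9]" n " : start=") {      # "img2 : start=" but not "img12"
            sub(/.*start= */, ""); sub(/,.*/, ""); start = $0
        }
        END { if (ss == "") ss = 512; if (start != "") print start * ss }
    ' "${2:--}"
}

# is_luks_at <image> <byte-offset>
# Succeeds only when the 6-byte LUKS magic ("LUKS" 0xBA 0xBE) is at the offset.
is_luks_at() {
    magic=$(dd if="$1" bs=1 skip="$2" count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# demo: constructed sfdisk dump plus a constructed image whose second
# partition (start sector 4096, 512-byte sectors) begins with the LUKS magic.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/dump" <<'EOF'
label: dos
device: ./backup.img
unit: sectors
sector-size: 512

./backup.img1 : start=        2048, size=        2048, type=83
./backup.img2 : start=        4096, size=       65536, type=83
EOF
    off=$(luks_part_offset 2 "$tmp/dump")            # 4096 * 512 = 2097152
    dd if=/dev/zero of="$tmp/backup.img" bs=512 count=4096 2>/dev/null
    printf 'LUKS\272\276' >> "$tmp/backup.img"
    if is_luks_at "$tmp/backup.img" "$off"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```

A failed is_luks_at check usually means the wrong partition number or a 4K-sector disk image dumped without --sector-size, which is cheaper to find out here than after losetup and a confusing "not a valid LUKS device" from cryptsetup.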

The recovery key added as part of the Ubiquity update for Debian sounds similar to what's described here, if it's one that is made during initial installation of the OS. If it is in fact similar or the same, then the recovery key merely acts as another backup password taking up one of the other key slots and can thus be treated as a secondary password used to add a new password.

But, if your goal was just to reset the password to access the data, you could just use the recovery key to access the data instead of using it to make a new one.

Back up

Make a backup of the LUKS header before making any changes so that if issues arise, it can easily be restored.

cryptsetup luksHeaderBackup /path/to/ddcomputer.img.dd --header-backup-file=/path/to/backupheader.luks

# the filename and file type for 'backupheader.luks' can be anything you wish
# and doesn't need to end in .luks

Since it's unclear whether the recovery key you have is one you would type in through the GUI interface described, or a key file, instructions for both are provided separately.

Accessing the Data

If the recovery key is created similarly to how it is in Ubiquity, use cryptsetup to unlock the image and then mount it for access.

sudo cryptsetup luksOpen /path/to/ddofcomputer.img.dd decrypt_dd
Enter a passphrase for /path/to/ddofcomputer.img.dd: [Enter the recovery key]

# The 'decrypt_dd' is just the name used for mapping and can be changed
# Once decrypted, the image will be available at /dev/mapper/decrypt_dd

Cryptsetup will ask you for a passphrase, whereby you can enter the recovery password to unlock it, then mount it and access it like normal.

"Resetting" the password

However, if you still prefer to add a new password, you can do so with cryptsetup by adding a new key to a key slot.

sudo cryptsetup luksAddKey /path/to/ddcomputer.img

Enter any existing passphrase: [enter recovery key]
Enter new passphrase for key slot: [enter desired password]
Verify passphrase: [enter desired password again]

This will add a new password to the next available key slot, which means the old password can still be used if needed. If you wanted to replace the previously existing password, you would need to specify the default key slot zero by adding --key-slot=0 to the above command.

If the Recovery Key is a File

However, if the recovery key is a file that is saved and is not just a text file containing the recovery password inside, then you can just designate the key file when using cryptsetup.

sudo cryptsetup luksAddKey /path/to/ddcomputer.img --key-file=/path/to/recoverykey.file

Enter any existing passph...

If you run into issues because you only needed to mount the root partition or data partition, then it's possible the system didn't recognize the image file as having LVM members.

Mounting an image.dd with LVM

To access the data it may be necessary to mount the system using the previously provided answer as described by forest, but a simpler and easier method would be to utilize kpartx, which saves you from having to find the offset and all that.

# Installing kpartx
sudo apt-get install kpartx

# Map the volumes inside the image file (after using cryptsetup luksOpen as above)
sudo kpartx -a -v /path/to/ddcomputer.img.dd

# Checking the volumes appear
ls -l /dev/mapper

# Activate the LVM volume group so its logical volumes get device nodes,
# then fetch the mapped names for mounting (lvscan prints /dev/<vg>/<lv> paths)
sudo vgchange -ay
sudo lvscan

# Mount using the logical volume path found in lvscan (replacing decrypt_dd
# with the volume group name it shows) at mountpoint /mnt
sudo mount /dev/decrypt_dd/root /mnt

Doedigo