-
-
Notifications
You must be signed in to change notification settings - Fork 152
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Failed to open tomb - a troubleshooting journey with happy ending #311
Comments
mount fails, anything related in dmesg? can't tell if the tomb was correctly formatted and how, however you can use devices appearing in /dev/mapper just like normal volumes, to check their integrity. |
Dmesg does not say something related about the failed mounting of the tomb. In /dev/mapper only control appears, which is not a valid block device. (process:8007): Gtk-WARNING **: 16:28:15.941: Locale not supported by C library. (pinentry-gtk-2:8007): Gtk-WARNING **: 16:28:15.972: Unable to locate theme engine in module_path: "adwaita", (pinentry-gtk-2:8007): Gtk-WARNING **: 16:28:15.981: Unable to locate theme engine in module_path: "adwaita", |
I suspect is not a problem in tomb, you need to know what cryptsetup returns and if there are the filesystems needed (ext3/4). |
Where can I find the cryptsetup log? |
If you use your key in clear as indicated in Tomb's README you can get to the bare mount operation:
then you can start adding arguments to cryptsetup according to its manpage, to have a verbose output about its problems. I hope you find out, can't help any further than this. I also recommend testing all on another system just to be sure, for instance a liveCD like heads.dyne.org |
Thanks! |
The output of cryptsetup: |
How could the LUKS2 header be destroyed? This is a new hard drive which I only used for the backup. |
Is there any possibility to restore the LUKS2 header? I read that it is impossible to decrypt the tomb without the information out of the header but I still have a little bit hope. |
wow yes, you guess right the header is not there and cryptsetup seems to try reading at different offsets for repair. So that's the problem. Technically speaking and AFAIK the only thing you need from the header really is the |
Thanks for the explanation. I feel like doing something new every day. Yesterday I dealt the first time in more detail with encryption using dm_crypt, the next time I will have to dive deeper into the file system. |
using |
BTW your case confirms my plan to add a feature in tomb that makes a backup of the header, should call it "tombstone" perhaps. |
👍 Thank you very much. I will try it in the next time. |
That's why I love free (as in freedom) software: You can see how it works, where it fails, improve it and there's a great community around which helps you when you are in trouble. |
A few minutes ago I tried to open it on a Open SUSE Leap 42.3 system with self-compiled tomb 2.5 and you have 3 tries to guess why I posted a firework picture: |
Lovely, I'm happy for you. You also keep good nerves and never gave up. Feel free to keep this post alive, I think is an informative journey into troubleshooting. Ciao. |
Giving up was no alternative: In the tomb was stored the only backup of a broken hard drive with a programmer's, a pro-user's and a part-time hobby photographer's work of seven months. I will change my backup strategy. The backup in the tomb will not be my only backup in the future, I will put a second unencrypted backup on another drive. |
Does this mean LUKS2 is now supported? I am a bit confused as it is not mentioned in the docs and the few issues that mention LUKS2 are from a few years ago, e.g., #343. Does LUKS2 provide technical advantages over LUKS1 as far as security is concerned? Is LUKS2 the default in |
Tomb volumes are LUKS1 only. This is hardcoded around line 1263 of the tomb script
Most advantages are about integrity, some improvement to brute-force protection, see the LUKS2 FAQ
No is not default and no there is no way to use it up until now with Tomb 2.x series.
You are patching an old version of the tomb script since this fix is now included. There should be no danger in doing so, however keep an eye on KNOWN BUGS to see if anything has been happening that affects your setup.
As you like, its on my mind anyway, but with low priority. Since this change will introduce multiple incompatible formats, I'm also considering wider support for tc-play and veracrypt and this may all converge in a new major Tomb v3 release some day. |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Problem
More or less important additional information:
Log
tomb [D] Identified caller: ___ (1000:985)
tomb [D] Tomb command: open _____
tomb [D] Caller: uid[1000], gid[985], tty[/dev/pts/1].
tomb [D] Temporary directory: /tmp/zsh
tomb . Commanded to open tomb _____
tomb [D] is_valid_tomb _____
tomb . Valid tomb file found: _____
tomb [D] load_key argument: / __ / __ /
tomb [D] load_key: / __ / __ /
tomb [D] is_valid_key
tomb . Key is valid.
tomb . Mountpoint not specified, using default: / __ / __ /
tomb (*) Opening ___ on / __ / __ /
tomb . This tomb is a valid LUKS encrypted device.
tomb . Cipher is "aes" mode "xts-plain64:sha256" hash "sha256"
tomb [D] dev mapper device: tomb.___.1522689414.loop0
tomb [D] Tomb key: / __ / __ /
tomb [D] Tomb name: ___ (to be engraved)
tomb . A password is required to use key / __ / __ /
tomb [D] asking password with tty=/dev/pts/1 lc-ctype=en_US.UTF8
tomb [D] using pinentry-gtk2
(process:1958): Gtk-WARNING **: 19:16:54.257: Locale not supported by C library.
Using the fallback 'C' locale.
(pinentry-gtk-2:1958): Gtk-WARNING **: 19:16:54.286: Unable to locate theme engine in module_path: "adwaita",
(pinentry-gtk-2:1958): Gtk-WARNING **: 19:16:54.294: Unable to locate theme engine in module_path: "adwaita",
tomb [D] get_lukskey
tomb [D] get_lukskey returns 0
tomb . Password OK.
tomb [E] Failure mounting the encrypted file.
The text was updated successfully, but these errors were encountered: