LUKS keyfile not working "No key available with this passphrase."

[matthew02]

Hi everyone!

I have an HP Proliant server that I recently changed from Ubuntu Server LTS to Proxmox. That server has some LUKS encrypted drives that I'm no longer able to unlock. They are 4x2Gb WD Reds that are block-level encrypted and then pooled through Btrfs in a RAID6 configuration. These drives were originally encrypted within that Ubuntu system nearly seven years ago and they have unlocked fine ever since. I've also been able to unlock them from an Arch live USB when I have needed to. That Ubuntu install is now gone, and I can no longer unlock the drives in either Arch or Proxmox. I've always unlocked them non-interactively (usually automatically at boot) using a key file. That key file is the only key ever used for these drives and it occupies the only used key slot. I'm trying to figure out what happened and if there is any solution. At this point, I suspect it may have something to do with differing ciphers, but I'm not knowledgeable enough about those details to work it out on my own. I do have backups, but they are quite inconvenient and I would very much prefer to work this out if possible. Thanks for any help any of you may be able to offer.

Here is some output from my system that may be helpful. As a new user, I'm unable to link the URLs. I'm sorry for the inconvenience.

# blkid
gist.github.com/matthew02/d2db3aeee30d7f813607cf62131528d5

# cryptsetup isLuks -v /dev/sda
Command successful.

# cryptsetup open --type luks --key-file mykeyfile /dev/sda sdavault
No key available with this passphrase.

# cryptsetup open --type luks --verbose --debug --key-file /tmp/key /dev/sda sdavault
gist.github.com/matthew02/8dabfb69d37f95fc29ef5b4d6b5cddbb

# cryptsetup luksDump /dev/sda
gist.github.com/matthew02/cbfb17869dabf6d7f39dae83a34ca36b

# cryptsetup benchmark
gist.github.com/matthew02/77360f1a7013f174b9b5005b90801156

# cat /proc/crypto
gist.github.com/matthew02/abb88475392933f837570d0479e29c71

 

[Stoiko Ivanov]

hmm - I have a few LUKS devices which were encrypted comparatively recently (i.e. 1.5 years ago) and they seem to have the same cipherspecs (aes xts-plain64 and sha1) - and can unlock them without problem with stretch...

However there were a few depracations with luks - so you might want to try an older live-CD (maybe debian wheezy or jessie) - and see if this helps.
* else - the output would suggest that the keyfile does not contain the correct key - make sure it is the proper file (and that it did not get damaged)
* do you have the /etc/crypttab from the old installation?

Hope this helps and fingers crossed!

 

[matthew02]

Thanks Stoiko! I'm going to try an older live image.

I believe the key file is still fine -- the md5sum checks out.

I don't have the old crypttab. I rsynced that Ubuntu install before wiping it, but it's stored on those disks. I didn't expect to have any trouble unlocking them.

Would you mind posting the output of cat /proc/crypto from your system? If yours shows the same ciphers as mine, then it probably means it's not a cipher issue.

 

[matthew02]

Actually, I believe I have confirmed that it's not a problem with missing ciphers. As a last ditch effort, I'm going to truncate the key file one byte at a time and try the resulting key. I doubt anything was appended to the key file, but just in case...

 

[Stoiko Ivanov]

Actually, I believe I have confirmed that it's not a problem with missing ciphers. As a last ditch effort, I'm going to truncate my key file one byte at a time and try the resulting key.

You could also try appending a '\n' to the keyfile - but if it's the same file that worked before it seems strange