dual boot – Recovering data from a LUKS partition

I’m pretty new to Linux and Ubuntu I don’t know a lot of things maybe some of the basic things but I was wondering if anyone could help or help explain how I could recover data from a LUKS encrypted partition that was deleted it’s on a 2tb hard drive which is cut into multiple partition and the one I’m trying to recover is 467gb in size

First thing I heard people do is clone the drive to help prevent anything bad happening what would be the best tool to use to do that I thought of Clonezilla is that a good option

Second thing is that I stopped using the hard drive immediately after I accidentally deleted it the LUKS partition

Third thing is how should I approach recovering data from this deleted partition

(Sorry if I left anything out I’m on mobile and I don’t know what exactly to put to help you help me)

Any help will be appreciated any at all

encryption – Linux LUKS encrypted root: fstrim always trims all empty space

I have a Manjaro system with a LUKS encrypted root filesystem on an NVME SSD. It is set up to decrypt / on boot via the kernel.

$ cat /proc/cmdline
initrd=amd-ucode.img initrd=initramfs-5.11-x86_64.img root=UUID=</dev/mapper/cryptroot UUID> rw cryptdevice=UUID=<SSD partition UUID>:cryptroot:allow-discards

$ cat /etc/fstab
# /dev/mapper/cryptroot
UUID=</dev/mapper/cryptroot UUID>       /               xfs             rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota        0 0

# /dev/nvme0n1p1
UUID=</boot UUID>          /boot           vfat            rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro   0 0

This all works, but recently I realised trim wasn’t enabled. I added :allow-discards to the kernel command line as you can see above. Now when I run fstrim -v /, every time it trims all of the free space even when there hasn’t been much filesystem activity:

$ sudo fstrim -v /
/: 540.8 GiB (580689911808 bytes) trimmed
$ sudo fstrim -v /
/: 540.8 GiB (580660371456 bytes) trimmed

Is this expected behaviour? My other SSDs (unencrypted) typically trim much less on an fstrim. dmsetup table shows the allow_discards option so trim should be enabled.

luks – Is the fastest open determined by preceeding key slots?

After installing LUKS (v1) devices with openSUSE LEap 15.2, it turned out that the iteration count was set so high that it takes more than 10 seconds for a successful decryption of the master key (bug reports exist on that).

So I added a second key slot using a much smaller iteration count.

However I wonder:
AFAIK after entering a pass phrase, luksOpen will try to decrypt the key slots in sequence, not in parallel, meaning that the first key slot determines the minimum waiting time until decryption succeeds.
Is that correct?

Note: When booting, I cannot specify parameters to select a specific key slot.
So the most likely solution would be swapping key slots, right?

luks – SecureBoot: PCR to use or not

I’m working on the hardening of a Debian Bullseye box.

At the moment, every works perfectly: SecureBoot enabled, “Admin” password for BIOS set, every partitions except EFI one are ciphered with Luks, i flashed my own keys and restrict boot option to my signed efi image holding kernel/initrd/cmdline and SecureBoot enabled.

Regarding the disk unlock, i implemented the following way:

The goal of the “relaxed” handle only sealed with PCR #0 is to ease update process:

  1. I store again my passphrase in handle 0x8100000 sealed only with PCR #0
  2. I generate and sign a new EFI app with my new kernel and initramfs
  3. I boot on updated image (PCR 1 to 7 may be broken because of changes)
  4. I revoke handle 0x81002000
  5. I store again my passphrase in handle 0x81002000 with updated PCR #0,1,2,3,4,5,6,7
  6. I revoke handle 0x81000000
  • Is the described implementation correct regarding the security looked up ?
  • Could i use more PCR than only #0 for my “relaxed”, update only key handle ? At that point, i only want to ensure that the booted package is signed with my key.
  • Regarding regular mode of operation, are PCR 0,1,2,3,4,5,6,7 are stable enought ? I don’t want one of them to randomly change value and broke my boot process…

bonus: any comprehensive mapping between PCR and stuff in the “real” world (kernel, keys, initramfs, boot process interruption, etc..) is welcomed !

TPM1.2, CentOS7 and LUKS – Decrypting `root` at Boot Without Passphrase

I want to configure a CentOS 7 system to automatically decrypt a LUKS encrypted root partition at boot, without prompting for a passphrase. This server is equipped with a TPM 1.2 chip, which I can store my key in.

The partition that contains my root logical volume is encrypted with LUKS:

# lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                             8:0    0 278.5G  0 disk
├─sda1                                          8:1    0     1G  0 part  /boot
└─sda2                                          8:2    0 277.5G  0 part
  └─luks-efd72338-f1b6-4a50-b826-d704642c293f 253:0    0 277.5G  0 crypt
    ├─vg_sda-lv_root                          253:1    0 273.5G  0 lvm   /
    └─vg_sda-lv_swap                          253:2    0     4G  0 lvm   (SWAP)
sr0                                            11:0    1  1024M  0 rom

The TPM chip is enabled and activated. The following packages are installed:

The tcsd service is running and enabled:

# systemctl status tcsd
● tcsd.service - TCG Core Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/tcsd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-03-17 16:42:35 UTC; 11min ago
 Main PID: 895 (tcsd)
   CGroup: /system.slice/tcsd.service
           └─895 /sbin/tcsd

The tpm_tis kernel driver was loaded:

# dmesg | grep tpm
(    0.430468) tpm_tis 00:05: 1.2 TPM (device-id 0xFE, rev-id 71)

The tpm_version command outputs the details of my module:

# tpm_version
  TPM 1.2 Version Info:
  Chip Version:        1.2.3.69
  Spec Level:          2
  Errata Revision:     3
  TPM Vendor ID:       WEC
  TPM Version:         01010000
  Manufacturer Info:   57454300

OK, so next step is figuring out how to store my key into the TPM 1.2 NVRAM and have logic added to my initramfs to can extract the key and decrypt the root partition. This is where I’m totally lost.

I found a project titled tpm-luks that sounded fairly promising, but not having much luck thus far. After compiling and installing, I ran through the directions to “add a new LUKS key to a key slot and the TPM”:

# tpm-luks -c -d /dev/sda2 -y
Enter a new TPM NV area password:
Re-enter the new TPM NV area password:
Successfully wrote 32 bytes at offset 0 to NVRAM index 0x4 (4).
You will now be prompted to enter any valid LUKS passphrase in order to store
the new TPM NVRAM secret in LUKS key slot 2:

Enter any existing passphrase:
Using NV index 4 for device /dev/sda2

The next step is using dracut to updated the initramfs, which doesn’t finish without some warning messages. I am honestly not sure how troublesome these warnings are.

# dracut /boot/initramfs-$(uname -r)-tpm-luks.img
/usr/lib/dracut/modules.d/90crypt-tpm/module-setup.sh: line 24: /var/tmp/dracut.nPJ0Jv/initramfs/etc/cmdline.d/90crypt.conf: No such file or directory
Failed to install module tpm_bios

Broadcast message from systemd-journald@mysystem (Wed 2021-03-17 18:05:06 UTC):

dracut(28567): Failed to install module tpm_bios


Message from syslogd@mysystem at Mar 17 18:05:06 ...
 dracut:Failed to install module tpm_bios

The next step is installing TrustedGRUB in order to seal the NVRAM to a PCR. I’m not sure if this is optional or not? I would like to use GRUB2 if possible. Either way, if it is not required, I’d like to see if this process works before worrying about sealing.

I then update the GRUB2 menu to boot the new initramfs.

If I reboot my system at this point, it now prompts for a “TPM NVRAM Password (/dev/sda2)” early on in boot. After entering It then continues to load CentOS without prompting for a LUKS passphrase. I think this is one step closer in the right direction, I just don’t know how to have it not prompt for the NVRAM password.

I’m wondering if anyone has any experience with this who can assist me with figuring this out. If there is an alternative way to do this (without tpm-luks) I would be willing to try that out as well.

encryption – Ubuntu 20.10 – move LUKS header to external device

I recently installed Ubuntu 20.10 to test the ZFS file system together with encryption. I discovered the system not only use the native ZFS encryption, but also encrypts the ZFS keys with LUKS (please correct me if I’m wrong).

What I’m trying to achieve is to decrypt the LUKS container with a key file and password at boot. If both are not present, it should not be possible to decrypt the container. Also I would like to keep the key file on external device. While LUKS currently doesn’t provide such a functionality, I found that moving the LUKS header to an external device is the closest solution to my problem. However, after 2 days of fighting, I still can’t figure out what’s wrong.

I was following the steps from this answer.

Steps I took after fresh Ubuntu 20.10 installation:

  1. Copying the existing LUKS header into USB drive

sudo cryptsetup luksHeaderBackup /dev/zd0 --header-backup-file=/dev/sdb

  1. Removing existing LUKS header from /dev/zd0

sudo cryptsetup erase /dev/zd0

  1. Adding the following entry to /etc/crypttab

keystore-rpool /dev/zd0 none luks,header=/dev/sdb

  1. Applying changes

sudo update-initramfs -u -k all

After all this, typing the right password for keystore-rpool at boot always fails to decrypt the volume. By typing few times the password I’m redirected to initramfs where I can mount manually the volume with commands

sudo cryptsetup open /dev/zd0 keystore-rpool –header=/dev/sdb
sudo mount /dev/mapper/keystore-rpool <somemountpoint>

I assume something may be wrong with the entry in /etc/crypttab, but I don’t know how to check it. Also I was grepping the whole system to find out the place, where system is opening the LUKS volume and mapping to /dev/mapper/keystore-rpool, to see exactly how the command looks, but couldn’t find anything. Where is it happening? Any hints how to solve this problem would be useful.

Is disk encryption (e. g. LUKS) reversed when having an encrypted disk image inside an encrypted partition with the same encryption password?

Let’s assume one has created an encrypted partition, e. g. with the LUKS standard. Then one creates a (virtual) disk image, e. g. for use by a virtual machine, containing an encrypted partition created by the same method and using the same encryption password. The disk image is stored inside the outer encrypted partition. I assume that a symmetric encryption is used.

Is it possible that the parts of the real disk which are occupied by the encrypted partion of the inside disk image are visible in plain text (or something close to that) as if no encryption was used (due to applying the same symmetric encryption method twice)?
If yes, in which particular configuration?

how to hide LUKS password prompt on boot? or how to hide “please unlock disk sdX_crypt” in text mode?

i have read all the internet – not found.
how to hide password prompt for boot LUKS encrypted (during installation) ubuntu (20.04 LTS)?

i have a multi-level security setup, and one part of that is just making bootloader my notebook to looks like dead, when turning on (empty black screen or something like BSOD). in windows veracrypt/truecrypt makes that perfectly. but i want migrate to ubuntu for more security possibilities (rest of parts of my setup).

i’m trying and testing now a lot of ways on VM, so even from A to Z method would be good.

not work or i can’t do that:

  1. installing grub on external device (wrong way)
  2. plymouth commands-options (i see effect= disabling single elements of password prompt screen)
  3. plymouth-manager i can’t install
  4. grub-customizer, similar to:
  5. manually grub files editing (removing “splash” from “quiet splash” – changing password prompt from GUI to CLI – the same effect takes:
  6. sudo rm plymouth

actions 4, 5 and 6 was almost good, but i want only to remove text “please unlock disk sdaX_crypt”