Transfer masterkey.gpg to RHEL 6/7 system. JA0ECQMClT4LaE+j9PNg0lYBM0QAV1jOEPVIZuEhOnB2iStT+51BTzMxlg99uu9LįmynvHQZ71M/0JXoEpBmEvJUXS0NB1deTCFfNb7BDGuYQZDKSCunQo/F0o2m1l5x The master key can be extracted, converted to binary, and piped directly to luksAddKey with the following command cryptsetup luksAddKey -master-key-file | awk '' | gpg -aco masterkey.gpg -force-mdc -cipher-algo aes256 The master key is the hex string in the 5th column however, to use it with cryptsetup luksAddkey -master-key-file, it must be converted to binary cryptstor /dev/mapper/luks-ec013cf7-ad72-4dcf-8a1e-0548016a3e2c ext4 rw,relatime,seclabel,data=orderedĮxtract the LUKS master key and use it to add a new keyīe careful with the master key - it allows full access to the device dmsetup table -showkeys dev/mapper/vdc-decrypted on /opt type xfs (rw,relatime,seclabel,attr2,inode64,noquota) If there are multiple LUKS devices on system, use lsblk, findmnt, df, mount, or /etc/fstab to determine the right device If system has only ever had one LUKS device, go to next step The first column is the map filename ( ) without the /dev/mapper/ prefixįind desired open map in above output and make note of its name ( ) This command will only show open maps to LUKS-encrypted devices dmsetup ls -target cryptĮxample: # dmsetup ls -target crypt Instead, the disk itself will need to be closed and moved to a RHEL 6 or RHEL 7 machine. (RHEL 5 caveat: root can extract the master key to a file however, cryptsetup in RHEL 5 doesn't support reading the master key to add a new key. If the system is still up and the device is currently opened (unlocked), root can use the master key to add a new key See: How to add a passphrase, key, or keyfile to an existing LUKS device If so, that other passphrase/keyfile could be used to add a new key If more than one key slot is enabled, perhaps someone else has a valid key. Use the device name from the previous step cryptsetup luksDump /dev/ | grep Key.SlotĮxample: # cryptsetup luksDump /dev/vdb1 | grep Key.Slot Inspect the LUKS header to see how many key-slots are populated
This command will only show LUKS devices blkid -t TYPE=crypto_LUKS -o deviceĮxample: # blkid -t TYPE=crypto_LUKS -o device LUKS allows for up to 8 keys (derived from passphrases or files) per device
(A) Are any other passphrases or keyfiles available?
It is not possible to recover the master key of LUKS2 devices because the key is stored in the kernel directly. This solution only works with LUKS1 devices. How can I recover my data if forgot luks password ?.
0 kommentar(er)
