Archive for noviembre 2013

Rescatux Development: Detecting LUKS encrypted partitions

noviembre 30, 2013

I have been chatting in the rescatux irc channel with someone trying to recover its Grub. The special thing about his setup is that its root partition was a LUKS encrypted partition. I think he finally managed to recover his grub but we needed to fix a hard disk parse problem (to be fixed in Rescatux 0.31b5) and he needed to perform some commands in the command line interface.

These are some of the things you need in order to be able to access the LUKS encrypted partition as a non-encrypted partition. After these steps Rescapp script detects it ok and can do useful things with it like recovering Grub.

First of all we need cryptsetup package (Already added for inclusion in Rescatux 0.31b5).

Then I need to detect all the possible encrypted partitions. I have not managed to solve that one but I suppose that there would some cryptsomething command to so.

Then you need to lucksOpen it so that it can be seen unencrypted.

That’s made with something like:

cryptsetup luksOpen /dev/sda5 sda5_crypt

If you want to ask the passphrase to the user without using a CLI you can use zenity such as in:

zenity --entry --hide-text --text="Enter your passphrase:" \
| cryptsetup luksOpen /dev/sda5 sda5_crypt

Optionally if the partition is a VG member you need to activate it with:

vgchange -ay

And that’s it. You have probably:


ready to be used so that Rescapp uses it.

I have some questions:

  • If the Rescatux live cd has cryptsetup package installed by default would it try to luksopen it and ask the final user the passphrase at boot time?
  • How to detect which partitions are encrypted

It seems you can use:

cryptsetup luksDump /dev/sda5

and exit value gives you a clue if it’s a luks part or not.

  • Should I ask the user to decypher their partition when Rescapp starts or when a Gnu/Linux based option is used?

This encryption support will probably be implemented in Rescatux 0.32 or 0.33. In the meantime you can help me by answering these questions. 馃檪


Update. Final thoughts about talking again with Anonymous semicolon: When Rescapp starts we loop in every partition doing a luksDump. If someone of them has a luks partition then luksDump is going to exit 0. If one of them is luks then ask the user if he wants to uncypher on the fly their LUKS partitions so that Rescapp can use it.

So let’s suppose that the user answer Yes. If the user click on Cancel he is saying that he skips partition uncyphering on that specific partition. If it puts the password and command exits wrong … ask again for password … till all the partition are uncyphered. Then we run vgchange -ay just in case someone has LVM partitions on it (Check later if this is a good idea if we have LVM rescue tasks).

Finally we can add a button in a new Advanced menu (or something similar) in order to 芦Uncypher LUKS partitions on the fly禄 if the user decided to decypher them later.

The problem is if the user tries to decypher partitions twice. That might pose a problem so… maybe we should check for the uncyphered device first or maybe it’s not worth coding that corner use case code.

Anuncio publicitario