Can't open cloned encrypted partition on new machine | File Recovery

I originally installed Fedora on my old computer about F24, using an encrypted partition. I’m pretty sure I just used the corresponding F24 usb creator to build the system, and ticked the appropriate spot to encrypt the disk. It has always worked perfectly. However the old computer is now almost dead (run out of spare SSD blocks), so I can’t risk booting it unless absolutely essential. So I dd-ed a copy of the encrypted partition to an external drive. I have now installed Fedora 40 on a new machine, and want to recover information (mainly /home contents, some other files) from the backup drive. There were no errors during dd, and the partition looks OK (from lsblk):


 └─nvme0n1p6                259:6    0   310G  0 part  
   └─luks-798d4cea-a50a-4857-91a7-45f6be5505d1
                            253:0    0   310G  0 crypt /home
                                                       /

The partition appears to have a valid LUKS header, with one key slot, which I assume corresponds to the disk passkey I created on the old system:

sudo cryptsetup luksDump /dev/nvme0n1p6
[sudo] password for rim: 
LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	798d4cea-a50a-4857-91a7-45f6be5505d1
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2id
	Time cost:  4
	Memory:     1048576
	Threads:    4
	Salt:       <omitted>
	AF stripes: 4000
	AF hash:    sha256
	Area offset:32768 [bytes]
	Area length:258048 [bytes]
	Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: 262144
	Salt:       <omitted>
	Digest:   <omitted>

However I am unable to decrypt the drive:

sudo cryptsetup luksOpen /dev/nvme0n1p6 oldlin
Enter passphrase for /dev/nvme0n1p6: 
No key available with this passphrase.

There is no way I am mistyping the passphrase (I’ve used it thousands of times), so it looks like I have a complete misunderstanding of how this is supposed to function. Any suggestions? Please???


It does look like a good header, and the password you had is the one that is in that keyslot so you are right on that as well.

You would be reading from the device to recover files from it. Opening the luks container for you to clone the partition inside should not affect the drive at all. If you want to be extra safe, you could mount it as read-only and then clone the partition inside the container.

Although it sounds like you did all of this right so far. . .

It’s possible. . .

Thanks Hammerhead, I must admit my biggest concern was whether Fedora did some additional salting (hidden from LUKS) in the encrypted disk creation/login process. If that’s not the case, it’s really hard to figure out what could be going wrong. I’m quite certain I’m putting in the right password (i.e. the one I always used when booting the system), but just to make absolutely certain, I tried typing the password in a shell, then copy-pasting it to the LUKS passphrase input menu. So I could carefully check what I had typed. Same result!
I guess I’m now at the stage where, if it’s not a conceptual problem in my understanding of LUKS, I have to consider the extremely unlikely, like the possibility that there might have been an undetected disk read error when the block containing the encrypted password was copied.

Thanks for the advice about opening the flaky disk read-only, I didn’t think of that. Very nervous about it, I got the ‘5% left’ notification from gnome one day, next day it was 4%, then 3%, so I haven’t dared boot from that disk since.

Sorry Hammerhead, re-reading your comment led me to realise I had misinterpreted. So I think you’re suggesting booting the old machine from a liveusb, mounting the internal drive partition read-only, opening it with LUKS, then dd-ing the contents, right? Makes sense, I’ll try it. At least it means that the decryption is being done on the old machine, even if it’s not the old OS.


Keep us posted.

Cloning an encrypted device is hard, it’s really a bit for bit thing.

:100:

Exactly!


Note:

We didn’t mention how you went about cloning the device. What dd flags were used:

dd if=/dev/sda of=/dev/sdb bs=64K conv=noerror,sync

This is something I used a long time ago, but it worked. It did take a long time to copy, but it did work.
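
Added example (not from any poster in the thread): a shell check for the "undetected disk read error" possibility raised above, comparing the LUKS2 header regions of the original partition and its clone by SHA-256. The region offsets are taken from the luksDump output in the first post; the function names and the constructed demo images are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: compare LUKS2 header regions of an original and its dd clone.
# Offsets are from the luksDump output in the thread (metadata area 16384,
# keyslot 0 area at 32768 + 258048, data segment at 16777216). The secondary
# header position follows the LUKS2 layout (directly after the primary one).
# Function names and demo images are constructed for this example.

REGIONS="primary_header:0:16384
secondary_header:16384:16384
keyslot0_area:32768:258048
full_header:0:16777216"

# region_hash FILE OFFSET LENGTH: SHA-256 of LENGTH bytes starting at OFFSET.
region_hash() {
    tail -c +"$(( $2 + 1 ))" "$1" | head -c "$3" | sha256sum | cut -d' ' -f1
}

# compare_luks2_header SRC CLONE: print OK/DIFF per region; return 1 on any DIFF.
compare_luks2_header() {
    local src=$1 clone=$2 rc=0 name off len
    while IFS=: read -r name off len; do
        if [ "$(region_hash "$src" "$off" "$len")" = \
             "$(region_hash "$clone" "$off" "$len")" ]; then
            echo "OK    $name"
        else
            echo "DIFF  $name"
            rc=1
        fi
    done <<EOF
$REGIONS
EOF
    return "$rc"
}

# make_demo_images DIR: constructed sample input. Two 17 MiB random images,
# the clone with one 512-byte sector zeroed inside the keyslot 0 area.
make_demo_images() {
    head -c $((17 * 1024 * 1024)) /dev/urandom > "$1/orig.img"
    cp "$1/orig.img" "$1/clone.img"
    dd if=/dev/zero of="$1/clone.img" bs=512 seek=100 count=1 conv=notrunc 2>/dev/null
}

# Usage: script.sh /dev/ORIGINAL /dev/CLONE (both are only read, never written).
if [ "$#" -eq 2 ]; then
    compare_luks2_header "$1" "$2"
fi
```

A DIFF in keyslot0_area means the clone's key material is not what the original holds, which is enough for cryptsetup to reject a correct passphrase.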