OpenMediaVault-Plugin-Developers / openmediavault-luksencryption

LUKS encryption plugin for OpenMediaVault

Failed to delete LUKS2 header (omv5) #28

Open subzero79 opened 5 years ago

subzero79 commented 5 years ago

Again, same as issue #26: LUKS2 dumps the output differently from LUKS1, so this fails to parse the header offset. This makes dd fail, as there is no count value argument.

LUKS1

```
LUKS header information for /dev/vdg

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      fa 51 65 84 10 6b 1d 5b fe 1e 2d 52 58 48 a8 ef 4c 1a ae 33 
MK salt:        92 4f c5 93 9e fe dc ea f9 82 c1 1e dc 5d 54 57 
                6d 0f 72 87 a2 9b cc f4 20 ec 89 5d 96 ee 61 88 
MK iterations:  86231
UUID:           2c0a2db2-f14a-45e0-a0c2-1278581cecfd

Key Slot 0: ENABLED
    Iterations:             1388842
    Salt:                   69 e2 69 b3 41 1d 12 14 e8 68 1c 5e 87 2f 6f 9d 
                            ee 36 7f 32 9f e9 97 7d a4 3d fa 9a a4 aa a0 be 
    Key material offset:    8
    AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
```

LUKS2

```
LUKS header information
Version:        2
Epoch:          4
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           ada57cad-239d-43da-aee8-6d35c0c88c6c
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
    offset: 16777216 [bytes]
    length: (whole device)
    cipher: aes-xts-plain64
    sector: 512 [bytes]

Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    Cipher key: 512 bits
    PBKDF:      argon2i
    Time cost:  4
    Memory:     438162
    Threads:    1
    Salt:       39 9b 6c b4 b6 15 82 31 8a d5 50 db 3d ac aa 2e 
                79 bc 05 f9 12 e3 3d 54 c1 b7 01 98 ee 52 c1 c1 
    AF stripes: 4000
    AF hash:    sha256
    Area offset:32768 [bytes]
    Area length:258048 [bytes]
    Digest ID:  0
  1: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    Cipher key: 512 bits
    PBKDF:      argon2i
    Time cost:  4
    Memory:     392461
    Threads:    1
    Salt:       09 ee 5b 21 c3 d4 9b 64 cb 45 5a 1e f7 64 c9 96 
                b7 65 1d 20 41 e7 4e 41 49 e1 a3 d8 ef c6 a5 cf 
    AF stripes: 4000
    AF hash:    sha256
    Area offset:290816 [bytes]
    Area length:258048 [bytes]
    Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 87849
    Salt:       9f 75 b0 4d ad ce 7f 48 67 eb 63 7a e3 38 cc 65 
                a4 19 fd b0 78 0d 08 4d 0f ca 6c 10 c7 61 44 16 
    Digest:     b4 43 2e 61 9b a5 02 90 9e a8 81 b0 6e 1b 87 01 
                05 56 ab 81 12 8a 66 6d cf 76 b0 0f 65 bb 19 d6
```

```php
        // Destroy the header by overwriting it
        $cmd = sprintf("dd if=/dev/urandom of=%s bs=512 count=%s",
            escapeshellarg($sd->getDeviceFile()),
            escapeshellarg($header_size));
        $process = new Process($cmd);
        $process->setRedirect2to1();
        $process->execute($output, $exitStatus);
```

For now, just depending on the LUKS version, will set the header to 4KB for v1 and 16MB for LUKS2.

This should go in the remove method of the LUKS container instance; it feels like duplicate code, since the version is already gathered in getData().

@ryecoaaron is there a way of calling the getData() function inside remove()?

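```php
        // Extract the version number from the "Version:" line of the dump.
        $version = explode(':',
                           preg_replace('/\s/',
                                        '',
                                        implode('',
                                                preg_grep("/^Version:/",
                                                $this->headerInfo))))[1];
        // $header_size is passed to dd as count= with bs=512, so it is a
        // number of 512-byte blocks, not a number of bytes.
        if ($version == 1) {        // "==": a single "=" assigns and is always true
            $header_size = 4096;    // LUKS1 "Payload offset" from the dump above
        } else if ($version == 2) {
            $header_size = 32768;   // 16777216 bytes (data segment offset) / 512
        }
```

ryecoaaron commented 5 years ago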

@subzero79 Sure, $this->getData() since they are in the same class.

subzero79 commented 5 years ago

Just in case someone steps into the same error

```
Unable to remove encrypted device: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; dd if=/dev/urandom of='/dev/vdh' bs=512 count='' 2>&1' with exit code '1': dd: invalid number: ‘’
Error #0:
OMV\Exception: Unable to remove encrypted device: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; dd if=/dev/urandom of='/dev/vdh' bs=512 count='' 2>&1' with exit code '1': dd: invalid number: ‘’ in /usr/share/openmediavault/engined/rpc/luks.inc:440
Stack trace:
#0 [internal function]: OMVRpcServiceLuksMgmt->deleteContainer(Array, Array)
#1 /usr/share/php/openmediavault/rpc/serviceabstract.inc(123): call_user_func_array(Array, Array)
#2 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('deleteContainer', Array, Array)
#3 /usr/sbin/omv-engined(537): OMV\Rpc\Rpc::call('LuksMgmt', 'deleteContainer', Array, Array, 1)
#4 {main}
```
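
An added example, not part of the issue thread or the plugin's code: one way to derive the dd block count from either dump format and to refuse to build the command when no offset can be parsed, which is the empty `count=''` failure shown above. The function names `luksHeaderSectors` and `buildWipeCommand` are hypothetical, and the code assumes the first LUKS2 data segment offset marks the end of the header area.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: header size in 512-byte sectors, parsed from
// `cryptsetup luksDump` output lines; throws when it cannot be determined.
function luksHeaderSectors(array $dumpLines): int
{
    $version = null;
    $inSegments = false;
    foreach ($dumpLines as $line) {
        if (preg_match('/^Version:\s*(\d+)\s*$/', $line, $m)) {
            $version = (int) $m[1];
        } elseif ($version === 1
            && preg_match('/^Payload offset:\s*(\d+)\s*$/', $line, $m)) {
            // LUKS1 reports the payload offset in 512-byte sectors.
            return (int) $m[1];
        } elseif (preg_match('/^Data segments:/', $line)) {
            $inSegments = true;
        } elseif ($inSegments && preg_match('/^\S/', $line)) {
            $inSegments = false; // next top-level section, e.g. "Keyslots:"
        } elseif ($version === 2 && $inSegments
            && preg_match('/^\s+offset:\s*(\d+) \[bytes\]/', $line, $m)) {
            // LUKS2 reports the data segment offset in bytes.
            return intdiv((int) $m[1], 512);
        }
    }
    throw new RuntimeException('Cannot determine LUKS header size');
}

// Hypothetical helper: builds the dd command only with a positive integer count.
function buildWipeCommand(string $deviceFile, array $dumpLines): string
{
    $sectors = luksHeaderSectors($dumpLines);
    if ($sectors <= 0) {
        throw new RuntimeException('Refusing to run dd with an invalid count');
    }
    return sprintf('dd if=/dev/urandom of=%s bs=512 count=%d',
        escapeshellarg($deviceFile), $sectors);
}

// Constructed samples, trimmed from the two dumps quoted in the issue.
$luks1 = ['Version:        1', 'Payload offset: 4096'];
$luks2 = ['Version:        2', 'Data segments:', '  0: crypt',
          '    offset: 16777216 [bytes]', 'Keyslots:', '  0: luks2'];
echo buildWipeCommand('/dev/vdg', $luks1), PHP_EOL;
echo buildWipeCommand('/dev/vdh', $luks2), PHP_EOL;
```

The "Area offset:" lines inside the keyslot entries are deliberately not matched, since only lines under "Data segments:" are considered.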