
Thread: 12.10 full disk encryption - access to passphrase files if drive is changed to aux us

  1. #1
    Join Date
    Feb 2010
    Beans
    6

    12.10 full disk encryption - access to passphrase files if drive is changed to aux us

    I have completed an install of Ubuntu 12.10 and used the full disk encryption option.

    I normally take my old installation disk and mount it in a USB enclosure and then copy mail
    folders and other desired files to the new system disk.

    I wanted to see if this would still work when I have to retrieve folders off of the 12.10
    c/w full disk encryption option, so did a 2nd 12.10 install c/w full disk encryption and then tried
    to access the Home folder of the first install when the disk was mounted as an aux in a USB case.
    The aux drive shows up in the side bar as two volumes.... one locked and one not locked.

    The unlocked Volume has the Grub folder and other misc boot files. When the locked volume is accessed,
    I am asked for a passphrase as shown in the screenshot.
    As shown in the 2nd screen shot the resulting message states Unable to mount 1000 GB Encrypted
    The unlocked device does not have a recognizable file system on it.
    The passphrase is accepted as correct but does not provide access.

    Am I expecting too much to access the Home files in this manner or just missing a step?

  2. #2
    Join Date
    Feb 2010
    Location
    U.K.
    Beans
    782
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: 12.10 full disk encryption - access to passphrase files if drive is changed to au

    The full disk encryption uses LUKS. I have an external drive that is LUKS encrypted and below is how I go about accessing it; I'd imagine the same would work for an additional internal disk. I use this on a server install, so excuse the all command line approach.

    You will need to know the device name and partition number of the encrypted partition, e.g. /dev/sdb2 etc., for the drive. Substitute your device name as required in the below.

    Think of a suitable name for the mountpoint for your disk, in this example I use "securetoshiba".

    Where you see "georges2051" in the below, substitute your actual username on the machine you are on.

    1. Create and take ownership of the mount point:
    Code:
    sudo mkdir /media/securetoshiba
    sudo chown -R georges2051:georges2051 /media/securetoshiba
    2. Add an fstab entry for the device:
    Code:
    sudo nano /etc/fstab
    .... add these lines to the end then save and exit the editor:
    Code:
    # LUKS ext4 on toshiba usb drive
    /dev/mapper/securetoshiba     /media/securetoshiba        ext4    defaults,noauto 0 1
    If your encrypted drive is in a different format than ext4 then amend the above line accordingly.

    3. Create a couple of simple scripts for mounting and unmounting using whatever editor you like:

    mounttosh.sh
    Code:
    #!/bin/sh
    ## mount securetoshiba
    echo "Opening LUKS mapping"
    sudo cryptsetup luksOpen /dev/sdb1 securetoshiba
    echo "Mounting to /media/securetoshiba"
    sudo mount /media/securetoshiba
    umounttosh.sh
    Code:
    #!/bin/sh
    ## unmount securetoshiba
    echo "Unmounting /media/securetoshiba"
    sudo umount /media/securetoshiba
    echo "Closing LUKS mapping"
    sudo cryptsetup luksClose securetoshiba
    Set the properties of the two script files to be executable either using your GUI file explorer or using the chmod +x command.

    Then just run the mount script - you will first be prompted for your sudo password and then for the LUKS encryption passphrase. If successful your unencrypted files should now be accessible via /media/securetoshiba

    Just run the umount.sh script when you have finished with the encrypted drive.

    I don't claim that the above is a particularly slick way of achieving this, but it works for me.

  3. #3
    Join Date
    Feb 2010
    Beans
    6

    Re: 12.10 full disk encryption - access to passphrase files if drive is changed to au

    Thank you for the reply and advice.

    I managed to follow and adjust entries as you suggest and am just about there.
    In step 3 -- mounting, I was asked for the "passphrase" and it was accepted.

    Once the passphrase was accepted, the external USB sdb5 encrypted partition changed from locked to unlocked, as
    viewed in the Ubuntu Disk Utility. It did also show as a folder in Media as "secureoldinstall" (I used that label in
    place of your "securetoshiba").

    However the 2nd command of Step 3 failed, as indicated in the following that I have copied from
    the Terminal Dialog:



    blue@blue-64:~$ sudo cryptsetup luksOpen /dev/sdb5 secureoldinstall
    Enter passphrase for /dev/sdb5:
    blue@blue-64:~$ sudo mount /media/secureoldinstall
    mount: wrong fs type, bad option, bad superblock on /dev/mapper/secureoldinstall,
    missing codepage or helper program, or other error
    In some cases useful info is found in syslog - try
    dmesg | tail or so

    blue@blue-64:~$


    I did change the fstab entry to ext2 as indicated in the Disk Utility for the device.


    Also I manually entered the Step 3 Mount Commands as I was getting hung up
    with the scripting.

    I have played around with both installs as the slave and seem to have hit a wall here.

  4. #4
    Join Date
    Feb 2010
    Location
    U.K.
    Beans
    782
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: 12.10 full disk encryption - access to passphrase files if drive is changed to au

    Try experimenting by using ext3 and ext4 in the fstab entry - worth a shot.

    Also have a look at the device's SMART data in Disk Utility to see if there is a significant amount of bad blocks or other errors. This is one disadvantage of full disk encryption - just a few errors in the wrong place and the entire volume can become inaccessible.

    When you say you did a second 12.10 install - was that to another partition on the same drive or to a separate drive?

    Also as suggested by the error message you get - after you try the mount command that fails what output does this command give:
    Code:
    dmesg | tail
    Last edited by cryptotheslow; October 30th, 2012 at 02:55 PM.

  5. #5
    Join Date
    Feb 2010
    Beans
    6

    Re: 12.10 full disk encryption - access to passphrase files if drive is changed to au

    Tried Ext2, 3 & 4, same result.

    Each 12.10 installation is on a separate hard drive.

    Tried to access the non-booted drive both as usb and as internal.

    Drive Assessment shows one drive as good - no bad sectors,
    and the other as good - 100 bad sectors.

    It doesn't matter which drive I boot from, the other's encrypted partition files are not
    accessible. The passphrase is asked for and accepted but it appears
    it does not see the file type properly. The non encrypted partition is viewable
    as soon as the secondary drive is available.

    I have copied the terminal dialog showing the passphrase is accepted and then
    fstab changed from ext2 , ext3 and ext4 and the results from the dmesg | tail
    for each.


    oct2012@oct2012-dell:~$ sudo mkdir /media/secureoldinstall
    [sudo] password for oct2012:

    oct2012@oct2012-dell:~$ sudo chown -R oct2012:ct2012 /media/secureoldinstall

    oct2012@oct2012-dell:~$ sudo nano /etc/fstab

    oct2012@oct2012-dell:~$ sudo cryptsetup luksOpen /dev/sdg5 secureoldinstall
    Enter passphrase for /dev/sdg5:

    oct2012@oct2012-dell:~$ dmesg | tail
    [ 49.530246] usb-storage 1-2:1.0: >Quirks match for vid 152d pid 2329: 8020
    [ 49.530316] scsi8 : usb-storage 1-2:1.0
    [ 57.589761] scsi 8:0:0:0: >Direct-Access ST310005 28AS PQ: 0 ANSI: 2 CCS
    [ 57.595163] sd 8:0:0:0: >Attached scsi generic sg7 type 0
    [ 57.595498] sd 8:0:0:0: >[sdg] 1953525168 512-byte logical blocks: (1.00 TB/931 GiB)
    [ 57.597468] sd 8:0:0:0: >[sdg] Write Protect is off
    [ 57.597476] sd 8:0:0:0: >[sdg] Mode Sense: 34 00 00 00
    [ 57.598496] sd 8:0:0:0: >[sdg] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
    [ 57.628503] sdg: sdg1 sdg2 < sdg5 >
    [ 57.631241] sd 8:0:0:0: >[sdg] Attached SCSI disk

    oct2012@oct2012-dell:~$ sudo mount /media/secureoldinstall
    mount: wrong fs type, bad option, bad superblock on /dev/mapper/secureoldinstall,
    missing codepage or helper program, or other error
    In some cases useful info is found in syslog - try
    dmesg | tail or so

    oct2012@oct2012-dell:~$ dmesg | tail
    [ 49.530316] scsi8 : usb-storage 1-2:1.0
    [ 57.589761] scsi 8:0:0:0: >Direct-Access ST310005 28AS PQ: 0 ANSI: 2 CCS
    [ 57.595163] sd 8:0:0:0: >Attached scsi generic sg7 type 0
    [ 57.595498] sd 8:0:0:0: >[sdg] 1953525168 512-byte logical blocks: (1.00 TB/931 GiB)
    [ 57.597468] sd 8:0:0:0: >[sdg] Write Protect is off
    [ 57.597476] sd 8:0:0:0: >[sdg] Mode Sense: 34 00 00 00
    [ 57.598496] sd 8:0:0:0: >[sdg] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
    [ 57.628503] sdg: sdg1 sdg2 < sdg5 >
    [ 57.631241] sd 8:0:0:0: >[sdg] Attached SCSI disk
    [ 626.143477] EXT2-fs (dm-0): error: can't find an ext2 filesystem on dev dm-0.


    oct2012@oct2012-dell:~$ sudo nano /etc/fstab
    oct2012@oct2012-dell:~$ sudo mount /media/secureoldinstall
    mount: wrong fs type, bad option, bad superblock on /dev/mapper/secureoldinstall,
    missing codepage or helper program, or other error
    In some cases useful info is found in syslog - try
    dmesg | tail or so
    oct2012@oct2012-dell:~$ dmesg | tail
    [ 57.589761] scsi 8:0:0:0: >Direct-Access ST310005 28AS PQ: 0 ANSI: 2 CCS
    [ 57.595163] sd 8:0:0:0: >Attached scsi generic sg7 type 0
    [ 57.595498] sd 8:0:0:0: >[sdg] 1953525168 512-byte logical blocks: (1.00 TB/931 GiB)
    [ 57.597468] sd 8:0:0:0: >[sdg] Write Protect is off
    [ 57.597476] sd 8:0:0:0: >[sdg] Mode Sense: 34 00 00 00
    [ 57.598496] sd 8:0:0:0: >[sdg] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
    [ 57.628503] sdg: sdg1 sdg2 < sdg5 >
    [ 57.631241] sd 8:0:0:0: >[sdg] Attached SCSI disk
    [ 626.143477] EXT2-fs (dm-0): error: can't find an ext2 filesystem on dev dm-0.
    [ 685.295529] EXT3-fs (dm-0): error: can't find ext3 filesystem on dev dm-0.


    oct2012@oct2012-dell:~$ sudo nano /etc/fstab
    oct2012@oct2012-dell:~$ sudo mount /media/secureoldinstall
    mount: wrong fs type, bad option, bad superblock on /dev/mapper/secureoldinstall,
    missing codepage or helper program, or other error
    In some cases useful info is found in syslog - try
    dmesg | tail or so
    oct2012@oct2012-dell:~$ dmesg | tail
    [ 57.595163] sd 8:0:0:0: >Attached scsi generic sg7 type 0
    [ 57.595498] sd 8:0:0:0: >[sdg] 1953525168 512-byte logical blocks: (1.00 TB/931 GiB)
    [ 57.597468] sd 8:0:0:0: >[sdg] Write Protect is off
    [ 57.597476] sd 8:0:0:0: >[sdg] Mode Sense: 34 00 00 00
    [ 57.598496] sd 8:0:0:0: >[sdg] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
    [ 57.628503] sdg: sdg1 sdg2 < sdg5 >
    [ 57.631241] sd 8:0:0:0: >[sdg] Attached SCSI disk
    [ 626.143477] EXT2-fs (dm-0): error: can't find an ext2 filesystem on dev dm-0.
    [ 685.295529] EXT3-fs (dm-0): error: can't find ext3 filesystem on dev dm-0.
    [ 721.514696] EXT4-fs (dm-0): VFS: Can't find ext4 filesystem
    oct2012@oct2012-dell:~$

  6. #6
    Join Date
    Feb 2010
    Location
    U.K.
    Beans
    782
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: 12.10 full disk encryption - access to passphrase files if drive is changed to au

    OK - let me get this straight in my head.

    You have two separate 12.10 installs on two separate drives, both using the full disk encryption option.

    Either drive will boot and function correctly when used as the boot device right? If so we know the encrypted partition(s) are not irrevocably damaged.

    Boot up using the first 12.10 install drive and let us know what output you get from these commands:
    Code:
    sudo fdisk -l /dev/sdg
    Code:
    mount -l
    Code:
    cat /etc/fstab
    That will confirm what filesystem the encrypted partition is using.

    Is there anything particular about the sata connection (presuming these are sata drives) you use when using a drive as the boot device? e.g. does your motherboard have onboard raid or soft-raid capability?

  7. #7
    Join Date
    Feb 2010
    Beans
    6

    Re: 12.10 full disk encryption - access to passphrase files if drive is changed to au

    Yes, correct about the two separate sata hard drives, both with full encryption.
    I did try doing a non-encrypted install on a drive, but when booted to that,
    still gave same result when attempting to see the encrypted partition of the other drive.

    Both drives are back to being fully encrypted. Both drives function correctly
    when used as the boot device.

    Motherboard has option of IDE or RAID or AHCI. I have it set for AHCI.

    Following are results from requested commands:

    oct2012pc@oct2012:~$ sudo fdisk -l /dev/sdg
    [sudo] password for oct2012pc:

    Disk /dev/sdg: 1000.2 GB, 1000204886016 bytes
    255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x000a1630

       Device Boot      Start         End      Blocks   Id  System
    /dev/sdg1   *        2048      499711      248832   82  Linux swap / Solaris
    /dev/sdg2          501758  1953523711   976510977    5  Extended
    /dev/sdg5          501760  1953523711   976510976   82  Linux swap / Solaris


    oct2012pc@oct2012:~$ mount -l
    /dev/mapper/ubuntu-root on / type ext4 (rw,errors=remount-ro)
    proc on /proc type proc (rw,noexec,nosuid,nodev)
    sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
    none on /sys/fs/fuse/connections type fusectl (rw)
    none on /sys/kernel/debug type debugfs (rw)
    none on /sys/kernel/security type securityfs (rw)
    udev on /dev type devtmpfs (rw,mode=0755)
    devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
    tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
    none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
    none on /run/shm type tmpfs (rw,nosuid,nodev)
    none on /run/user type tmpfs (rw,noexec,nosuid,nodev,size=104857600,mode=0755)
    /dev/sda1 on /boot type ext2 (rw)
    gvfsd-fuse on /run/user/oct2012pc/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,user=oct2012pc)
    /dev/sdg1 on /media/oct2012pc/a85da9cc-8a76-4759-bff8-0a1167eed36a type ext2 (rw,nosuid,nodev,uhelper=udisks2)


    oct2012pc@oct2012:~$ cat /etc/fstab
    # /etc/fstab: static file system information.
    #
    # Use 'blkid' to print the universally unique identifier for a
    # device; this may be used with UUID= as a more robust way to name devices
    # that works even if disks are added and removed. See fstab(5).
    #
    # <file system> <mount point> <type> <options> <dump> <pass>
    /dev/mapper/ubuntu-root / ext4 errors=remount-ro 0 1
    # /boot was on /dev/sda1 during installation
    UUID=1b337eef-19a5-46e1-97a3-8271301952e7 /boot ext2 defaults 0 2
    /dev/mapper/ubuntu-swap_1 none swap sw 0 0
    # LUKS ext2 on external old install usb drive
    /dev/mapper/secureoldinstall /media/secureoldinstall ext2 defaults,noauto 0 1
    oct2012pc@oct2012:~$
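
Added example, not part of any post in the thread: the running install's root is `/dev/mapper/ubuntu-root`, an LVM logical volume, which suggests (an inference, not confirmed in the thread) that the opened LUKS mapping on the other disk holds an LVM physical volume rather than an ext filesystem. The script below checks the on-disk signature of a device or image so the next tool can be chosen before editing fstab; the function names and the `probe.sh` file name are hypothetical, and `make_sample` only builds constructed test images.

```shell
#!/bin/sh
# Added example: identify what sits at the start of a block device (or image
# file) from its on-disk signature, so the right tool is used on it.

# read_hex FILE OFFSET COUNT -> COUNT bytes at OFFSET as lowercase hex
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# classify FILE -> luks | lvm2_pv | ext | unknown
classify() {
    # LUKS header magic "LUKS" 0xBA 0xBE at offset 0
    if [ "$(read_hex "$1" 0 6)" = "4c554b53babe" ]; then echo luks; return; fi
    # LVM2 physical volume label "LABELONE" in one of the first four sectors
    for sector in 0 1 2 3; do
        if [ "$(read_hex "$1" $((sector * 512)) 8)" = "4c4142454c4f4e45" ]; then
            echo lvm2_pv; return
        fi
    done
    # ext2/3/4 superblock magic 0xEF53, little-endian, at 1024 + 56
    if [ "$(read_hex "$1" 1080 2)" = "53ef" ]; then echo ext; return; fi
    echo unknown
}

# advise KIND -> the next command to run for that kind of content
advise() {
    case $1 in
        luks)    echo "cryptsetup luksOpen DEVICE NAME" ;;
        lvm2_pv) echo "vgscan && vgchange -ay, then mount a logical volume" ;;
        ext)     echo "mount DEVICE MOUNTPOINT" ;;
        *)       echo "inspect further with blkid or file -s" ;;
    esac
}

# make_sample KIND FILE: constructed 2 KiB test image carrying one signature
make_sample() {
    dd if=/dev/zero of="$2" bs=512 count=4 2>/dev/null
    case $1 in
        luks)    printf 'LUKS\272\276' | dd of="$2" bs=1 conv=notrunc 2>/dev/null ;;
        lvm2_pv) printf 'LABELONE' | dd of="$2" bs=1 seek=512 conv=notrunc 2>/dev/null ;;
        ext)     printf 'S\357' | dd of="$2" bs=1 seek=1080 conv=notrunc 2>/dev/null ;;
    esac
}

# Usage: sudo sh probe.sh /dev/mapper/secureoldinstall
if [ "$#" -gt 0 ]; then
    kind=$(classify "$1")
    echo "$1: $kind -> $(advise "$kind")"
fi
```

If the old disk's volume group carries the same name as the running system's (likely when both were installed the same way, but an assumption here), `vgrename` accepts the old group's VG UUID in place of its name, so it can be given a distinct name before activation.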
