Is it possible to determine which luks slot has been used to unlock an encrypted partition?
I'm in a (bad) situation where I have multiple correct passwords and used luks slots, but I can't tell which password belongs to which slot.
Decryption (during startup thanks to crypttab) works well, but I can't tell which slot has been used. In order to rationalize this situation, is there a way to determine which luks slot has been used?
From this question I've read:
If you've forgotten one of the passphrases then you can only find which slot it's in by elimination, and if you've forgotten two of the passphrases then there's no way to tell which is which (otherwise the passphrase hash would be broken).
... so I'm a bit afraid of testing each slot for each password, even if I haven't found any reference of broken passphrase hashes in the man page.
Nota: luckily the first luks slot is known, so I might back up on my feet by resetting the others.
asked 16 hours ago by ratnoz
1 Answer
The open LUKS container does not tell which keyslot it was opened with. So no, you can't determine later which slot "has been used".
However, if you know a valid key or passphrase, you can determine which slot it is located in, for example by re-running cryptsetup open with --test-passphrase, --key-slot or --verbose options.
Normal operation (not very informative):
# cryptsetup open --test-passphrase luks.img
Enter passphrase for foobar.img: first
# cryptsetup open --test-passphrase luks.img
Enter passphrase for foobar.img: second
# cryptsetup open --test-passphrase luks.img
Enter passphrase for foobar.img: third
Verbose operation (tells you which keyslot was used):
# cryptsetup --verbose open --test-passphrase luks.img
Enter passphrase for foobar.img: first
Key slot 0 unlocked.
Command successful.
# cryptsetup --verbose open --test-passphrase luks.img
Enter passphrase for foobar.img: second
Key slot 1 unlocked.
Command successful.
# cryptsetup --verbose open --test-passphrase luks.img
Enter passphrase for foobar.img: third
Key slot 2 unlocked.
Command successful.
Specific keyslot operation (only accepts key stored in this slot):
# cryptsetup open --tries 1 --test-passphrase --key-slot 2 luks.img
Enter passphrase for luks.img: first
No key available with this passphrase.
# cryptsetup open --tries 1 --test-passphrase --key-slot 2 luks.img
Enter passphrase for luks.img: second
No key available with this passphrase.
# cryptsetup open --tries 1 --test-passphrase --key-slot 2 luks.img
Enter passphrase for luks.img: third
Normally the verbose mode is informative enough; however, specifying the key slot directly can be useful when looking for duplicate passphrases (same key stored in two separate slots). It's also faster to test only one slot vs. going through all of them (optimizing LUKS open speed is a different topic, though).
answered 15 hours ago by frostschutz (edited 12 hours ago)
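Added example, not part of the answer above: a POSIX shell script that runs the verbose test from the answer once per known passphrase and reports which keyslot each one unlocks, without echoing the passphrases. The function names and the passphrase file (one candidate per line) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report which LUKS keyslot each known passphrase unlocks.
# Usage (as root): sh slotmap.sh DEVICE PASSPHRASE_FILE
# PASSPHRASE_FILE is a hypothetical file holding one candidate passphrase
# per line; keep it mode 0600 and delete it when done.

# Read `cryptsetup --verbose` output on stdin and print the slot number
# taken from the "Key slot N unlocked." line; print nothing if absent.
parse_slot() {
    sed -n 's/^Key slot \([0-9][0-9]*\) unlocked\..*/\1/p' | head -n 1
}

# slot_of_passphrase DEVICE PASSPHRASE
# --test-passphrase only verifies the key; no mapping is created.
# The passphrase is fed on stdin by the printf builtin, so it does not
# show up in the process list. Prints the slot number or "none".
slot_of_passphrase() {
    out=$(printf '%s\n' "$2" |
        cryptsetup --verbose open --test-passphrase "$1" 2>&1) || true
    slot=$(printf '%s\n' "$out" | parse_slot)
    echo "${slot:-none}"
}

# map_passphrases DEVICE PASSPHRASE_FILE
# Prints one result per input line, identified by line number only so
# that no passphrase ends up in the terminal scrollback or a log.
map_passphrases() {
    n=0
    while IFS= read -r pass || [ -n "$pass" ]; do
        n=$((n + 1))
        slot=$(slot_of_passphrase "$1" "$pass")
        if [ "$slot" = none ]; then
            echo "line $n: none"
        else
            echo "line $n: slot $slot"
        fi
    done < "$2"
}

# Run only when both arguments are given.
if [ "$#" -eq 2 ]; then
    map_passphrases "$1" "$2"
fi
```

Each line of the result names only one slot per passphrase; to check whether the same passphrase is also stored in another slot, test that slot explicitly with --key-slot as described in the answer.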