Cloning crypto_LUKS volume (for the day that I remember the password!)

morockin
New here
Posts: 2
Joined: Sat Nov 28, 2020 12:03 am

Post by morockin » Sat Nov 28, 2020 12:24 am

Greetings everyone, long time lurker here but first time poster. Sadly, my first post is part of a frustrating situation (surprise surprise!).

Short story:

- Had a 4 bay QNAP, hardware failure (wouldn't power on), so I bought a new 9-bay unit.
- Put the 4 drives from the old QNAP into the new unit and... nothing...
- Tried all the GUI system options to restore the previous array (RAID 5), no luck
- Switched to the trusty command line (via SSH) and was able to fix the partition tables, rebuild the array (using mdadm) and identify the LUKS partition (thanks to much of the guidance I found digging around this forum)
- After getting everything up and running, I had trouble getting the LUKS partition to mount, did some more digging, and realized that it was a crypto_LUKS volume (I had forgotten that I had enabled encryption when setting up the original array)
- Now, I am trying to mount crypto_LUKS volume and have two problems:

1. It seems like there may actually be two logical volumes that contain my data, tp1 or lv1, I am not sure which one I should be mounting. Here is the readout of lvdisplay:

Code:

--- Logical volume ---
  LV Name                tp1
  VG Name                vg1
  LV UUID                oLwYMf-EcbY-l1N0-sPFS-Vi7S-i1yJ-fQczt6
  LV Write Access        read/write
  LV Creation host, time NAS067324, 2018-07-15 22:34:47 -0400
  LV Pool metadata       tp1_tmeta
  LV Pool data           tp1_tierdata_0
  LV Status              available
  # open                 2
  LV Size                16.14 TiB
  Allocated pool data    99.99%
  Allocated pool chunks  33849344
  Allocated metadata     1.61%
  Current LE             4231433
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     6144
  Block device           252:6
   
  --- Logical volume ---
  LV Path                /dev/vg1/lv1
  LV Name                lv1
  VG Name                vg1
  LV UUID                Y3lBli-GA48-FY0s-IJUI-9MuT-Coba-njezio
  LV Write Access        read/write
  LV Creation host, time NAS067324, 2018-07-15 22:35:43 -0400
  LV Pool name           tp1
  LV Status              available
  # open                 0
  LV Size                16.14 TiB
  Mapped size            100.00%
  Mapped sectors         34661728256
  Current LE             4231168
  Segments               1
  Allocation             inherit
  Read ahead sectors     8192
  Block device           252:8

Which one should I be mounting with cryptsetup?

2. I have been trying to mount both tp1 and lv1 using the command "cryptsetup luksOpen /dev/vg1/tp1 VAULT" but I keep getting the error "No key available with this passphrase." Obviously, I am assuming that I simply forgot my password, although that is surprising since this was only a few years ago. I've been going through all the passwords that I used historically and trying them out (I have a running list on a sheet of paper next to my laptop), but, if I am simply SOL on the password front, I have this question: Can I clone the logical volume (assuming I can figure out the right one to clone) to a backup drive and try to mount it again later? In other words, is it possible to image/dd-write the unmounted logical volume to an external drive? To make things more complicated, if I can image/copy, I only have an empty 14 TB external. Will it be a problem that I am trying to image a 16.14 TB volume to a 14 TB drive (is compression a possibility?)?

If I can copy/clone the logical volume (that I can't mount because of the lost password) then I can at least wipe the drives and get my new unit up and running, and hope that someday I can remember the password so I can mount that old array/volume and recover some important files.

If you got this far, thank you for reading and a BIG thanks to any ideas or suggestions.

Mousetick
Been there, done that
Posts: 588
Joined: Thu Aug 24, 2017 10:28 pm

Re: Cloning crypto_LUKS volume (for the day that I remember the password!)

Post by Mousetick » Sat Nov 28, 2020 2:17 am

1. tp1 is the storage pool, lv1 is the volume on tp1. So you'd want to work with lv1.
2. QNAP encodes the passphrase supplied by the user in the UI, before it's used with cryptsetup. So even if you remember the correct passphrase, it will not be recognized by cryptsetup because it has not been encoded. You can use the following command to encode the passphrase(s) you remember, using 'foobar' as an example:

Code:

# /sbin/storage_util --encrypt_pwd pwd=foobar
Encrypted passwd is:$1$YCCaQNAP$11Ny1/mqEz2frukTALsHp/

Then use the resulting encoded string as the passphrase for cryptsetup luksOpen.

3. If #2 still doesn't work, and you want to use the dd command to create an image of the encrypted volume to be saved on a smaller drive, you could try to pipe the output of the dd command to a good compressor (e.g. /bin/xz). Failing that, you'll need a destination drive of sufficient capacity. Once you have created the image, you can access it from another Linux system by using a loop device. But keep in mind, you still need to go through #2 to generate the encoded passphrase for decrypting.

See also: Mount QNAP encrypted volume
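
Added example (not part of the thread or of QNAP's tooling): a POSIX shell version of the dd-plus-compressor imaging in step 3 that first measures how well a sample of the volume compresses, then images it in one pass while recording a SHA-256 of the raw stream, and verifies the result. LUKS ciphertext is close to random, so expect a sample ratio near 100 and size the destination drive accordingly; `/mnt/ext`, the image file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. /dev/vg1/lv1 is the thread's volume;
# /mnt/ext and the function names are assumptions.
COMPRESSOR=${COMPRESSOR:-xz}   # any filter that accepts -c and -dc (xz, gzip)

# sample_ratio SRC SKIP_MIB COUNT_MIB
# Compress COUNT_MIB MiB read SKIP_MIB MiB into SRC; print compressed size as
# a percentage of raw size. About 100 means compression will not save space.
sample_ratio() {
    raw=$(dd if="$1" bs=1048576 skip="$2" count="$3" 2>/dev/null | wc -c)
    [ "$raw" -gt 0 ] || { echo "no data read from $1" >&2; return 1; }
    comp=$(dd if="$1" bs=1048576 skip="$2" count="$3" 2>/dev/null |
           $COMPRESSOR -c | wc -c)
    echo $(( comp * 100 / raw ))
}

# image_volume SRC DEST
# One pass over SRC: compress to DEST and store the SHA-256 of the raw stream
# in DEST.sha256 (a FIFO feeds the hasher). Returns the compressor's status;
# dd reports read errors on stderr.
image_volume() {
    fifo="$2.fifo"
    rm -f "$fifo"; mkfifo "$fifo" || return 1
    sha256sum < "$fifo" | cut -d' ' -f1 > "$2.sha256" &
    dd if="$1" bs=1048576 | tee "$fifo" | $COMPRESSOR -c > "$2"
    rc=$?
    wait
    rm -f "$fifo"
    return $rc
}

# verify_image DEST
# Decompress DEST and compare its hash with the one recorded while imaging.
verify_image() {
    want=$(cat "$1.sha256")
    got=$($COMPRESSOR -dc "$1" | sha256sum | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# On the NAS, with the volume closed:
#   sample_ratio /dev/vg1/lv1 0 256      # repeat at several offsets
#   image_volume /dev/vg1/lv1 /mnt/ext/lv1.img.xz
#   verify_image /mnt/ext/lv1.img.xz && echo "image verified"
# Later, on another Linux system with room for the raw image:
#   xz -dc lv1.img.xz > lv1.img
#   cryptsetup luksOpen "$(losetup -f --show lv1.img)" VAULT
```

The loop-device step needs the decompressed image, so the system that later opens it must have space for the full volume size even if the compressed copy is smaller.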

morockin
New here
Posts: 2
Joined: Sat Nov 28, 2020 12:03 am

Re: Cloning crypto_LUKS volume (for the day that I remember the password!)

Post by morockin » Sat Nov 28, 2020 11:22 am

Mousetick, that was f'ing brilliant, THANK YOU! I encoded the passphrase (to be honest, I still had to go halfway through my list of guesses), tried to mount lv1 and IT WORKED! Now I am running e2fsck_64 to try and repair the filesystem in the *hope* that my files are still accessible!


