I'm trying to setup a couple of LUKS-encrypted partitions to be mounted after boot-time on a new Ubuntu server which was installed with LVM on top of software RAID. After running cryptsetup luksFormat
, the LUKS header is clearly visible on the volume. After running any flavor of mkfs, the header is overwritten (which does not happen on other systems that were setup without LVM), and cryptsetup will no longer recognize the device as a LUKS device.
# cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/dm-1
WARNING!
========
This will overwrite data on /dev/dm-1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
# hexdump -C /dev/dm-1|head -n5
00000000 4c 55 4b 53 ba be 00 01 61 65 73 00 00 00 00 00 |LUKS....aes.....|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 63 62 63 2d 65 73 73 69 |........cbc-essi|
00000030 76 3a 73 68 61 32 35 36 00 00 00 00 00 00 00 00 |v:sha256........|
00000040 00 00 00 00 00 00 00 00 73 68 61 31 00 00 00 00 |........sha1....|
# cryptsetup luksOpen /dev/dm-1 web2-var
# mkfs.ext4 /dev/mapper/web2-var
[..snip..]
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
# hexdump -C /dev/dm-1|head -n5
# cryptsetup luksClose /dev/mapper/web2-var
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000400 00 40 5d 00 00 88 74 01 66 a0 12 00 17 f2 6d 01 |.@]...t.f.....m.|
00000410 f5 3f 5d 00 00 00 00 00 02 00 00 00 02 00 00 00 |.?].............|
00000420 00 80 00 00 00 80 00 00 00 20 00 00 00 00 00 00 |......... ......|
# cryptsetup luksOpen /dev/dm-1 web2-var
Device /dev/dm-1 is not a valid LUKS device.
I have also tried mkfs.ext2 with the same result. Based on setups I've done successfully on Debian and Ubuntu (but not LVM or Ubuntu 12.04), it's hard to see why this is failing.
If the device is really named
/dev/web2/var
, then this implies to me that you are using LVM and the encrypted volume is thevar
logical volume inside theweb2
volume group. That means there is already a device named/dev/mapper/web2-var
as well and cryptsetup is probably not overwriting it when you tell it to unlock the volume. Thus, you're formatting the original volume, not the decrypted volume.I'm not sure why you're not getting an error from cryptsetup though. You may want to file a bug on it. Or at least check if it's automatically renaming the unlocked device to
/dev/mapper/web2-var2
or the like.In the meantime, give the decrypted volume a new name. Try