Recover LUKS After Removing the Key Accidentally

Mar 7th 2021

Please do read this article first: How to recover lost LUKS key or passphrase

Background

I cannot stop doing stupid things. This time, I mistakenly removed the active LUKS key with the cryptsetup luksRemoveKey command.

I set up my LUKS during OS installation by simply ticking the “encryption” checkbox, so yes, I did not back up my LUKS header or keyfile.

When I dumped the LUKS, it said slot 1 had a key, but whatever passphrase I tried, I could not pass cryptsetup luksOpen --test-passphrase again.

It is clear that I have messed up badly. However, since my PC was still on with the decrypted LUKS mounted, there was still hope.

First, I took a shower to calm down.

Solution

Get current LUKS volume:

sudo dmsetup ls --target crypt

luks-3f73e406-400c-4d10-8d29-19133640601c       (254, 0)

Get the master key of the currently decrypted volume; the long blob in column 5 is the key in hex format:

sudo dmsetup table luks-3f73e406-400c-4d10-8d29-19133640601c --showkeys

0 217492111 crypt aes-xts-plain64 aead68d04015aad4ef314692e6d85394d5263b53c959aa5786cea18696b662a768391e073525f1aac93e64c4aa12317397fd3115a552dcb87d48dbebd5701477 0 259:6 4096

Convert the master key to binary format:

sudo dmsetup table --showkeys /dev/mapper/luks-3f73e406-400c-4d10-8d29-19133640601c | awk '{print $5}' | xxd -r -p > ./master_key.bin

Add a new key using the master key file:

sudo cryptsetup luksAddKey /dev/nvme0n1p6 --master-key-file ./master_key.bin

Be smart and back up the LUKS header:

sudo cryptsetup luksHeaderBackup /dev/nvme0n1p6 --header-backup-file ./luks-header
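
The key-extraction and key-adding steps above as one script, added here as an example and not part of the original post. The function names `extract_key_hex` and `recover_keyslot` are hypothetical; the script stops when field 5 is not a plain hex key (some setups show a kernel keyring reference there instead), keeps the key file readable only by its owner, and deletes it once the new passphrase has been tested.

```shell
#!/bin/sh
# Added example, not the author's code. Function names are hypothetical.

# Print the hex volume key from one line of `dmsetup table --showkeys` output.
# Fails when the line is not a crypt target, or when field 5 is not plain hex
# (for example a keyring reference such as ":64:logon:cryptsetup:...").
extract_key_hex() {
    line=$1
    target=$(printf '%s\n' "$line" | awk '{print $3}')
    key=$(printf '%s\n' "$line" | awk '{print $5}')
    [ "$target" = "crypt" ] || { echo "not a crypt target" >&2; return 1; }
    case $key in
        ''|*[!0-9a-fA-F]*) echo "field 5 is not a hex key" >&2; return 1 ;;
    esac
    [ $(( ${#key} % 2 )) -eq 0 ] || { echo "odd-length hex key" >&2; return 1; }
    printf '%s\n' "$key"
}

# Add a new passphrase to DEVICE using the key of the open mapping MAPPING.
# KEYFILE should sit on a tmpfs (e.g. under /dev/shm) so the key never
# reaches persistent storage. Example call, with the values from this post:
#   recover_keyslot luks-3f73e406-400c-4d10-8d29-19133640601c \
#       /dev/nvme0n1p6 /dev/shm/master_key.bin
recover_keyslot() {
    mapping=$1 device=$2 keyfile=$3
    line=$(sudo dmsetup table "$mapping" --showkeys) || return 1
    hex=$(extract_key_hex "$line") || return 1
    # umask 077 in a subshell: the key file is created with mode 0600.
    ( umask 077; printf '%s' "$hex" | xxd -r -p > "$keyfile" ) || return 1
    # Add the new passphrase, then prove it unlocks the header.
    sudo cryptsetup luksAddKey "$device" --master-key-file "$keyfile" &&
        sudo cryptsetup luksOpen --test-passphrase "$device"
    status=$?
    # Remove the raw key whether or not the steps above succeeded.
    shred -u "$keyfile"
    return $status
}
```
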