LUKS is an encryption specifications for Linux used to encrypt disk partitions. The cryptsetup utility is usually used for that. After a partition is encrypted it can be opened for reading and writing after inputting a password or a keyfile.
Technical details
cryptsetup is used to conveniently setup dm-crypt managed device-mapper mappings. These include plain dm-crypt volumes and LUKS volumes. The difference is that LUKS uses a metadata header and can hence offer more features than plain dm-crypt. On the other hand, the header is visible and vulnerable to damage.
So after a partition is encrypted it has a LUKS header with some
encryption metadata and a body. The header tells the program
(cryptsetup) how to decrypt the partition. If that header is damaged in
any way then trying to decrypt it using cryptsetup luksOpen /dev/sdx1
will print Device /dev/sdx1 is not a valid LUKS device. if the system
is up-to-date. On the server this happened the system was CentOS 7 with
cryptsetup version 2.0.3 (as opposed to 2.6.1) so when I tried to
decrypt it didn’t prompt for a password and didn’t print anything. After
upgrading the version following
this gitlab issue I got it to print that message so I had something to google.
Please test with last released and supported version (currently 2.5.0), we do not have resources to debug old versions, thanks.
A good bit of googling led me to
this thread on
the Arch Linux forums. They describe the steps needed to diagnose most
LUKS problems. One thing that was different in this case was the command
sudo dd if=/dev/sdx1 count=20 | hexdump -C printed only zeroes.
dd if=/dev/sdx1 count=20 | hexdump -C
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
20+0 records in
20+0 records out
10240 bytes (10 kB, 10 KiB) copied, 0.00229011 s, 4.5 MB/sTesting with a larger block count count=2050 showed that the first
2030 or so blocks were completely wiped. This meant that the LUKS header
and possibly some of the data are gone. This could still be fixed with a
header backup file using
cryptsetup luksHeaderRestore <device> --header-backup-file <file>.
Unfortunately, there was no header backup file so the only solution was to restore a backup of the entire partition.
Utilities used
Encrypt a partition
Open a LUKS volume and create a decrypted mapping at
/dev/mapper/target
Close a mapping
Print the hexadecimal representation of a file
Get the first 20 blocks of data from a partition and pipe them to hexdump to display their hexadecimal representation