LUKS passphrase doesn't work
One day, when I turned on the computer, my passphrase for the home partition /dev/sda7 didn't work (I am 147% absolutely sure that I was typing the right pass)! After three tries, I rebooted the computer via forced shutdown and tried to enter the same pass. That didn't work. Then, instead of the default "Boot arch", I chose "Boot arch with Linux linux". And it helped me. I worked all day and afterwards turned off the computer. But at the next boot, this trick didn't help me. Neither did choosing "Boot arch with Linux linux (initramfs fallback)" (I have only 3 boot choices).
Then I decided to boot from an Ubuntu LiveUSB. sudo cryptsetup luksOpen /dev/sda7 home says: No key available with this passphrase.
I have tried to execute sudo cryptsetup --verbose repair /dev/sda7, which said No known problems detected for LUKS header.
I have compiled and run the official cryptsetup tool https://gitlab.com/cryptsetup/cryptsetup/tree/master/misc/keyslot_checker for checking keyslots. It gave the same information about the keyslots as luksDump does.
$ sudo cryptsetup luksDump /dev/sda7
LUKS header information for /dev/sda7
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 256
MK digest: fc 18 49 fe 3a 4e d4 11 b9 6f 0c c7 1d 54 0a 8d 44 01 86 36
MK salt: 5e 59 c8 fc f2 a9 10 b9 bf 7c 68 4b e4 a5 8e 00
5a f9 c7 66 f9 5b 02 ff e7 59 e4 fd 43 f2 dc b5
MK iterations: 249500
UUID: cc2f71c3-f0d9-4642-bf59-87bff4f60b54
Key Slot 0: ENABLED
Iterations: 1996099
Salt: 3e 60 e7 14 02 95 89 c0 c2 bf 8d 61 bb 99 13 aa
9d 9a c4 7d d4 41 78 ee 76 b0 48 b4 ed b0 ff a8
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
All of that looks like everything is OK, as if the header and the whole partition were not damaged. I have no idea why the passphrase doesn't fit. All I can say is that I fully upgrade my system (via sudo pacman -Syyu) every day. And probably one day an upgrade somehow caused these consequences.
If there is corruption in the LUKS header (more than just a single byte), it’s pretty much impossible to recover.
The LUKS header does not have a checksum for its key material, so if it's damaged in any way, the cryptsetup luksDump will look the same as always, but your passphrase simply won't work anymore. If you're unable to make the passphrase work, it's not possible to rule out corruption.
You could check it out with hexdump (manual approach to keyslot checker):
hexdump -C -n 132096 foobar.img | less
00000000 4c 55 4b 53 ba be 00 01 61 65 73 00 00 00 00 00 |LUKS....aes.....|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 78 74 73 2d 70 6c 61 69 |........xts-plai|
... 0x00000->0x01000 should be mixed text, zero and random ...
00001000 9f 27 7a 46 8b c7 0e 09 00 82 2d 66 a7 4b b7 76 |.'zF......-f.K.v|
00001010 7a 01 ed 65 91 d0 96 af 3c f1 85 0d 64 48 81 e7 |z..e....<...dH..|
00001020 3a 00 0d d1 23 e0 95 d2 8e 42 34 4d e2 74 c4 d6 |:...#....B4M.t..|
... 0x01000->0x20400 should be 128K of random only ...
000203d0 b6 04 f6 34 08 64 10 3f 4e b7 c4 21 e6 d8 da 56 |...4.d.?N..!...V|
000203e0 0e eb 53 ce d2 a6 94 f0 92 7b 11 4b c1 96 9f 17 |..S......{.K....|
000203f0 94 88 b4 cd 36 a5 e1 b2 e9 ba 27 f3 85 7d cb 3f |....6.....'..}.?|
00020400
The first segment is what luksDump shows; only parts of it are random. The range 00001000..00020400 is the key material for Key Slot 0. This should look random throughout; if there is any segment of that zeroed out or otherwise distinctly lacking in randomness (like a wild plain text string appearing), the header is corrupt.
If you're not using the US layout, try that and whatever layout you usually use. Keyboard layout problems are also a common reason for passphrases to stop working. In this case it helps to add the same passphrase multiple times (once for each layout) so LUKS will accept it, regardless of which layout is currently active.
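
The manual hexdump check described in the answer above, automated as an added example (not part of the original answer and not the cryptsetup keyslot checker's code): it parses the LUKS1 header, locates each enabled slot's key material, and flags 512-byte sectors whose byte entropy is low. The function names and the 7.0 bits/byte threshold are assumptions, and the sample image is constructed from the luksDump values on this page with pseudo-random key material.

```python
import math
import random
import struct
from collections import Counter

SECTOR = 512
LUKS1_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD   # LUKS1 slot state markers
HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")       # 208 bytes, big-endian
SLOT = struct.Struct(">II32sII")                       # 8 slots of 48 bytes follow

def entropy(block):
    """Shannon entropy of a byte block in bits per byte (8.0 is the maximum)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def suspicious_sectors(image, threshold=7.0):
    """Map each enabled key slot to byte offsets of its low-entropy sectors.

    threshold is an assumed cut-off: 512 random bytes measure about 7.6,
    zeroed or plain-text sectors far less.
    """
    fields = HDR.unpack_from(image, 0)
    if fields[0] != LUKS1_MAGIC or fields[1] != 1:
        raise ValueError("not a LUKS1 header")
    key_bytes = fields[6]                              # "MK bits" / 8
    findings = {}
    for slot in range(8):
        active, _, _, km_offset, stripes = SLOT.unpack_from(image, HDR.size + slot * SLOT.size)
        if active != SLOT_ENABLED:
            continue
        start, end = km_offset * SECTOR, km_offset * SECTOR + key_bytes * stripes
        if end > len(image):
            raise ValueError(f"image too short for key slot {slot}")
        findings[slot] = [off for off in range(start, end, SECTOR)
                          if entropy(image[off:min(off + SECTOR, end)]) < threshold]
    return findings

def constructed_image(seed=1):
    """Constructed sample: luksDump values from this page, pseudo-random key material."""
    rng = random.Random(seed)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    hdr = HDR.pack(LUKS1_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 32,
                   rand(20), rand(32), 249500, b"constructed-sample-uuid")
    hdr += SLOT.pack(SLOT_ENABLED, 1996099, rand(32), 8, 4000)
    hdr += SLOT.pack(SLOT_DISABLED, 0, bytes(32), 0, 4000) * 7
    return bytearray(hdr.ljust(8 * SECTOR, b"\0") + rand(32 * 4000))

if __name__ == "__main__":
    img = constructed_image()
    print("intact :", suspicious_sectors(img))          # key slot 0, nothing flagged
    img[0x8000:0x8200] = bytes(SECTOR)                   # simulate one zeroed sector
    print("damaged:", {s: [hex(o) for o in v] for s, v in suspicious_sectors(img).items()})
```

To check a real header, pass in the bytes of a header image such as the foobar.img used above. An empty result only means no whole sector looks non-random; damage of a few bytes will not show up this way.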