Find the LUKS encryption key in a memory dump file of a Proxmox VM

  • Get the partitions from the VM's qcow2 file

ls -alh
-rw-r----- 1 root root 33G Jan 3 19:17 vm-102-disk-0.qcow2
-rw-r----- 1 root root 448M Jan 3 18:05 vm-102-state-luks.raw

modprobe nbd max_part=8
qemu-nbd --connect=/dev/nbd0 vm-102-disk-0.qcow2
fdisk -l

Device        Start      End  Sectors Size Type
/dev/nbd0p1    2048     4095     2048   1M BIOS boot
/dev/nbd0p2    4096  4198399  4194304   2G Linux filesystem
/dev/nbd0p3 4198400 67106815 62908416  30G Linux filesystem
  • Find the master key in the memory state dump of the VM with findaes

findaes vm-102-state-luks.raw
Searching vm-102-state-luks.raw
Found AES-256 key schedule at offset 0xb1428dc:
23 02 57 16 22 c1 d4 4f 13 09 00 fa 6c 63 e7 4c 84 91 e1 a3 c5 99 c9 ee 6a 17 cc c7 1f 01 21 f5
Found AES-256 key schedule at offset 0xb142cdc:
22 d2 a6 2e 48 b4 13 d9 4e 1b ed 0c 0b d0 ec 13 e6 39 02 ea 8f b1 dc 70 78 71 89 3f 67 76 a4 2f
Found AES-256 key schedule at offset 0xd97da7a:
38 f3 74 9a 2e 31 92 b0 b4 95 3f 91 c0 cf a7 b9 8b 3e e8 7e bd a0 88 c8 18 4d 8a b0 ee 83 76 66
Found AES-256 key schedule at offset 0xd97dc4a:
38 f3 74 9a 2e 31 92 b0 b4 95 3f 91 c0 cf a7 b9 8b 3e e8 7e bd a0 88 c8 18 4d 8a b0 ee 83 76 66
Found AES-256 key schedule at offset 0xd97deda:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
Found AES-256 key schedule at offset 0xd97e4ba:
d0 b1 91 2f 5b e4 1a c2 7b 96 2f 61 ad bd 25 7d 8a b7 fc 58 f6 99 07 77 dc bd bd b6 fa 18 5a 79
Found AES-256 key schedule at offset 0xd97f69a:
d0 b1 91 2f 5b e4 1a c2 7b 96 2f 61 ad bd 25 7d 8a b7 fc 58 f6 99 07 77 dc bd bd b6 fa 18 5a 79
Found AES-256 key schedule at offset 0xd97f92a:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
Found AES-256 key schedule at offset 0xd9898ac:
31 31 1a 7b 47 92 f6 b8 d5 a4 c2 fb f7 cb a5 ff 5a 28 4d 3b d5 d8 7e 63 fa 8a d0 73 86 79 e3 15
Found AES-256 key schedule at offset 0xd989a7c:
31 31 1a 7b 47 92 f6 b8 d5 a4 c2 fb f7 cb a5 ff 5a 28 4d 3b d5 d8 7e 63 fa 8a d0 73 86 79 e3 15
Found AES-256 key schedule at offset 0xd989d0c:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

  • In this case the first two matches combined form the master key (2 x 256 bits = 512-bit key length): with aes-xts-plain64 the 512-bit volume key consists of two AES-256 keys, one for the data and one for the XTS tweak, so findaes reports them as two separate key schedules.

This may not always be the case. Your best bet is to find two 256-bit keys at successive memory addresses.

  • Copy the combined key to a text file

echo "2302571622c1d44f130900fa6c63e74c8491e1a3c599c9ee6a17ccc71f0121f522d2a62e48b413d94e1bed0c0bd0ec13e63902ea8fb1dc707871893f6776a42f" > masterkey.txt

  • Convert the master key to binary format

xxd -r -p masterkey.txt masterkey.bin

  • Open the LUKS volume

cryptsetup --master-key-file masterkey.bin luksOpen /dev/nbd0p3 myluks

  • Activate the LVM volume group and mount the VM's filesystem

mkdir /mnt/myluks
vgscan --mknodes
Found volume group "ubuntu-vg" using metadata type lvm2

mount /dev/mapper/ubuntu--vg-ubuntu--lv /mnt/myluks
ls -alh /mnt/myluks/
total 2,1G
drwxr-xr-x 19 root root 4,0K Jan 3 18:03 .
drwxr-xr-x 6 root root 4,0K Jan 3 19:15 ..
lrwxrwxrwx 1 root root 7 Aug 9 13:53 bin -> usr/bin
drwxr-xr-x 2 root root 4,0K Jan 3 17:57 boot
drwxr-xr-x 4 root root 4,0K Aug 9 13:56 dev
drwxr-xr-x 78 root root 4,0K Jan 3 18:04 etc
drwxr-xr-x 3 root root 4,0K Jan 3 18:04 home
lrwxrwxrwx 1 root root 7 Aug 9 13:53 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Aug 9 13:53 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Aug 9 13:53 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Aug 9 13:53 libx32 -> usr/libx32
drwx------ 2 root root 16K Jan 3 17:57 lost+found
drwxr-xr-x 2 root root 4,0K Aug 9 13:53 media
drwxr-xr-x 2 root root 4,0K Aug 9 13:53 mnt
drwxr-xr-x 2 root root 4,0K Aug 9 13:53 opt
drwxr-xr-x 2 root root 4,0K Apr 18 2022 proc
drwx------ 4 root root 4,0K Jan 3 18:41 root
drwxr-xr-x 9 root root 4,0K Aug 9 13:57 run
lrwxrwxrwx 1 root root 8 Aug 9 13:53 sbin -> usr/sbin
drwxr-xr-x 2 root root 4,0K Jan 3 18:04 snap
drwxr-xr-x 2 root root 4,0K Aug 9 13:53 srv
-rw------- 1 root root 2,0G Jan 3 17:58 swap.img
drwxr-xr-x 2 root root 4,0K Apr 18 2022 sys
drwxrwxrwt 8 root root 4,0K Jan 3 18:59 tmp
drwxr-xr-x 14 root root 4,0K Aug 9 13:53 usr
drwxr-xr-x 13 root root 4,0K Aug 9 13:57 var
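As an added example (not from the page's author), a small Python helper that applies the pairing rule from the findaes step to the tool's output: it parses the listing, discards keys that repeat back-to-back or follow the 00 01 02 … pattern, and pairs consecutive AES-256 hits that sit close together into 512-bit candidates. The 4 KiB proximity bound and the filler heuristic are assumptions; the embedded listing is a subset of the output shown above.

```python
import re
# Constructed sample: a subset of the findaes listing shown above (offsets and
# key bytes copied from the page) so that the script runs offline.
FINDAES_OUTPUT = """\
Found AES-256 key schedule at offset 0xb1428dc:
23 02 57 16 22 c1 d4 4f 13 09 00 fa 6c 63 e7 4c 84 91 e1 a3 c5 99 c9 ee 6a 17 cc c7 1f 01 21 f5
Found AES-256 key schedule at offset 0xb142cdc:
22 d2 a6 2e 48 b4 13 d9 4e 1b ed 0c 0b d0 ec 13 e6 39 02 ea 8f b1 dc 70 78 71 89 3f 67 76 a4 2f
Found AES-256 key schedule at offset 0xd97da7a:
38 f3 74 9a 2e 31 92 b0 b4 95 3f 91 c0 cf a7 b9 8b 3e e8 7e bd a0 88 c8 18 4d 8a b0 ee 83 76 66
Found AES-256 key schedule at offset 0xd97dc4a:
38 f3 74 9a 2e 31 92 b0 b4 95 3f 91 c0 cf a7 b9 8b 3e e8 7e bd a0 88 c8 18 4d 8a b0 ee 83 76 66
Found AES-256 key schedule at offset 0xd97deda:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
"""

HEADER = re.compile(r"^Found AES-(\d+) key schedule at offset 0x([0-9a-f]+):$")

def parse_findaes(text):
    """Return [(offset, key_bytes)] in the order findaes reported them."""
    found, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER.match(line.strip())
        if m and i + 1 < len(lines):
            key = bytes.fromhex(lines[i + 1].replace(" ", ""))
            if len(key) * 8 == int(m.group(1)):  # keep only complete keys
                found.append((int(m.group(2), 16), key))
    return found

def is_filler(key):
    """Heuristic (assumption): byte i == i is a test-vector key, not a volume key."""
    return all(b == i for i, b in enumerate(key))

def candidate_master_keys(found, max_gap=4096):
    """Pair consecutive, distinct, non-filler AES-256 hits lying within max_gap
    bytes of each other; each pair is one 512-bit XTS volume-key candidate.
    The 4 KiB bound is an assumption, not something findaes reports."""
    cands = []
    for (off_a, key_a), (off_b, key_b) in zip(found, found[1:]):
        if len(key_a) != 32 or len(key_b) != 32:
            continue
        if key_a == key_b or is_filler(key_a) or is_filler(key_b):
            continue  # the same key seen twice, or a test vector
        if 0 < off_b - off_a <= max_gap:
            cands.append((off_a, (key_a + key_b).hex()))
    return cands

if __name__ == "__main__":
    for off, hexkey in candidate_master_keys(parse_findaes(FINDAES_OUTPUT)):
        print(f"candidate volume key at 0x{off:x}: {hexkey}")
```

Each printed hex string is what the `echo … > masterkey.txt` step above expects; on this sample it yields exactly the key used on the page.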

#proxmox #luks #encryption #linux #opensource #virtualization #security