Gentoo Archives: gentoo-user

From: Fernando Rodriguez <frodriguez.developer@×××××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] cryptsetup wont use aes-xts:plain64
Date: Sun, 19 Apr 2015 01:49:23
Message-Id: 6821587.VGggvmrEYE@navi
In Reply to: Re: [gentoo-user] cryptsetup wont use aes-xts:plain64 by Fernando Rodriguez
On Saturday, April 18, 2015 9:35:27 PM Fernando Rodriguez wrote:
> On Saturday, April 18, 2015 12:27:15 PM Marko Weber | 8000 wrote:
> >
> > hello list,
> >
> > I try to crypt a partition with cryptsetup.
> > Yes, in the kernel I had all the needed things, I think.
> >
> > CONFIG_CRYPTO=y
> > CONFIG_CRYPTO_ALGAPI=y
> > CONFIG_CRYPTO_ALGAPI2=y
> > CONFIG_CRYPTO_AEAD=m
> > CONFIG_CRYPTO_AEAD2=y
> > CONFIG_CRYPTO_BLKCIPHER=y
> > CONFIG_CRYPTO_BLKCIPHER2=y
> > CONFIG_CRYPTO_HASH=y
> > CONFIG_CRYPTO_HASH2=y
> > CONFIG_CRYPTO_RNG=m
> > CONFIG_CRYPTO_RNG2=y
> > CONFIG_CRYPTO_PCOMP=m
> > CONFIG_CRYPTO_PCOMP2=y
> > CONFIG_CRYPTO_MANAGER=y
> > CONFIG_CRYPTO_MANAGER2=y
> > CONFIG_CRYPTO_USER=m
> > # CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
> > CONFIG_CRYPTO_GF128MUL=m
> > CONFIG_CRYPTO_NULL=m
> > CONFIG_CRYPTO_PCRYPT=m
> > CONFIG_CRYPTO_WORKQUEUE=y
> > CONFIG_CRYPTO_CRYPTD=m
> > CONFIG_CRYPTO_MCRYPTD=m
> > CONFIG_CRYPTO_AUTHENC=m
> > CONFIG_CRYPTO_TEST=m
> > CONFIG_CRYPTO_ABLK_HELPER=m
> > CONFIG_CRYPTO_GLUE_HELPER_X86=m
> > CONFIG_CRYPTO_CCM=m
> > CONFIG_CRYPTO_GCM=m
> > CONFIG_CRYPTO_SEQIV=m
> > CONFIG_CRYPTO_CBC=y
> > CONFIG_CRYPTO_CTR=m
> > CONFIG_CRYPTO_CTS=m
> > CONFIG_CRYPTO_ECB=m
> > CONFIG_CRYPTO_LRW=m
> > CONFIG_CRYPTO_PCBC=m
> > CONFIG_CRYPTO_XTS=m
> > CONFIG_CRYPTO_CMAC=m
> > CONFIG_CRYPTO_HMAC=m
> > CONFIG_CRYPTO_XCBC=m
> > CONFIG_CRYPTO_VMAC=m
> > CONFIG_CRYPTO_CRC32C=y
> > CONFIG_CRYPTO_CRC32C_INTEL=m
> > CONFIG_CRYPTO_CRC32=m
> > CONFIG_CRYPTO_CRC32_PCLMUL=m
> > CONFIG_CRYPTO_CRCT10DIF=y
> > CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
> > CONFIG_CRYPTO_GHASH=m
> > CONFIG_CRYPTO_MD4=m
> > CONFIG_CRYPTO_MD5=y
> > CONFIG_CRYPTO_MICHAEL_MIC=m
> > CONFIG_CRYPTO_RMD128=m
> > CONFIG_CRYPTO_RMD160=m
> > CONFIG_CRYPTO_RMD256=m
> > CONFIG_CRYPTO_RMD320=m
> > CONFIG_CRYPTO_SHA1=m
> > CONFIG_CRYPTO_SHA1_SSSE3=m
> > CONFIG_CRYPTO_SHA256_SSSE3=m
> > CONFIG_CRYPTO_SHA512_SSSE3=m
> > CONFIG_CRYPTO_SHA1_MB=m
> > CONFIG_CRYPTO_SHA256=m
> > CONFIG_CRYPTO_SHA512=m
> > CONFIG_CRYPTO_TGR192=m
> > CONFIG_CRYPTO_WP512=m
> > CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
> > CONFIG_CRYPTO_AES=y
> > CONFIG_CRYPTO_AES_X86_64=m
> > CONFIG_CRYPTO_AES_NI_INTEL=m
> > CONFIG_CRYPTO_ANUBIS=m
> > CONFIG_CRYPTO_ARC4=m
> > CONFIG_CRYPTO_BLOWFISH=m
> > CONFIG_CRYPTO_BLOWFISH_COMMON=m
> > CONFIG_CRYPTO_BLOWFISH_X86_64=m
> > CONFIG_CRYPTO_CAMELLIA=m
> > CONFIG_CRYPTO_CAMELLIA_X86_64=m
> > CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
> > CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
> > CONFIG_CRYPTO_CAST_COMMON=m
> > CONFIG_CRYPTO_CAST5=m
> > CONFIG_CRYPTO_CAST5_AVX_X86_64=m
> > CONFIG_CRYPTO_CAST6=m
> > CONFIG_CRYPTO_CAST6_AVX_X86_64=m
> > CONFIG_CRYPTO_DES=m
> > CONFIG_CRYPTO_DES3_EDE_X86_64=m
> > CONFIG_CRYPTO_FCRYPT=m
> > CONFIG_CRYPTO_KHAZAD=m
> > CONFIG_CRYPTO_SALSA20=m
> > CONFIG_CRYPTO_SALSA20_X86_64=m
> > CONFIG_CRYPTO_SEED=m
> > CONFIG_CRYPTO_SERPENT=m
> > CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
> > CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
> > CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
> > CONFIG_CRYPTO_TEA=m
> > CONFIG_CRYPTO_TWOFISH=m
> > CONFIG_CRYPTO_TWOFISH_COMMON=m
> > CONFIG_CRYPTO_TWOFISH_X86_64=m
> > CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m
> > CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
> > CONFIG_CRYPTO_DEFLATE=m
> > CONFIG_CRYPTO_ZLIB=m
> > CONFIG_CRYPTO_LZO=m
> > CONFIG_CRYPTO_LZ4=m
> > CONFIG_CRYPTO_LZ4HC=m
> > CONFIG_CRYPTO_ANSI_CPRNG=m
> > CONFIG_CRYPTO_DRBG_MENU=m
> > CONFIG_CRYPTO_DRBG_HMAC=y
> > # CONFIG_CRYPTO_DRBG_HASH is not set
> > # CONFIG_CRYPTO_DRBG_CTR is not set
> > CONFIG_CRYPTO_DRBG=m
> > CONFIG_CRYPTO_USER_API=m
> > CONFIG_CRYPTO_USER_API_HASH=m
> > CONFIG_CRYPTO_USER_API_SKCIPHER=m
> > CONFIG_CRYPTO_HASH_INFO=y
> > # CONFIG_CRYPTO_HW is not set
> >
> >
> > but when I try to use cryptsetup I get this:
> >
> > # cryptsetup -c aes-xts:plain64 -y -s 256 luksFormat /dev/mapper/VolGroup01-media2
> >
> > WARNING!
> > ========
> > This will overwrite data on /dev/mapper/VolGroup01-media2 irrevocably.
> >
> > Are you sure? (Type uppercase yes): YES
> > Enter passphrase:
> > Verify passphrase:
> > device-mapper: reload ioctl on failed: Invalid argument
> > Failed to setup dm-crypt key mapping for device /dev/mapper/VolGroup01-media2.
> > Check that kernel supports aes-xts:plain64 cipher (check syslog for more info).
> >
> >
> >
> > Any ideas?
> >
> > I built cryptsetup with these useflags:
> >
> > nls openssl python udev urandom
> >
> >
> >
> > cryptsetup --help shows me I am able to use the options
> >
> > Default compiled-in device cipher parameters:
> > loop-AES: aes, Key 256 bits
> > plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
> > LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha1, RNG: /dev/random
> >
> >
> > any help / ideas or knowledge welcome.
> >
> > best regards
> >
> > marko
>
> That message is incorrectly shown if something's wrong with the way you
> specified the cipher and key size. It threw me off for a while too. This is
> what I ended up using:
>
> cryptsetup -i 30000 -c twofish-xts-essiv:sha256 -s 512 -h sha512 luksFormat file.img
>
> I don't remember where I was getting it wrong, I think I was using -s 256
> but xts uses half the key for every other block so the key needs to be twice
> the size. I found a site with a table that lists what you can use with which
> options but unfortunately I can't find it now. So try using -s 512 (since
> cryptsetup is telling you that you can use a 256 bit key).

btw. it's not telling you that you can use those. It's telling you that those
are the compiled-in defaults (what it will select for you if you don't specify
anything). It shows the same for me and I'm not using either.

--
Fernando Rodriguez
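
The message above ties the error to how the cipher string and key size were given on the command line. As an added example (not part of the original message and not cryptsetup's own code), the shell function below lints a `-c` string against the dm-crypt form `cipher-chainmode-ivmode[:ivopts]` and reports the key size XTS leaves for the block cipher; `check_cipher_spec` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the thread. check_cipher_spec is a hypothetical helper,
# not a cryptsetup command. It lints the string given to `cryptsetup -c` against
# the dm-crypt form  cipher-chainmode-ivmode[:ivopts]  and the -s key size.

check_cipher_spec() {
    spec=$1
    keybits=$2

    cipher=${spec%%-*}          # text before the first "-"
    rest=${spec#*-}             # text after it ("chainmode-ivmode[:ivopts]")
    if [ "$rest" = "$spec" ]; then
        # Stricter than the kernel, which still accepts a bare cipher name.
        echo "error: no chainmode in '$spec'"
        return 1
    fi

    chainmode=${rest%%-*}
    iv=${rest#*-}
    if [ "$iv" = "$rest" ]; then
        # Only one "-" in the spec, so nothing occupies the ivmode field.
        # A ":" does not separate chainmode from ivmode; only "-" does.
        if [ "$chainmode" != ecb ]; then
            echo "error: no ivmode in '$spec' (chainmode parsed as '$chainmode')"
            return 1
        fi
        iv=
    fi
    ivmode=${iv%%:*}
    ivopts=
    case $iv in *:*) ivopts=${iv#*:} ;; esac

    # XTS splits the supplied key into two equal keys, so the block cipher
    # itself runs with half of the -s value.
    cipherbits=$keybits
    if [ "$chainmode" = xts ]; then
        cipherbits=$((keybits / 2))
    fi
    echo "ok cipher=$cipher chainmode=$chainmode ivmode=$ivmode ivopts=$ivopts cipherbits=$cipherbits"
}

# Constructed sample inputs: the spec from the original question, then the
# hyphenated form that `cryptsetup --help` lists as the LUKS1 default.
check_cipher_spec 'aes-xts:plain64' 256 || true
check_cipher_spec 'aes-xts-plain64' 256
check_cipher_spec 'aes-xts-plain64' 512
```

`/proc/crypto` on the running kernel shows whether the `xts` template and the chosen cipher are actually registered, which is the other half of the check the error message asks for.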