On Saturday, April 18, 2015 9:35:27 PM Fernando Rodriguez wrote:
> On Saturday, April 18, 2015 12:27:15 PM Marko Weber | 8000 wrote:
> >
> > hello list,
> >
> > i try to crypt a partition with cryptsetup.
> > Yes, in Kernel i had all need things i think.
> >
> > CONFIG_CRYPTO=y
> > CONFIG_CRYPTO_ALGAPI=y
> > CONFIG_CRYPTO_ALGAPI2=y
> > CONFIG_CRYPTO_AEAD=m
> > CONFIG_CRYPTO_AEAD2=y
> > CONFIG_CRYPTO_BLKCIPHER=y
> > CONFIG_CRYPTO_BLKCIPHER2=y
> > CONFIG_CRYPTO_HASH=y
> > CONFIG_CRYPTO_HASH2=y
> > CONFIG_CRYPTO_RNG=m
> > CONFIG_CRYPTO_RNG2=y
> > CONFIG_CRYPTO_PCOMP=m
> > CONFIG_CRYPTO_PCOMP2=y
> > CONFIG_CRYPTO_MANAGER=y
> > CONFIG_CRYPTO_MANAGER2=y
> > CONFIG_CRYPTO_USER=m
> > # CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
> > CONFIG_CRYPTO_GF128MUL=m
> > CONFIG_CRYPTO_NULL=m
> > CONFIG_CRYPTO_PCRYPT=m
> > CONFIG_CRYPTO_WORKQUEUE=y
> > CONFIG_CRYPTO_CRYPTD=m
> > CONFIG_CRYPTO_MCRYPTD=m
> > CONFIG_CRYPTO_AUTHENC=m
> > CONFIG_CRYPTO_TEST=m
> > CONFIG_CRYPTO_ABLK_HELPER=m
> > CONFIG_CRYPTO_GLUE_HELPER_X86=m
> > CONFIG_CRYPTO_CCM=m
> > CONFIG_CRYPTO_GCM=m
> > CONFIG_CRYPTO_SEQIV=m
> > CONFIG_CRYPTO_CBC=y
> > CONFIG_CRYPTO_CTR=m
> > CONFIG_CRYPTO_CTS=m
> > CONFIG_CRYPTO_ECB=m
> > CONFIG_CRYPTO_LRW=m
> > CONFIG_CRYPTO_PCBC=m
> > CONFIG_CRYPTO_XTS=m
> > CONFIG_CRYPTO_CMAC=m
> > CONFIG_CRYPTO_HMAC=m
> > CONFIG_CRYPTO_XCBC=m
> > CONFIG_CRYPTO_VMAC=m
> > CONFIG_CRYPTO_CRC32C=y
> > CONFIG_CRYPTO_CRC32C_INTEL=m
> > CONFIG_CRYPTO_CRC32=m
> > CONFIG_CRYPTO_CRC32_PCLMUL=m
> > CONFIG_CRYPTO_CRCT10DIF=y
> > CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
> > CONFIG_CRYPTO_GHASH=m
> > CONFIG_CRYPTO_MD4=m
> > CONFIG_CRYPTO_MD5=y
> > CONFIG_CRYPTO_MICHAEL_MIC=m
> > CONFIG_CRYPTO_RMD128=m
> > CONFIG_CRYPTO_RMD160=m
> > CONFIG_CRYPTO_RMD256=m
> > CONFIG_CRYPTO_RMD320=m
> > CONFIG_CRYPTO_SHA1=m
> > CONFIG_CRYPTO_SHA1_SSSE3=m
> > CONFIG_CRYPTO_SHA256_SSSE3=m
> > CONFIG_CRYPTO_SHA512_SSSE3=m
> > CONFIG_CRYPTO_SHA1_MB=m
> > CONFIG_CRYPTO_SHA256=m
> > CONFIG_CRYPTO_SHA512=m
> > CONFIG_CRYPTO_TGR192=m
> > CONFIG_CRYPTO_WP512=m
> > CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
> > CONFIG_CRYPTO_AES=y
> > CONFIG_CRYPTO_AES_X86_64=m
> > CONFIG_CRYPTO_AES_NI_INTEL=m
> > CONFIG_CRYPTO_ANUBIS=m
> > CONFIG_CRYPTO_ARC4=m
> > CONFIG_CRYPTO_BLOWFISH=m
> > CONFIG_CRYPTO_BLOWFISH_COMMON=m
> > CONFIG_CRYPTO_BLOWFISH_X86_64=m
> > CONFIG_CRYPTO_CAMELLIA=m
> > CONFIG_CRYPTO_CAMELLIA_X86_64=m
> > CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
> > CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
> > CONFIG_CRYPTO_CAST_COMMON=m
> > CONFIG_CRYPTO_CAST5=m
> > CONFIG_CRYPTO_CAST5_AVX_X86_64=m
> > CONFIG_CRYPTO_CAST6=m
> > CONFIG_CRYPTO_CAST6_AVX_X86_64=m
> > CONFIG_CRYPTO_DES=m
> > CONFIG_CRYPTO_DES3_EDE_X86_64=m
> > CONFIG_CRYPTO_FCRYPT=m
> > CONFIG_CRYPTO_KHAZAD=m
> > CONFIG_CRYPTO_SALSA20=m
> > CONFIG_CRYPTO_SALSA20_X86_64=m
> > CONFIG_CRYPTO_SEED=m
> > CONFIG_CRYPTO_SERPENT=m
> > CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
> > CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
> > CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
> > CONFIG_CRYPTO_TEA=m
> > CONFIG_CRYPTO_TWOFISH=m
> > CONFIG_CRYPTO_TWOFISH_COMMON=m
> > CONFIG_CRYPTO_TWOFISH_X86_64=m
> > CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m
> > CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
> > CONFIG_CRYPTO_DEFLATE=m
> > CONFIG_CRYPTO_ZLIB=m
> > CONFIG_CRYPTO_LZO=m
> > CONFIG_CRYPTO_LZ4=m
> > CONFIG_CRYPTO_LZ4HC=m
> > CONFIG_CRYPTO_ANSI_CPRNG=m
> > CONFIG_CRYPTO_DRBG_MENU=m
> > CONFIG_CRYPTO_DRBG_HMAC=y
> > # CONFIG_CRYPTO_DRBG_HASH is not set
> > # CONFIG_CRYPTO_DRBG_CTR is not set
> > CONFIG_CRYPTO_DRBG=m
> > CONFIG_CRYPTO_USER_API=m
> > CONFIG_CRYPTO_USER_API_HASH=m
> > CONFIG_CRYPTO_USER_API_SKCIPHER=m
> > CONFIG_CRYPTO_HASH_INFO=y
> > # CONFIG_CRYPTO_HW is not set
> >
> > but when i try to use cryptsetup i get this:
> >
> > # cryptsetup -c aes-xts:plain64 -y -s 256 luksFormat
> > /dev/mapper/VolGroup01-media2
> >
> > WARNING!
> > ========
> > This will overwrite data on /dev/mapper/VolGroup01-media2 irrevocably.
> >
> > Are you sure? (Type uppercase yes): YES
> > Enter passphrase:
> > Verify passphrase:
> > device-mapper: reload ioctl on failed: Invalid argument
> > Failed to setup dm-crypt key mapping for device
> > /dev/mapper/VolGroup01-media2.
> > Check that kernel supports aes-xts:plain64 cipher (check syslog for more
> > info).
> >
> > Any ideas?
> >
> > i built cryptsetup with this useflags:
> >
> > nls openssl python udev urandom
> >
> > cryptsetup --help shows me i am able to use the options
> >
> > Default compiled-in device cipher parameters:
> > loop-AES: aes, Key 256 bits
> > plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing:
> > ripemd160
> > LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing:
> > sha1, RNG: /dev/random
> >
> > any help / ideas or knowledge welcome.
> >
> > best regards
> >
> > marko
>
> That message is incorrectly shown if something's wrong with the way you
> specified the cipher and key size. It threw me off for a while too. This is
> what I ended up using:
>
> cryptsetup -i 30000 -c twofish-xts-essiv:sha256 -s 512 -h sha512 luksFormat
> file.img
>
> I don't remember where I was getting it wrong, I think I was using -s 256
> but xts uses half the key for every other block so the key needs to be twice
> the size. I found a site with a table that lists what you can use with which
> options but unfortunately I can't find it now. So try using -s 512 (since
> cryptsetup is telling you that you can use a 256 bit key).

btw. it's not telling you that you can use those. It's telling you that those
are the compiled-in defaults (what it will select for you if you don't specify
anything). It shows the same for me and I'm not using either.

--
Fernando Rodriguez
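
Added example, not part of the original thread or of cryptsetup: a small pre-flight check for the -c/-s pair discussed above, run against the specs that appear in these messages. check_spec is a hypothetical helper; it assumes the dm-crypt spec layout cipher-chainmode-ivmode[:ivopts] and cipher key sizes of 128/192/256 bits.

```sh
#!/bin/sh
# Added example: sanity-check a cryptsetup -c SPEC / -s BITS pair before
# luksFormat. Assumes the layout cipher-chainmode-ivmode[:ivopts].

# check_spec SPEC BITS: prints a verdict; returns 0 if plausible, 1 if not.
check_spec() {
    spec=$1 bits=$2
    cipher=${spec%%-*}
    rest=${spec#"$cipher"}; rest=${rest#-}
    mode=${rest%%-*}
    iv=${rest#"$mode"}; iv=${iv#-}

    case $bits in
        ''|0*|*[!0-9]*) echo "bad: key size '$bits' is not a number"; return 1 ;;
    esac
    case $mode in
        '') echo "bad: '$spec' has no chain mode"; return 1 ;;
        # ':' only introduces IV options (essiv:sha256); it never joins the
        # chain mode to the IV generator.
        *:*) echo "bad: ':' in chain mode; use $cipher-${mode%%:*}-${mode#*:}"
             return 1 ;;
    esac
    if [ -z "$iv" ] && [ "$mode" != ecb ]; then
        echo "bad: chain mode '$mode' needs an IV generator such as plain64"
        return 1
    fi

    # XTS splits the supplied key into two equal halves, so -s is twice the
    # cipher key size. 128/192/256-bit cipher keys are an assumption that
    # holds for AES, Twofish and Serpent.
    per=$bits
    if [ "$mode" = xts ]; then per=$((bits / 2)); fi
    if [ "$mode" = xts ] && [ $((per * 2)) -ne "$bits" ]; then per=0; fi
    case $per in
        128|192|256) ;;
        *) echo "bad: -s $bits is not a usable key size for $cipher-$mode"
           return 1 ;;
    esac
    if [ "$mode" = xts ]; then
        echo "ok: $spec, -s $bits = 2 x $per-bit keys"
    else
        echo "ok: $spec, -s $bits = $per-bit key"
    fi
}

# Constructed inputs: the spec that failed in the thread, the compiled-in
# LUKS1 default, and the spec from the reply.
check_spec 'aes-xts:plain64' 256 || true
check_spec aes-xts-plain64 256
check_spec twofish-xts-essiv:sha256 512
```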