On Saturday, April 18, 2015 12:27:15 PM Marko Weber | 8000 wrote:
>
> hello list,
>
> i try to crypt a partition with cryptsetup.
> Yes, in Kernel i had all need things i think.
>
> CONFIG_CRYPTO=y
> CONFIG_CRYPTO_ALGAPI=y
> CONFIG_CRYPTO_ALGAPI2=y
> CONFIG_CRYPTO_AEAD=m
> CONFIG_CRYPTO_AEAD2=y
> CONFIG_CRYPTO_BLKCIPHER=y
> CONFIG_CRYPTO_BLKCIPHER2=y
> CONFIG_CRYPTO_HASH=y
> CONFIG_CRYPTO_HASH2=y
> CONFIG_CRYPTO_RNG=m
> CONFIG_CRYPTO_RNG2=y
> CONFIG_CRYPTO_PCOMP=m
> CONFIG_CRYPTO_PCOMP2=y
> CONFIG_CRYPTO_MANAGER=y
> CONFIG_CRYPTO_MANAGER2=y
> CONFIG_CRYPTO_USER=m
> # CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
> CONFIG_CRYPTO_GF128MUL=m
> CONFIG_CRYPTO_NULL=m
> CONFIG_CRYPTO_PCRYPT=m
> CONFIG_CRYPTO_WORKQUEUE=y
> CONFIG_CRYPTO_CRYPTD=m
> CONFIG_CRYPTO_MCRYPTD=m
> CONFIG_CRYPTO_AUTHENC=m
> CONFIG_CRYPTO_TEST=m
> CONFIG_CRYPTO_ABLK_HELPER=m
> CONFIG_CRYPTO_GLUE_HELPER_X86=m
> CONFIG_CRYPTO_CCM=m
> CONFIG_CRYPTO_GCM=m
> CONFIG_CRYPTO_SEQIV=m
> CONFIG_CRYPTO_CBC=y
> CONFIG_CRYPTO_CTR=m
> CONFIG_CRYPTO_CTS=m
> CONFIG_CRYPTO_ECB=m
> CONFIG_CRYPTO_LRW=m
> CONFIG_CRYPTO_PCBC=m
> CONFIG_CRYPTO_XTS=m
> CONFIG_CRYPTO_CMAC=m
> CONFIG_CRYPTO_HMAC=m
> CONFIG_CRYPTO_XCBC=m
> CONFIG_CRYPTO_VMAC=m
> CONFIG_CRYPTO_CRC32C=y
> CONFIG_CRYPTO_CRC32C_INTEL=m
> CONFIG_CRYPTO_CRC32=m
> CONFIG_CRYPTO_CRC32_PCLMUL=m
> CONFIG_CRYPTO_CRCT10DIF=y
> CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
> CONFIG_CRYPTO_GHASH=m
> CONFIG_CRYPTO_MD4=m
> CONFIG_CRYPTO_MD5=y
> CONFIG_CRYPTO_MICHAEL_MIC=m
> CONFIG_CRYPTO_RMD128=m
> CONFIG_CRYPTO_RMD160=m
> CONFIG_CRYPTO_RMD256=m
> CONFIG_CRYPTO_RMD320=m
> CONFIG_CRYPTO_SHA1=m
> CONFIG_CRYPTO_SHA1_SSSE3=m
> CONFIG_CRYPTO_SHA256_SSSE3=m
> CONFIG_CRYPTO_SHA512_SSSE3=m
> CONFIG_CRYPTO_SHA1_MB=m
> CONFIG_CRYPTO_SHA256=m
> CONFIG_CRYPTO_SHA512=m
> CONFIG_CRYPTO_TGR192=m
> CONFIG_CRYPTO_WP512=m
> CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
> CONFIG_CRYPTO_AES=y
> CONFIG_CRYPTO_AES_X86_64=m
> CONFIG_CRYPTO_AES_NI_INTEL=m
> CONFIG_CRYPTO_ANUBIS=m
> CONFIG_CRYPTO_ARC4=m
> CONFIG_CRYPTO_BLOWFISH=m
> CONFIG_CRYPTO_BLOWFISH_COMMON=m
> CONFIG_CRYPTO_BLOWFISH_X86_64=m
> CONFIG_CRYPTO_CAMELLIA=m
> CONFIG_CRYPTO_CAMELLIA_X86_64=m
> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
> CONFIG_CRYPTO_CAST_COMMON=m
> CONFIG_CRYPTO_CAST5=m
> CONFIG_CRYPTO_CAST5_AVX_X86_64=m
> CONFIG_CRYPTO_CAST6=m
> CONFIG_CRYPTO_CAST6_AVX_X86_64=m
> CONFIG_CRYPTO_DES=m
> CONFIG_CRYPTO_DES3_EDE_X86_64=m
> CONFIG_CRYPTO_FCRYPT=m
> CONFIG_CRYPTO_KHAZAD=m
> CONFIG_CRYPTO_SALSA20=m
> CONFIG_CRYPTO_SALSA20_X86_64=m
> CONFIG_CRYPTO_SEED=m
> CONFIG_CRYPTO_SERPENT=m
> CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
> CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
> CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
> CONFIG_CRYPTO_TEA=m
> CONFIG_CRYPTO_TWOFISH=m
> CONFIG_CRYPTO_TWOFISH_COMMON=m
> CONFIG_CRYPTO_TWOFISH_X86_64=m
> CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m
> CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
> CONFIG_CRYPTO_DEFLATE=m
> CONFIG_CRYPTO_ZLIB=m
> CONFIG_CRYPTO_LZO=m
> CONFIG_CRYPTO_LZ4=m
> CONFIG_CRYPTO_LZ4HC=m
> CONFIG_CRYPTO_ANSI_CPRNG=m
> CONFIG_CRYPTO_DRBG_MENU=m
> CONFIG_CRYPTO_DRBG_HMAC=y
> # CONFIG_CRYPTO_DRBG_HASH is not set
> # CONFIG_CRYPTO_DRBG_CTR is not set
> CONFIG_CRYPTO_DRBG=m
> CONFIG_CRYPTO_USER_API=m
> CONFIG_CRYPTO_USER_API_HASH=m
> CONFIG_CRYPTO_USER_API_SKCIPHER=m
> CONFIG_CRYPTO_HASH_INFO=y
> # CONFIG_CRYPTO_HW is not set
>
> but when i try to use cryptsetup i get this:
>
> # cryptsetup -c aes-xts:plain64 -y -s 256 luksFormat /dev/mapper/VolGroup01-media2
>
> WARNING!
> ========
> This will overwrite data on /dev/mapper/VolGroup01-media2 irrevocably.
>
> Are you sure? (Type uppercase yes): YES
> Enter passphrase:
> Verify passphrase:
> device-mapper: reload ioctl on failed: Invalid argument
> Failed to setup dm-crypt key mapping for device /dev/mapper/VolGroup01-media2.
> Check that kernel supports aes-xts:plain64 cipher (check syslog for more info).
>
> Any ideas?
>
> i built cryptsetup with this useflags:
>
> nls openssl python udev urandom
>
> cryptsetup --help shows me i am able to use the options
>
> Default compiled-in device cipher parameters:
>     loop-AES: aes, Key 256 bits
>     plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
>     LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha1, RNG: /dev/random
>
> any help / ideas or knowledge welcome.
>
> best regards
>
> marko

That message is incorrectly shown if something's wrong with the way you
specified the cipher and key size. It threw me off for a while too. This is what
I ended up using:

cryptsetup -i 30000 -c twofish-xts-essiv:sha256 -s 512 -h sha512 luksFormat file.img

I don't remember where I was getting it wrong, I think I was using -s 256 but
xts uses half the key for every other block so the key needs to be twice the
size. I found a site with a table that lists what you can use with which
options but unfortunately I can't find it now. So try using -s 512 (since
cryptsetup is telling you that you can use a 256 bit key).

--
Fernando Rodriguez
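
Added example, not part of the original messages: a shell pre-flight check for the -c / -s pair passed to cryptsetup, run here against the two specs that appear in this thread. It assumes the spec form cipher-chainmode-ivmode[:ivopts] seen in the quoted cryptsetup --help output (aes-xts-plain64, aes-cbc-essiv:sha256); check_spec is a hypothetical helper name, and the 128/192/256-bit key-size list is an assumption that holds for aes, twofish and serpent.

```sh
#!/bin/sh
# Added example (not from the thread). check_spec is a hypothetical helper:
#   check_spec SPEC KEYBITS   -> prints "ok: ..." or "bad: ...", returns 0 or 1
# Assumed form: cipher-chainmode-ivmode[:ivopts]; cipher:keycount is not handled.

check_spec() {
    spec=$1
    bits=$2
    cipher=${spec%%-*}
    case $spec in
        *-*) rest=${spec#*-} ;;
        *)   rest= ;;
    esac
    mode=${rest%%-*}
    case $rest in
        *-*) iv=${rest#*-} ;;
        *)   iv=none ;;
    esac

    # ':' may only introduce IV options (essiv:sha256). In the chain-mode
    # field it produces a name such as "xts:plain64", which is not a chain mode.
    case $mode in
        *:*)
            fixed=$(printf '%s' "$mode" | tr ':' '-')
            echo "bad: chain mode '$mode' contains ':'; write $cipher-$fixed"
            return 1 ;;
    esac

    # XTS splits the -s key into two equal halves: data key and tweak key.
    per_key=$bits
    if [ "$mode" = xts ]; then
        if [ $((bits % 2)) -ne 0 ]; then
            echo "bad: xts needs an even key size, got $bits"
            return 1
        fi
        per_key=$((bits / 2))
    fi

    # Assumption: 128/192/256-bit cipher keys (true for aes, twofish, serpent).
    case $cipher:$per_key in
        aes:128|aes:192|aes:256) ;;
        twofish:128|twofish:192|twofish:256) ;;
        serpent:128|serpent:192|serpent:256) ;;
        aes:*|twofish:*|serpent:*)
            echo "bad: -s $bits gives $cipher a $per_key-bit key"
            return 1 ;;
    esac
    echo "ok: cipher=$cipher mode=$mode iv=$iv cipher_key_bits=$per_key"
}
```

Calling check_spec aes-xts:plain64 256 reports the ':' in the chain-mode field, while check_spec twofish-xts-essiv:sha256 512 reports a 256-bit cipher key.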