| 1 |
On Saturday, April 18, 2015 12:27:15 PM Marko Weber | 8000 wrote: |
| 2 |
> |
| 3 |
> hello list, |
| 4 |
> |
| 5 |
> i try to crypt a partition with cryptsetup. |
| 6 |
> Yes, in Kernel i had all need things i think. |
| 7 |
> |
| 8 |
> CONFIG_CRYPTO=y |
| 9 |
> CONFIG_CRYPTO_ALGAPI=y |
| 10 |
> CONFIG_CRYPTO_ALGAPI2=y |
| 11 |
> CONFIG_CRYPTO_AEAD=m |
| 12 |
> CONFIG_CRYPTO_AEAD2=y |
| 13 |
> CONFIG_CRYPTO_BLKCIPHER=y |
| 14 |
> CONFIG_CRYPTO_BLKCIPHER2=y |
| 15 |
> CONFIG_CRYPTO_HASH=y |
| 16 |
> CONFIG_CRYPTO_HASH2=y |
| 17 |
> CONFIG_CRYPTO_RNG=m |
| 18 |
> CONFIG_CRYPTO_RNG2=y |
| 19 |
> CONFIG_CRYPTO_PCOMP=m |
| 20 |
> CONFIG_CRYPTO_PCOMP2=y |
| 21 |
> CONFIG_CRYPTO_MANAGER=y |
| 22 |
> CONFIG_CRYPTO_MANAGER2=y |
| 23 |
> CONFIG_CRYPTO_USER=m |
| 24 |
> # CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set |
| 25 |
> CONFIG_CRYPTO_GF128MUL=m |
| 26 |
> CONFIG_CRYPTO_NULL=m |
| 27 |
> CONFIG_CRYPTO_PCRYPT=m |
| 28 |
> CONFIG_CRYPTO_WORKQUEUE=y |
| 29 |
> CONFIG_CRYPTO_CRYPTD=m |
| 30 |
> CONFIG_CRYPTO_MCRYPTD=m |
| 31 |
> CONFIG_CRYPTO_AUTHENC=m |
| 32 |
> CONFIG_CRYPTO_TEST=m |
| 33 |
> CONFIG_CRYPTO_ABLK_HELPER=m |
| 34 |
> CONFIG_CRYPTO_GLUE_HELPER_X86=m |
| 35 |
> CONFIG_CRYPTO_CCM=m |
| 36 |
> CONFIG_CRYPTO_GCM=m |
| 37 |
> CONFIG_CRYPTO_SEQIV=m |
| 38 |
> CONFIG_CRYPTO_CBC=y |
| 39 |
> CONFIG_CRYPTO_CTR=m |
| 40 |
> CONFIG_CRYPTO_CTS=m |
| 41 |
> CONFIG_CRYPTO_ECB=m |
| 42 |
> CONFIG_CRYPTO_LRW=m |
| 43 |
> CONFIG_CRYPTO_PCBC=m |
| 44 |
> CONFIG_CRYPTO_XTS=m |
| 45 |
> CONFIG_CRYPTO_CMAC=m |
| 46 |
> CONFIG_CRYPTO_HMAC=m |
| 47 |
> CONFIG_CRYPTO_XCBC=m |
| 48 |
> CONFIG_CRYPTO_VMAC=m |
| 49 |
> CONFIG_CRYPTO_CRC32C=y |
| 50 |
> CONFIG_CRYPTO_CRC32C_INTEL=m |
| 51 |
> CONFIG_CRYPTO_CRC32=m |
| 52 |
> CONFIG_CRYPTO_CRC32_PCLMUL=m |
| 53 |
> CONFIG_CRYPTO_CRCT10DIF=y |
| 54 |
> CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m |
| 55 |
> CONFIG_CRYPTO_GHASH=m |
| 56 |
> CONFIG_CRYPTO_MD4=m |
| 57 |
> CONFIG_CRYPTO_MD5=y |
| 58 |
> CONFIG_CRYPTO_MICHAEL_MIC=m |
| 59 |
> CONFIG_CRYPTO_RMD128=m |
| 60 |
> CONFIG_CRYPTO_RMD160=m |
| 61 |
> CONFIG_CRYPTO_RMD256=m |
| 62 |
> CONFIG_CRYPTO_RMD320=m |
| 63 |
> CONFIG_CRYPTO_SHA1=m |
| 64 |
> CONFIG_CRYPTO_SHA1_SSSE3=m |
| 65 |
> CONFIG_CRYPTO_SHA256_SSSE3=m |
| 66 |
> CONFIG_CRYPTO_SHA512_SSSE3=m |
| 67 |
> CONFIG_CRYPTO_SHA1_MB=m |
| 68 |
> CONFIG_CRYPTO_SHA256=m |
| 69 |
> CONFIG_CRYPTO_SHA512=m |
| 70 |
> CONFIG_CRYPTO_TGR192=m |
| 71 |
> CONFIG_CRYPTO_WP512=m |
| 72 |
> CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m |
| 73 |
> CONFIG_CRYPTO_AES=y |
| 74 |
> CONFIG_CRYPTO_AES_X86_64=m |
| 75 |
> CONFIG_CRYPTO_AES_NI_INTEL=m |
| 76 |
> CONFIG_CRYPTO_ANUBIS=m |
| 77 |
> CONFIG_CRYPTO_ARC4=m |
| 78 |
> CONFIG_CRYPTO_BLOWFISH=m |
| 79 |
> CONFIG_CRYPTO_BLOWFISH_COMMON=m |
| 80 |
> CONFIG_CRYPTO_BLOWFISH_X86_64=m |
| 81 |
> CONFIG_CRYPTO_CAMELLIA=m |
| 82 |
> CONFIG_CRYPTO_CAMELLIA_X86_64=m |
| 83 |
> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m |
| 84 |
> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m |
| 85 |
> CONFIG_CRYPTO_CAST_COMMON=m |
| 86 |
> CONFIG_CRYPTO_CAST5=m |
| 87 |
> CONFIG_CRYPTO_CAST5_AVX_X86_64=m |
| 88 |
> CONFIG_CRYPTO_CAST6=m |
| 89 |
> CONFIG_CRYPTO_CAST6_AVX_X86_64=m |
| 90 |
> CONFIG_CRYPTO_DES=m |
| 91 |
> CONFIG_CRYPTO_DES3_EDE_X86_64=m |
| 92 |
> CONFIG_CRYPTO_FCRYPT=m |
| 93 |
> CONFIG_CRYPTO_KHAZAD=m |
| 94 |
> CONFIG_CRYPTO_SALSA20=m |
| 95 |
> CONFIG_CRYPTO_SALSA20_X86_64=m |
| 96 |
> CONFIG_CRYPTO_SEED=m |
| 97 |
> CONFIG_CRYPTO_SERPENT=m |
| 98 |
> CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m |
| 99 |
> CONFIG_CRYPTO_SERPENT_AVX_X86_64=m |
| 100 |
> CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m |
| 101 |
> CONFIG_CRYPTO_TEA=m |
| 102 |
> CONFIG_CRYPTO_TWOFISH=m |
| 103 |
> CONFIG_CRYPTO_TWOFISH_COMMON=m |
| 104 |
> CONFIG_CRYPTO_TWOFISH_X86_64=m |
| 105 |
> CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m |
| 106 |
> CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m |
| 107 |
> CONFIG_CRYPTO_DEFLATE=m |
| 108 |
> CONFIG_CRYPTO_ZLIB=m |
| 109 |
> CONFIG_CRYPTO_LZO=m |
| 110 |
> CONFIG_CRYPTO_LZ4=m |
| 111 |
> CONFIG_CRYPTO_LZ4HC=m |
| 112 |
> CONFIG_CRYPTO_ANSI_CPRNG=m |
| 113 |
> CONFIG_CRYPTO_DRBG_MENU=m |
| 114 |
> CONFIG_CRYPTO_DRBG_HMAC=y |
| 115 |
> # CONFIG_CRYPTO_DRBG_HASH is not set |
| 116 |
> # CONFIG_CRYPTO_DRBG_CTR is not set |
| 117 |
> CONFIG_CRYPTO_DRBG=m |
| 118 |
> CONFIG_CRYPTO_USER_API=m |
| 119 |
> CONFIG_CRYPTO_USER_API_HASH=m |
| 120 |
> CONFIG_CRYPTO_USER_API_SKCIPHER=m |
| 121 |
> CONFIG_CRYPTO_HASH_INFO=y |
| 122 |
> # CONFIG_CRYPTO_HW is not set |
| 123 |
> |
| 124 |
> |
| 125 |
> but when i try to use cryptsetup i get this: |
| 126 |
> |
| 127 |
> # cryptsetup -c aes-xts:plain64 -y -s 256 luksFormat |
| 128 |
> /dev/mapper/VolGroup01-media2 |
| 129 |
> |
| 130 |
> WARNING! |
| 131 |
> ======== |
| 132 |
> This will overwrite data on /dev/mapper/VolGroup01-media2 irrevocably. |
| 133 |
> |
| 134 |
> Are you sure? (Type uppercase yes): YES |
| 135 |
> Enter passphrase: |
| 136 |
> Verify passphrase: |
| 137 |
> device-mapper: reload ioctl on failed: Invalid argument |
| 138 |
> Failed to setup dm-crypt key mapping for device |
| 139 |
> /dev/mapper/VolGroup01-media2. |
| 140 |
> Check that kernel supports aes-xts:plain64 cipher (check syslog for more |
| 141 |
> info). |
| 142 |
> |
| 143 |
> |
| 144 |
> |
| 145 |
> Any ideas? |
| 146 |
> |
| 147 |
> i built cryptsetup with this useflags: |
| 148 |
> |
| 149 |
> nls openssl python udev urandom |
| 150 |
> |
| 151 |
> |
| 152 |
> |
| 153 |
> cryptsetup --help shows me i am able to use the options |
| 154 |
> |
| 155 |
> Default compiled-in device cipher parameters: |
| 156 |
> loop-AES: aes, Key 256 bits |
| 157 |
> plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: |
| 158 |
> ripemd160 |
| 159 |
> LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: |
| 160 |
> sha1, RNG: /dev/random |
| 161 |
> |
| 162 |
> |
| 163 |
> any help / ideas or knowledge welcome. |
| 164 |
> |
| 165 |
> best regards |
| 166 |
> |
| 167 |
> marko |
| 168 |
|
| 169 |
That message is incorrectly shown if something's wrong with the way you |
| 170 |
specified the cipher and key size. It threw me off for a while too. This is what |
| 171 |
I ended up using: |
| 172 |
|
| 173 |
cryptsetup -i 30000 -c twofish-xts-essiv:sha256 -s 512 -h sha512 luksFormat |
| 174 |
file.img |
| 175 |
|
| 176 |
I don't remember where I was getting it wrong, I think I was using -s 256 but |
| 177 |
xts uses half the key for every other block so the key needs to be twice the |
| 178 |
size. I found a site with a table that list what you can use with which |
| 179 |
options but unfortunately I can't find it now. So try using -s 512 (since |
| 180 |
cryptsetup is telling you that you can use a 256 bit key). |
| 181 |
|
| 182 |
|
| 183 |
-- |
| 184 |
Fernando Rodriguez |
Archives