Closed GoogleCodeExporter closed 9 years ago
This message explains it (no need to run debug to see it):
device-mapper: reload ioctl on failed: Das Argument ist ungültig
The argument is wrong because ESSIV requires a hash; IOW, the hash argument for ESSIV
is mandatory.
So you should really use
cryptsetup luksFormat -c twofish-cbc-essiv:sha256 /dev/sdc1
Unfortunately, error reporting from kernel dmcrypt consists only of "INVALID
parameters" (and the rest of the messages is just libdevmapper internal mess, no idea
why it reports the remove ioctl failure 10 times).
But the header should not be created at all in this case; this is a bug, will fix it
somehow later.
(You will get the same output for -c blah-blah :)
Thanks for reporting.
Original comment by gmazyl...@gmail.com
on 21 Sep 2013 at 7:56
Original comment by gmazyl...@gmail.com
on 21 Sep 2013 at 7:59
Umm...okay, I tried a lot of combinations (only used parameter was "-c
[cipher]"). Actually most didn't work, not just the ones with twofish:
working:
no parameter (standards)
-c twofish
-c twofish:ripemd160
-c twofish-cbc-essiv:SHA256
-c twofish-cbc-essiv:MD5
failing:
-c twofish:SHA1
-c twofish:SHA256
-c twofish:SHA512
-c twofish:MD5
-c twofish-cbc
-c twofish-cbc:SHA1
-c twofish-cbc:SHA256
-c twofish-cbc:SHA512
-c twofish-cbc:ripemd160
-c twofish-cbc-essiv:SHA1
-c twofish-cbc-essiv:SHA512
-c twofish-cbc-essiv:whirlpool
-c twofish-cbc-essiv:ripemd160
-c AES:MD5
-c aes-cbc-essiv:SHA256
-c aes-cbc-essiv:ripemd160
-c aes-xts:ripemd160
-c serpent-cbc:sha1
$ cat /proc/crypto
name : sha512
driver : sha512-generic
module : sha512_generic
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 128
digestsize : 64
name : sha384
driver : sha384-generic
module : sha512_generic
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 128
digestsize : 48
name : sha256
driver : sha256-generic
module : sha256_generic
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 32
name : sha224
driver : sha224-generic
module : sha256_generic
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 28
name : xts(twofish)
driver : xts(twofish-asm)
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : givcipher
async : no
blocksize : 16
min keysize : 32
max keysize : 64
ivsize : 16
geniv : eseqiv
name : xts(twofish)
driver : xts(twofish-asm)
module : xts
priority : 200
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 32
max keysize : 64
ivsize : 16
geniv : <default>
name : xts(serpent)
driver : xts(serpent-generic)
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : givcipher
async : no
blocksize : 16
min keysize : 0
max keysize : 64
ivsize : 16
geniv : eseqiv
name : xts(serpent)
driver : xts(serpent-generic)
module : xts
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 0
max keysize : 64
ivsize : 16
geniv : <default>
name : cbc(serpent)
driver : cbc(serpent-generic)
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : givcipher
async : no
blocksize : 16
min keysize : 0
max keysize : 32
ivsize : 16
geniv : eseqiv
name : cbc(serpent)
driver : cbc(serpent-generic)
module : cbc
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 0
max keysize : 32
ivsize : 16
geniv : <default>
name : tnepres
driver : tnepres-generic
module : serpent
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 0
max keysize : 32
name : serpent
driver : serpent-generic
module : serpent
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 0
max keysize : 32
name : cbc(aes)
driver : cbc(aes-asm)
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : givcipher
async : no
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : eseqiv
name : xts(aes)
driver : xts(aes-asm)
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : givcipher
async : no
blocksize : 16
min keysize : 32
max keysize : 64
ivsize : 16
geniv : eseqiv
name : xts(aes)
driver : xts(aes-asm)
module : xts
priority : 200
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 32
max keysize : 64
ivsize : 16
geniv : <default>
name : cbc(twofish)
driver : cbc-twofish-3way
module : kernel
priority : 300
refcnt : 1
selftest : passed
type : givcipher
async : no
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : eseqiv
name : cbc(twofish)
driver : cbc(twofish-asm)
module : cbc
priority : 200
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>
name : twofish
driver : twofish-generic
module : twofish_generic
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : ctr(twofish)
driver : ctr-twofish-3way
module : twofish_x86_64_3way
priority : 300
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>
name : cbc(twofish)
driver : cbc-twofish-3way
module : twofish_x86_64_3way
priority : 300
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>
name : ecb(twofish)
driver : ecb-twofish-3way
module : twofish_x86_64_3way
priority : 300
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>
name : twofish
driver : twofish-asm
module : twofish_x86_64
priority : 200
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : cbc(aes)
driver : cbc(aes-asm)
module : cbc
priority : 200
refcnt : 528
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>
name : ecb(aes)
driver : ecb(aes-asm)
module : ecb
priority : 200
refcnt : 2
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>
name : aes
driver : aes-asm
module : aes_x86_64
priority : 200
refcnt : 529
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : aes
driver : aes-generic
module : aes_generic
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : arc4
driver : arc4-generic
module : arc4
priority : 0
refcnt : 3
selftest : passed
type : cipher
blocksize : 1
min keysize : 1
max keysize : 256
name : crc32c
driver : crc32c-generic
module : crc32c
priority : 100
refcnt : 2
selftest : passed
type : shash
blocksize : 1
digestsize : 4
name : stdrng
driver : krng
module : kernel
priority : 200
refcnt : 2
selftest : passed
type : rng
seedsize : 0
name : md5
driver : md5-generic
module : kernel
priority : 0
refcnt : 1055
selftest : passed
type : shash
blocksize : 64
digestsize : 16
$cryptsetup --help says about the standard config:
Vorgabewerte für Schlüssel und Passsätze:
Maximale Größe der Schlüsseldatei: 8192kB, Maximale Länge des interaktiven Passsatzes: 512 Zeichen
Vorgabe für die Durchlaufzeit für PBKDF2 mit LIKS: 1000 Millisekunden
Standard-Verschlüsselungsparameter:
Loop-AES: aes, Schlüssel 256 Bits
plain: aes-cbc-essiv:sha256, Schlüssel: 256 Bits, Passsatz-Hashen: ripemd160
LUKS1: aes-xts-plain64, Schlüssel: 256 Bits, LUKS-Kopfbereich-Hashen: sha1, Zufallszahlengenerator: /dev/urandom
Original comment by DjStY...@gmail.com
on 21 Sep 2013 at 8:01
Sorry didn't see your comment since I was writing mine at the same time :o)
What about the other combinations that fail like "twofish-cbc-essiv:sha512"?
Original comment by DjStY...@gmail.com
on 21 Sep 2013 at 8:05
cryptsetup uses this logic: if it is possible and the user wants it, let's not block
him.
That said, there are some shortcuts for cipher definitions, perhaps the best is
to study this internal test
http://code.google.com/p/cryptsetup/source/browse/tests/mode-test
and see dmcrypt spec (cipher+mode is 1:1 to -c parameter)
http://code.google.com/p/cryptsetup/wiki/DMCrypt
Some modes make sense; some make sense but the kernel module is not available in
your config, etc.
I expect the user to understand how the IV and cipher are used when specifying them on
the command line.
Anyway, I would suggest using XTS mode. If you want twofish, then e.g. -c
twofish-xts-plain64 -s 512.
Original comment by gmazyl...@gmail.com
on 21 Sep 2013 at 8:20
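Added example, not part of the original thread and not cryptsetup code: a pre-flight check for the two ESSIV points discussed above (a hash is mandatory, and the -c string maps 1:1 to the dm-crypt cipher-mode-iv[:hash] spec), run against /proc/crypto-style text. The function names and the embedded excerpt are constructed for illustration; the digest-size test reflects that ESSIV keys its IV cipher with the hash of the volume key.

```python
# Added example: pre-flight check of an ESSIV cipher spec against /proc/crypto.
# Constructed excerpt in the same "key : value" layout as the dump in this thread.
SAMPLE_PROC_CRYPTO = """\
name : sha512
type : shash
digestsize : 64
name : sha256
type : shash
digestsize : 32
name : md5
type : shash
digestsize : 16
name : twofish
type : cipher
min keysize : 16
max keysize : 32
"""

def parse_proc_crypto(text):
    """Return {algorithm name: {field: value}}; a 'name' line starts a record."""
    algs, cur = {}, None
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if key == "name":
            cur = algs.setdefault(val, {})
        elif cur is not None:
            cur[key] = val
    return algs

def check_essiv_spec(spec, algs):
    """Return a list of problems found in a cipher-mode-iv[:hash] spec."""
    cipher, _, rest = spec.lower().partition("-")   # lowercased for lookup (assumption)
    mode, _, ivspec = rest.partition("-")
    iv, _, ivhash = ivspec.partition(":")
    if iv != "essiv":
        return []                                    # only ESSIV is checked here
    if not ivhash:
        return [f"essiv needs a hash, e.g. {cipher}-{mode}-essiv:sha256"]
    h, c = algs.get(ivhash, {}), algs.get(cipher, {})
    if "digestsize" not in h:
        # Absent entries may still be loadable as modules; treat as a warning.
        return [f"hash '{ivhash}' is not listed in /proc/crypto"]
    size = int(h["digestsize"])
    # ESSIV keys the IV cipher with the hash of the volume key, so the digest
    # must be a usable key size. This range test is necessary, not sufficient.
    if "max keysize" in c and not int(c["min keysize"]) <= size <= int(c["max keysize"]):
        return [f"{ivhash} digest ({size} bytes) is outside {cipher} key sizes"]
    return []

ALGS = parse_proc_crypto(SAMPLE_PROC_CRYPTO)
```

On a real system, pass the contents of /proc/crypto instead of the excerpt; the kernel still makes the final decision when the mapping is loaded.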
LUKS header is now not written if cipher/mode specification is wrong, commit
http://code.google.com/p/cryptsetup/source/detail?r=ce23225e46cbbef41dd6881acf8be5d0016d7ca5#
Original comment by gmazyl...@gmail.com
on 10 Nov 2013 at 9:13
Original issue reported on code.google.com by
DjStY...@gmail.com
on 21 Sep 2013 at 7:39