Closed GoogleCodeExporter closed 9 years ago
It is not a problem in cryptsetup but in libgcrypt. Read
http://www.saout.de/pipermail/dm-crypt/2014-January/003813.html
It is (or better, was) a bug in gcrypt. It seems that all LUKS devices using
whirlpool with gcrypt < 1.6.0 are in fact corrupted.
I will try to provide some workaround to "fix" these devices but it will
not be trivial.
Original comment by gmazyl...@gmail.com
on 17 Jan 2014 at 8:15
To me it sounds like the data itself on the devices isn't corrupted. Can't we
just recover the master key with an older version of libgcrypt and create a new
LUKS header afterwards with sha1 instead of whirlpool? I did a reencrypt
yesterday and it took an awful long time.
Original comment by eisensh...@gmail.com
on 18 Jan 2014 at 9:29
Yes, just reencryption of the header is fine (fortunately key derivation is OK;
the problem is only in the AF filter, which only diffuses the key store to more
sectors) and the next version will have this option (exactly to solve this
problem). But currently it is possible only with the old gcrypt installed (the
new one cannot open it anymore). If you read the thread mentioned above, there
is a possibility gcrypt will provide some more help (to access both whirlpool
variants).
For now it is best to use the old gcrypt. And I would suggest not overriding
LUKS defaults next time without serious reasons (I found some post on the Arch
forum where someone suggested Whirlpool without explaining why - and people
just copy & paste it... even SHA1 is still fine here, read the FAQ.)
Original comment by gmazyl...@gmail.com
on 19 Jan 2014 at 9:28
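The comment above says the hash is used only in the AF filter. The sketch below is an added example, not part of the thread or of cryptsetup's code: it follows the LUKS1 anti-forensic split/merge and shows that key material split with one hash implementation cannot be merged with another. Assumptions: SHA-256 stands in for the hash, `buggy_hash` is a constructed stand-in that does not model the real libgcrypt defect, and all function names are hypothetical.

```python
import hashlib
import os
import struct

STRIPES = 4000  # LUKS1 stripe count

def fixed_hash(data):
    # Stand-in for the corrected hash implementation (SHA-256, an assumption).
    return hashlib.sha256(data).digest()

def buggy_hash(data):
    # Constructed stand-in for an implementation returning different digests;
    # it does not model the real libgcrypt defect.
    return hashlib.sha256(b"\x00" + data).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def diffuse(block, hash_fn):
    # Hash each digest-sized chunk, prefixed with its big-endian index.
    size = len(hash_fn(b""))
    out = b""
    for i in range(0, len(block), size):
        chunk = block[i:i + size]
        out += hash_fn(struct.pack(">I", i // size) + chunk)[:len(chunk)]
    return out

def af_split(key, hash_fn, stripes=STRIPES):
    # stripes-1 random stripes, then a final stripe that hides the key.
    d, material = bytes(len(key)), []
    for _ in range(stripes - 1):
        stripe = os.urandom(len(key))
        material.append(stripe)
        d = diffuse(xor(d, stripe), hash_fn)
    material.append(xor(d, key))
    return b"".join(material)

def af_merge(material, key_len, hash_fn, stripes=STRIPES):
    d = bytes(key_len)
    for k in range(stripes - 1):
        d = diffuse(xor(d, material[k * key_len:(k + 1) * key_len]), hash_fn)
    return xor(d, material[(stripes - 1) * key_len:stripes * key_len])

def demo():
    master_key = bytes(range(64))  # constructed sample key
    material = af_split(master_key, buggy_hash)  # header written by the old library
    return (af_merge(material, 64, buggy_hash) == master_key,
            af_merge(material, 64, fixed_hash) == master_key)

if __name__ == "__main__":
    print(demo())
```

The first result corresponds to opening the device with the library that wrote the header, the second to opening it after the hash implementation changed.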
The lesson was definitely learned. I'll keep an eye on the thread. Thank you
very much for your effort. :)
Original comment by eisensh...@gmail.com
on 20 Jan 2014 at 12:39
The workaround for the whirlpool gcrypt bug is described in the FAQ now:
https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#8._Issues_with_Specific_Versions_of_cryptsetup
Original comment by gmazyl...@gmail.com
on 14 Jun 2014 at 3:53
Original issue reported on code.google.com by
eisensh...@gmail.com
on 17 Jan 2014 at 7:56