veracrypt / VeraCrypt

Disk encryption with strong security based on TrueCrypt
https://www.veracrypt.fr

Can't mount veracrypt volume using kernel crypto anymore #692

Closed ohthehugemanatee closed 3 years ago

ohthehugemanatee commented 4 years ago

I rebooted today and found that my veracrypt volume, which usually mounts on boot, is now failing to mount.

Error: device-mapper: reload ioctl on veracrypt1  failed: Invalid argument

This usually indicates that veracrypt couldn't use the kernel crypto services to decrypt the volume. So I tried mounting it with -m=nokernelcrypto, and it works.

Here are the attributes of the volume:

Type: Normal
Algorithm: AES
Primary Key size: 256 bits
Secondary Key Size (XTS Mode): 256 bits
Block Size: 128 bits
Mode: XTS
PKCS-5 PRF: HMAC-SHA-256
Volume format version: 2

It sure looks like the kernel supports everything I need:

» grep name /proc/crypto |grep aes
name         : __xts(aes)
name         : cbc(aes)
name         : ccm(aes)
name         : ctr(aes)
name         : cbcmac(aes)
name         : cmac(aes)
name         : __ecb(aes)
name         : gcm(aes)
name         : rfc4106(gcm(aes))
name         : __gcm(aes)
name         : __rfc4106(gcm(aes))
name         : xts(aes)
name         : ctr(aes)
name         : cbc(aes)
name         : ecb(aes)
name         : __xts(aes)
name         : __ctr(aes)
name         : __cbc(aes)
name         : __ecb(aes)
name         : aes
name         : aes

» grep name /proc/crypto |grep hmac
name         : hmac(sha256)
name         : hmac(sha1)

I had a kernel update a couple of weeks ago (5.8.6-1 -> 5.8.11-1). Veracrypt hasn't been updated in over a month, so I doubt it's a regression. I'm running an up-to-date Manjaro.

Any ideas? What else could impact this?
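
A stricter form of the /proc/crypto check in the post above, as an added example that is not part of the original thread: grep on the name lines also matches internal-only helper entries such as __xts(aes), so this parses each stanza and reports only implementations whose name matches exactly, with their selftest and internal fields. The function names and the sample stanzas are constructed for illustration.

```shell
#!/bin/sh
# crypto_impls ALG [FILE]: one line per implementation of ALG found in a
# /proc/crypto-format file ("-" reads stdin). Exact name match only.
crypto_impls() {
    awk -v want="$1" '
        function flush() {
            if (f["name"] == want)
                printf "%s prio=%s selftest=%s internal=%s\n",
                       f["driver"], f["priority"], f["selftest"],
                       (("internal" in f) ? f["internal"] : "no")
            split("", f)                      # clear the stanza buffer
        }
        /^[ \t]*$/ { flush(); next }          # blank line ends a stanza
        {
            i = index($0, ":")
            if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            f[key] = val
        }
        END { flush() }
    ' "${2:-/proc/crypto}"
}

# crypto_usable ALG [FILE]: succeeds only if some implementation of ALG
# passed its self-test and is not marked internal.
crypto_usable() {
    crypto_impls "$1" "${2:-/proc/crypto}" |
        grep -q 'selftest=passed internal=no$'
}

# Constructed sample input (not taken from the reporter's machine).
sample_proc_crypto() {
cat <<'EOF'
name         : __xts(aes)
driver       : __xts-aes-aesni
priority     : 401
selftest     : passed
internal     : yes

name         : xts(aes)
driver       : xts-aes-aesni
priority     : 401
selftest     : passed
internal     : no
EOF
}

sample_proc_crypto | crypto_impls 'xts(aes)' -
```

On a live system, call crypto_usable 'xts(aes)' with no file argument to read /proc/crypto; a passing result shows only that the algorithm is registered and usable, not that the device-mapper table will be accepted.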

idrassi commented 3 years ago

I have just tested on freshly installed Manjaro 20.2 with the latest kernel 5.9.11-3 using the VeraCrypt binary installed through pacman and everything works as expected. I created a different set of file containers with one of them using AES-SHA256 and I didn't have any issue.

So, there must be something specific about the configuration because VeraCrypt always calls dmsetup using the same parameters. Maybe there is a bug in Device Mapper shipped with your version of Manjaro or in the kernel version you are running.

I don't have other ideas about the cause of the issue. Maybe updating to a more recent kernel and a recent dmsetup version can help. FYI, output of dmsetup --version on my machine is:

Library version:   1.02.170 (2020-03-24)
Driver version:    4.42.0

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

ohthehugemanatee commented 4 months ago

Non-reopening update:

Several years and many installs later, I still have to disable kernel crypto in order to mount this container. Clearly it's something funny in how it was created.