Hi everybody,
I recently attached a large (5TB) drive, which was LUKS-encrypted with standard settings on a different device using Debian, to my new Vero4K+. When I try to unlock the drive now with
sudo cryptsetup --verbose --debug luksOpen /dev/sda vaultName
the log shows the following error message:
# cryptsetup 2.1.0 processing "cryptsetup --verbose --debug luksOpen /dev/sda vaultName"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sda.
# Trying to open and read device /dev/sda with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/sda.
# Crypto backend (OpenSSL 1.1.1d 10 Sep 2019) initialized in cryptsetup library version 2.1.0.
# Detected kernel Linux 3.14.29-160-osmc aarch64.
# Loading LUKS2 header (repair disabled).
# Opening lock resource file /run/cryptsetup/L_8:0
# Acquiring read lock for device /dev/sda.
# Verifying read lock handle for device /dev/sda.
# Device /dev/sda READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/sda
# Veryfing locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:20e45fe46c980a56ce5fd2d896f425033654aab9d1a4abb5b10fa5f105c0b44d (on-disk)
# Checksum:20e45fe46c980a56ce5fd2d896f425033654aab9d1a4abb5b10fa5f105c0b44d (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Opening locked device /dev/sda
# Veryfing locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:e3756e2aa78246419ab7a383ff3d3e1c114ce09b44bba185e5b8e0da82756f9c (on-disk)
# Checksum:e3756e2aa78246419ab7a383ff3d3e1c114ce09b44bba185e5b8e0da82756f9c (in-memory)
# Device size 5000981077504, offset 16777216.
# Device /dev/sda READ lock released.
# Not enough physical memory detected, PBKDF max memory decreased from 1048576kB to 882060kB.
# PBKDF argon2i, hash sha256, time_ms 2000 (iterations 0), max_memory_kb 882060, parallel_threads 4.
# Activating volume vaultName using token -1.
# Interactive passphrase entry requested.
Enter passphrase for /dev/sda:
# Activating volume vaultName [keyslot -1] using passphrase.
# dm version [ opencount flush ] [16384] (*1)
# dm versions [ opencount flush ] [16384] (*1)
# Detected dm-ioctl version 4.27.0.
# Detected dm-crypt version 1.13.0.
# Device-mapper backend running with UDEV support enabled.
# dm status vaultName [ opencount noflush ] [16384] (*1)
# Keyslot 0 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Reading keyslot area [0x8000].
# Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
# Keyslot 0 (luks2) open failed with -95.
# Releasing crypt device /dev/sda context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).
Especially the following message sticks out:
# Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
I could possibly re-encrypt the drive with different settings, but I only want to do this as a last resort.
Thank you in advance,
Chris