Opening LUKS encrypted drive with cryptsetup

Hi everybody,

I recently attached a large (5TB) drive which was LUKS encrypted with standard settings on a different device using Debian to my new Vero4K+. When I try to unlock the drive now with sudo cryptsetup --verbose --debug luksOpen /dev/sda vaultName the log shows the following error message:

# cryptsetup 2.1.0 processing "cryptsetup --verbose --debug luksOpen /dev/sda vaultName"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sda.
# Trying to open and read device /dev/sda with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/sda.
# Crypto backend (OpenSSL 1.1.1d  10 Sep 2019) initialized in cryptsetup library version 2.1.0.
# Detected kernel Linux 3.14.29-160-osmc aarch64.
# Loading LUKS2 header (repair disabled).
# Opening lock resource file /run/cryptsetup/L_8:0
# Acquiring read lock for device /dev/sda.
# Verifying read lock handle for device /dev/sda.
# Device /dev/sda READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/sda
# Veryfing locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:20e45fe46c980a56ce5fd2d896f425033654aab9d1a4abb5b10fa5f105c0b44d (on-disk)
# Checksum:20e45fe46c980a56ce5fd2d896f425033654aab9d1a4abb5b10fa5f105c0b44d (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Opening locked device /dev/sda
# Veryfing locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:e3756e2aa78246419ab7a383ff3d3e1c114ce09b44bba185e5b8e0da82756f9c (on-disk)
# Checksum:e3756e2aa78246419ab7a383ff3d3e1c114ce09b44bba185e5b8e0da82756f9c (in-memory)
# Device size 5000981077504, offset 16777216.
# Device /dev/sda READ lock released.
# Not enough physical memory detected, PBKDF max memory decreased from 1048576kB to 882060kB.
# PBKDF argon2i, hash sha256, time_ms 2000 (iterations 0), max_memory_kb 882060, parallel_threads 4.
# Activating volume vaultName using token -1.
# Interactive passphrase entry requested.
Enter passphrase for /dev/sda:
# Activating volume vaultName [keyslot -1] using passphrase.
# dm version   [ opencount flush ]   [16384] (*1)
# dm versions   [ opencount flush ]   [16384] (*1)
# Detected dm-ioctl version 4.27.0.
# Detected dm-crypt version 1.13.0.
# Device-mapper backend running with UDEV support enabled.
# dm status vaultName  [ opencount noflush ]   [16384] (*1)
# Keyslot 0 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Reading keyslot area [0x8000].
# Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
# Keyslot 0 (luks2) open failed with -95.
# Releasing crypt device /dev/sda context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).

Especially the following message sticks out:

# Userspace crypto wrapper cannot use aes-xts-plain64 (-95).

I could possibly re-encrypt the drive with different settings, but I only want to do this as a last resort.

Thank you in advance,

This is a bit of a guess, but the 3.14 kernel is build without CONFIG_CRYPTO_USER_API_SKCIPHER being enabled, which might cause the error you see.

The missing kernel setting seems to be enabled in the forthcoming 4.9 kernel.

This kernel will be released for Sunday.


Thanks to both of you for your quick reply. That’s perfect, just take your time.


I just upgraded and can happily report that everything is working smoothly now.

Thank you for your hard work!


Thanks for confirming this.

1 Like