Mailing List Archive

cryptsetup wont use aes-xts:plain64
hello list,

i try to crypt a partition with cryptsetup.
Yes, in Kernel i had all need things i think.

CONFIG_CRYPTO=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=m
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_CRYPTO_BLKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=m
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_PCOMP=m
CONFIG_CRYPTO_PCOMP2=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_USER=m
# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
CONFIG_CRYPTO_GF128MUL=m
CONFIG_CRYPTO_NULL=m
CONFIG_CRYPTO_PCRYPT=m
CONFIG_CRYPTO_WORKQUEUE=y
CONFIG_CRYPTO_CRYPTD=m
CONFIG_CRYPTO_MCRYPTD=m
CONFIG_CRYPTO_AUTHENC=m
CONFIG_CRYPTO_TEST=m
CONFIG_CRYPTO_ABLK_HELPER=m
CONFIG_CRYPTO_GLUE_HELPER_X86=m
CONFIG_CRYPTO_CCM=m
CONFIG_CRYPTO_GCM=m
CONFIG_CRYPTO_SEQIV=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CTR=m
CONFIG_CRYPTO_CTS=m
CONFIG_CRYPTO_ECB=m
CONFIG_CRYPTO_LRW=m
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_XTS=m
CONFIG_CRYPTO_CMAC=m
CONFIG_CRYPTO_HMAC=m
CONFIG_CRYPTO_XCBC=m
CONFIG_CRYPTO_VMAC=m
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_CRC32C_INTEL=m
CONFIG_CRYPTO_CRC32=m
CONFIG_CRYPTO_CRC32_PCLMUL=m
CONFIG_CRYPTO_CRCT10DIF=y
CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
CONFIG_CRYPTO_GHASH=m
CONFIG_CRYPTO_MD4=m
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_MICHAEL_MIC=m
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
CONFIG_CRYPTO_RMD320=m
CONFIG_CRYPTO_SHA1=m
CONFIG_CRYPTO_SHA1_SSSE3=m
CONFIG_CRYPTO_SHA256_SSSE3=m
CONFIG_CRYPTO_SHA512_SSSE3=m
CONFIG_CRYPTO_SHA1_MB=m
CONFIG_CRYPTO_SHA256=m
CONFIG_CRYPTO_SHA512=m
CONFIG_CRYPTO_TGR192=m
CONFIG_CRYPTO_WP512=m
CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_X86_64=m
CONFIG_CRYPTO_AES_NI_INTEL=m
CONFIG_CRYPTO_ANUBIS=m
CONFIG_CRYPTO_ARC4=m
CONFIG_CRYPTO_BLOWFISH=m
CONFIG_CRYPTO_BLOWFISH_COMMON=m
CONFIG_CRYPTO_BLOWFISH_X86_64=m
CONFIG_CRYPTO_CAMELLIA=m
CONFIG_CRYPTO_CAMELLIA_X86_64=m
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
CONFIG_CRYPTO_CAST_COMMON=m
CONFIG_CRYPTO_CAST5=m
CONFIG_CRYPTO_CAST5_AVX_X86_64=m
CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CAST6_AVX_X86_64=m
CONFIG_CRYPTO_DES=m
CONFIG_CRYPTO_DES3_EDE_X86_64=m
CONFIG_CRYPTO_FCRYPT=m
CONFIG_CRYPTO_KHAZAD=m
CONFIG_CRYPTO_SALSA20=m
CONFIG_CRYPTO_SALSA20_X86_64=m
CONFIG_CRYPTO_SEED=m
CONFIG_CRYPTO_SERPENT=m
CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
CONFIG_CRYPTO_TEA=m
CONFIG_CRYPTO_TWOFISH=m
CONFIG_CRYPTO_TWOFISH_COMMON=m
CONFIG_CRYPTO_TWOFISH_X86_64=m
CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m
CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
CONFIG_CRYPTO_DEFLATE=m
CONFIG_CRYPTO_ZLIB=m
CONFIG_CRYPTO_LZO=m
CONFIG_CRYPTO_LZ4=m
CONFIG_CRYPTO_LZ4HC=m
CONFIG_CRYPTO_ANSI_CPRNG=m
CONFIG_CRYPTO_DRBG_MENU=m
CONFIG_CRYPTO_DRBG_HMAC=y
# CONFIG_CRYPTO_DRBG_HASH is not set
# CONFIG_CRYPTO_DRBG_CTR is not set
CONFIG_CRYPTO_DRBG=m
CONFIG_CRYPTO_USER_API=m
CONFIG_CRYPTO_USER_API_HASH=m
CONFIG_CRYPTO_USER_API_SKCIPHER=m
CONFIG_CRYPTO_HASH_INFO=y
# CONFIG_CRYPTO_HW is not set


but when i try to use cryptsetup i get this:

# cryptsetup -c aes-xts:plain64 -y -s 256 luksFormat
/dev/mapper/VolGroup01-media2

WARNING!
========
This will overwrite data on /dev/mapper/VolGroup01-media2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
device-mapper: reload ioctl on failed: Invalid argument
Failed to setup dm-crypt key mapping for device
/dev/mapper/VolGroup01-media2.
Check that kernel supports aes-xts:plain64 cipher (check syslog for more
info).



Any ideas?

i built cryptsetup with this useflags:

nls openssl python udev urandom



cryptsetup --help shows me i am able to use the options

Default compiled-in device cipher parameters:
loop-AES: aes, Key 256 bits
plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing:
ripemd160
LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing:
sha1, RNG: /dev/random


any help / ideas or knowledge welcome.

best regards

marko





--
Re: cryptsetup wont use aes-xts:plain64
Hi Marko,

could you please paste the latest few lines of dmesg after trying to
create your volume?
And please paste the output of lsmod.

All your crypto-kernel-stuff are modules. Perhaps they're not loaded.
Check if corresponding modules are loaded.

Cheers
Ralf

On 04/18/2015 12:27 PM, Marko Weber | 8000 wrote:
>
> hello list,
>
> i try to crypt a partition with cryptsetup.
> Yes, in Kernel i had all need things i think.
>
> but when i try to use cryptsetup i get this:
>
> # cryptsetup -c aes-xts:plain64 -y -s 256 luksFormat
> /dev/mapper/VolGroup01-media2
>
> WARNING!
> ========
> This will overwrite data on /dev/mapper/VolGroup01-media2 irrevocably.
>
> Are you sure? (Type uppercase yes): YES
> Enter passphrase:
> Verify passphrase:
> device-mapper: reload ioctl on failed: Invalid argument
> Failed to setup dm-crypt key mapping for device
> /dev/mapper/VolGroup01-media2.
> Check that kernel supports aes-xts:plain64 cipher (check syslog for
> more info).
>
>
>
> Any ideas?
>
> i built cryptsetup with this useflags:
>
> nls openssl python udev urandom
>
>
>
> cryptsetup --help shows me i am able to use the options
>
> Default compiled-in device cipher parameters:
> loop-AES: aes, Key 256 bits
> plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing:
> ripemd160
> LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing:
> sha1, RNG: /dev/random
>
>
> any help / ideas or knowledge welcome.
>
> best regards
>
> marko
>
>
>
>
>
Re: cryptsetup wont use aes-xts:plain64
Am 18.04.2015 um 12:27 schrieb Marko Weber | 8000:

> i try to crypt a partition with cryptsetup.
> Yes, in Kernel i had all need things i think.

No, you haven't.

You need to make those changes:
> CONFIG_CRYPTO_XTS=m
CONFIG_CRYPTO_XTS=y
> CONFIG_CRYPTO_AES_X86_64=m
CONFIG_CRYPTO_AES_X86_64=y
> CONFIG_CRYPTO_AES_NI_INTEL=m
CONFIG_CRYPTO_AES_NI_INTEL=y (only if you have an Intel CPU)

You have to compile the modules which are necessary for the encryption
method you're using directly into the kernel, not as a module, because
the kernel needs them directly at boot time.

> but when i try to use cryptsetup i get this:
>
> # cryptsetup -c aes-xts:plain64 -y -s 256 luksFormat
> /dev/mapper/VolGroup01-media2

The correct command is:

# cryptsetup -s 256 -y -c aes-xts-plain64 luksFormat
/dev/mapper/VolGroup01-media2

Maybe you should consider those parameters:
-s 512 (for a longer key)
-h sha512 (otherwise sha1 will get used for the password hash)
--use-random (manpage says: "Using /dev/urandom can lead to weak keys.")
Re: cryptsetup wont use aes-xts:plain64
On 04/18/2015 02:07 PM, Heiko Baums wrote:
> You have to compile the modules which are necessary for the encryption
> method you're using directly into the kernel, not as a module, because
> the kernel needs them directly at boot time.
No. Could you please explain why you think so?
Even if your root partition is encrypted, your ramdisk could load the
modules.

After loading the modules you can see that they are available by cat
/proc/crypto.

The modules can be loaded _after_ bootup as well.

Cheers
Ralf
Re: cryptsetup wont use aes-xts:plain64
Am 18.04.2015 um 12:27 schrieb Marko Weber | 8000:

> i try to crypt a partition with cryptsetup.
> Yes, in Kernel i had all need things i think.

Depending on the password hash you're using (parameter -h) you need to
make the appropriate changes here, too:

> CONFIG_CRYPTO_SHA1=m
CONFIG_CRYPTO_SHA1=y
> CONFIG_CRYPTO_SHA1_SSSE3=m
CONFIG_CRYPTO_SHA1_SSSE3=y
> CONFIG_CRYPTO_SHA256_SSSE3=m
CONFIG_CRYPTO_SHA256_SSSE3=y
> CONFIG_CRYPTO_SHA512_SSSE3=m
CONFIG_CRYPTO_SHA512_SSSE3=y
> CONFIG_CRYPTO_SHA1_MB=m
CONFIG_CRYPTO_SHA1_MB=y
> CONFIG_CRYPTO_SHA256=m
CONFIG_CRYPTO_SHA256=y
> CONFIG_CRYPTO_SHA512=m
CONFIG_CRYPTO_SHA512=y
Re: cryptsetup wont use aes-xts:plain64
Am 18.04.2015 um 14:12 schrieb Ralf:

> No. Could you please explain why you think so?
> Even if your root partition is encrypted, your ramdisk could load the
> modules.

Are you sure about that? Are you sure that the necessary modules are
definitely put into the initrd and that the kernel will be able to load
them soon enough at boot time?

Compiling those modules into the kernel is definitely more secure (in
terms of being sure that they are always available) and doesn't do any
harm, because they need to be loaded anyway.

Btw., several dm-crypt/LUKS documentation (all that I've read) say that
those modules have to be compiled into the kernel directly.

> After loading the modules you can see that they are available by cat
> /proc/crypto.

You won't be able to run this command when the kernel tries to unlock
the LUKS container at boot time.

> The modules can be loaded _after_ bootup as well.

If you want to unlock the LUKS container at boot time (particularly if
your root partition is encrypted), loading the modules after bootup is
too late.

So I wouldn't risk it.
Re: cryptsetup wont use aes-xts:plain64
Hi,

@Marko
tl;dr: it's going a bit offtopic.
Marko, try to hardcompile those modules into your kernel.
This should be the simplest fix of your problem.

On 04/18/2015 02:44 PM, Heiko Baums wrote:
> Am 18.04.2015 um 14:12 schrieb Ralf:
>
>> No. Could you please explain why you think so?
>> Even if your root partition is encrypted, your ramdisk could load the
>> modules.
> Are you sure about that? Are you sure that the necessary modules are
> definitely put into the initrd and that the kernel will be able to load
> them soon enough at boot time?
I double checked it and now I am sure:

For reasons of comfortability I inspected a standard Arch-Linux
installation.
It supports rootfs encryption and xts is loaded in the initrd as module.
So it is possible to treat it as a module.

Besides that: Why should your kernel config allow you to compile it as
module if it isn't useable as module?
>
> Compiling those modules into the kernel is definitely more secure (in
> terms of being sure that they are always available) and doesn't do any
> harm, because they need to be loaded anyway.
Yes for a homebrew kernel, i can second that.
>
> Btw., several dm-crypt/LUKS documentation (all that I've read) say that
> those modules have to be compiled into the kernel directly.
>
>> After loading the modules you can see that they are available by cat
>> /proc/crypto.
> You won't be able to run this command when the kernel tries to unlock
> the LUKS container at boot time.
No, but it is accessible when creating your LUKS volume, and that's
Marko's problem at the moment.
>
>> The modules can be loaded _after_ bootup as well.
> If you want to unlock the LUKS container at boot time (particularly if
> your root partition is encrypted), loading the modules after bootup is
> too late.
Loading those modules during the early bootup phase in your initrd is
actually not too late.

Ah, and for completeness sake:
Grub2 is able to speak LUKS. So your kernel and initrd may be inside an
encrypted volume.

>
> So I wouldn't risk it.
Neither do I.

Cheers
Ralf
Re: cryptsetup wont use aes-xts:plain64
Am 18.04.2015 um 12:27 schrieb Marko Weber | 8000:

> i try to crypt a partition with cryptsetup.
> Yes, in Kernel i had all need things i think.

Sorry, but I forgot some more kernel modules you need:

CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y

You didn't mention them, so I don't know if you have them already built
into your kernel.
Re: cryptsetup wont use aes-xts:plain64
On Saturday, April 18, 2015 12:27:15 PM Marko Weber | 8000 wrote:
>
> hello list,
>
> i try to crypt a partition with cryptsetup.
> Yes, in Kernel i had all need things i think.
>
> but when i try to use cryptsetup i get this:
>
> # cryptsetup -c aes-xts:plain64 -y -s 256 luksFormat
> /dev/mapper/VolGroup01-media2
>
> WARNING!
> ========
> This will overwrite data on /dev/mapper/VolGroup01-media2 irrevocably.
>
> Are you sure? (Type uppercase yes): YES
> Enter passphrase:
> Verify passphrase:
> device-mapper: reload ioctl on failed: Invalid argument
> Failed to setup dm-crypt key mapping for device
> /dev/mapper/VolGroup01-media2.
> Check that kernel supports aes-xts:plain64 cipher (check syslog for more
> info).
>
>
>
> Any ideas?
>
> i built cryptsetup with this useflags:
>
> nls openssl python udev urandom
>
>
>
> cryptsetup --help shows me i am able to use the options
>
> Default compiled-in device cipher parameters:
> loop-AES: aes, Key 256 bits
> plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing:
> ripemd160
> LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing:
> sha1, RNG: /dev/random
>
>
> any help / ideas or knowledge welcome.
>
> best regards
>
> marko

That message is incorrectly shown if something's wrong with the way you
specified the cipher and key size. It threw me off for a while too. This is what
I ended up using:

cryptsetup -i 30000 -c twofish-xts-essiv:sha256 -s 512 -h sha512 luksFormat
file.img

I don't remember where I was getting it wrong, I think I was using -s 256 but
xts uses half the key for every other block so the key needs to be twice the
size. I found a site with a table that lists what you can use with which
options but unfortunately I can't find it now. So try using -s 512 (since
cryptsetup is telling you that you can use a 256 bit key).


--
Fernando Rodriguez
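
Added example, not part of any post in this thread: a small POSIX shell check covering three points raised above, namely the cipher string form (aes-xts-plain64 versus aes-xts:plain64), the key size passed to -s for XTS, and whether the algorithm is listed in /proc/crypto. It assumes the dm-crypt spec layout cipher[:keycount]-chainmode-ivmode[:ivopts]; the function names and the sample /proc/crypto text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Names and sample data are constructed.
# Assumed spec layout: cipher[:keycount]-chainmode-ivmode[:ivopts]

# Print "cipher chainmode ivmode" for SPEC. Fails when the IV mode field is
# missing for any chain mode other than ecb, e.g. "aes-xts:plain64", where
# the ":" leaves only two dash-separated fields.
split_spec() (
    set -f                       # no globbing while word-splitting
    IFS=-
    set -- $1
    cipher=${1-} chainmode=${2-} ivmode=${3-}
    cipher=${cipher%%:*}         # strip optional :keycount
    ivmode=${ivmode%%:*}         # strip optional :ivopts
    [ -n "$cipher" ] && [ -n "$chainmode" ] || return 1
    if [ -z "$ivmode" ] && [ "$chainmode" != ecb ]; then
        return 1
    fi
    echo "$cipher $chainmode ${ivmode:-none}"
)

# XTS packs two equal-length keys (data key and tweak key) into the one key
# given with -s, so the block cipher itself sees half of KEYBITS.
xts_effective_bits() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ $(( $1 % 2 )) -eq 0 ] || return 1
    echo $(( $1 / 2 ))
}

# True if ALG (kernel crypto API name, e.g. "xts(aes)") has a "name" entry in
# a /proc/crypto-format FILE. A missing entry only means the algorithm is not
# registered right now; its module may simply not be loaded yet.
is_registered() {
    awk -v want="$1" '$1 == "name" && $3 == want { found = 1 }
                      END { exit !found }' "$2"
}

# diagnose SPEC KEYBITS PROCFILE
# Prints one verdict: bad-spec | bad-keysize | not-registered | ok
diagnose() (
    spec=$1 bits=$2 procfile=$3
    fields=$(split_spec "$spec") || { echo bad-spec; return 0; }
    cipher=${fields%% *}
    rest=${fields#* }
    chainmode=${rest%% *}
    if [ "$chainmode" = xts ]; then
        half=$(xts_effective_bits "$bits") || { echo bad-keysize; return 0; }
        if [ "$cipher" = aes ]; then
            # AES key lengths are 128, 192 or 256 bits
            case $half in 128|192|256) ;; *) echo bad-keysize; return 0 ;; esac
        fi
    fi
    if is_registered "${chainmode}(${cipher})" "$procfile"; then
        echo ok
    else
        echo not-registered
    fi
)

# Constructed sample in /proc/crypto format; on a live system pass
# /proc/crypto itself as the third argument to diagnose.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
name         : xts(aes)
driver       : xts(aes-generic)
module       : kernel

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel

name         : aes
driver       : aes-generic
module       : kernel
EOF

for c in "aes-xts:plain64 256" "aes-xts:plain64 512" \
         "aes-xts-plain64 256" "aes-xts-plain64 512" \
         "aes-xts-plain64 300" "twofish-xts-essiv:sha256 512"; do
    set -- $c
    printf '%-26s -s %-4s -> %s\n' "$1" "$2" "$(diagnose "$1" "$2" "$SAMPLE")"
done
```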
Re: cryptsetup wont use aes-xts:plain64
On Saturday, April 18, 2015 9:35:27 PM Fernando Rodriguez wrote:
> On Saturday, April 18, 2015 12:27:15 PM Marko Weber | 8000 wrote:
> >
> > hello list,
> >
> > i try to crypt a partition with cryptsetup.
> > Yes, in Kernel i had all need things i think.
> >
> > but when i try to use cryptsetup i get this:
> >
> > # cryptsetup -c aes-xts:plain64 -y -s 256 luksFormat
> > /dev/mapper/VolGroup01-media2
> >
> > WARNING!
> > ========
> > This will overwrite data on /dev/mapper/VolGroup01-media2 irrevocably.
> >
> > Are you sure? (Type uppercase yes): YES
> > Enter passphrase:
> > Verify passphrase:
> > device-mapper: reload ioctl on failed: Invalid argument
> > Failed to setup dm-crypt key mapping for device
> > /dev/mapper/VolGroup01-media2.
> > Check that kernel supports aes-xts:plain64 cipher (check syslog for more
> > info).
> >
> >
> >
> > Any ideas?
> >
> > i built cryptsetup with this useflags:
> >
> > nls openssl python udev urandom
> >
> >
> >
> > cryptsetup --help shows me i am able to use the options
> >
> > Default compiled-in device cipher parameters:
> > loop-AES: aes, Key 256 bits
> > plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing:
> > ripemd160
> > LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing:
> > sha1, RNG: /dev/random
> >
> >
> > any help / ideas or knowledge welcome.
> >
> > best regards
> >
> > marko
>
> That message is incorrectly shown if something's wrong with the way you
> specified the cipher and key size. It threw me off for a while too. This is what
> I ended up using:
>
> cryptsetup -i 30000 -c twofish-xts-essiv:sha256 -s 512 -h sha512 luksFormat
> file.img
>
> I don't remember where I was getting it wrong, I think I was using -s 256 but
> xts uses half the key for every other block so the key needs to be twice the
> size. I found a site with a table that list what you can use with which
> options but unfortunately I can't find it now. So try using -s 512 (since
> cryptsetup is telling you that you can use a 256 bit key).

btw. it's not telling you that you can use those. It's telling you that those
are the compiled-in defaults (what it will select for you if you don't specify
anything). It shows the same for me and I'm not using either.

--
Fernando Rodriguez
Re: cryptsetup wont use aes-xts:plain64
hi Heiko,

Am 2015-04-18 17:41, schrieb Heiko Baums:
> Am 18.04.2015 um 12:27 schrieb Marko Weber | 8000:
>
>> i try to crypt a partition with cryptsetup.
>> Yes, in Kernel i had all need things i think.
>
> Sorry, but I forgot some more kernel modules you need:
>
> CONFIG_BLK_DEV_DM=y
> CONFIG_DM_CRYPT=y
>
> You didn't mention them, so I don't know if you have them already built
> into your kernel.

i have them in config. with y

marko
Re: cryptsetup wont use aes-xts:plain64
hi fernando,

Am 2015-04-19 03:35, schrieb Fernando Rodriguez:
> On Saturday, April 18, 2015 12:27:15 PM Marko Weber | 8000 wrote:
>>
>> hello list,
>>
>> i try to crypt a partition with cryptsetup.
>> Yes, in Kernel i had all need things i think.
>>
>> but when i try to use cryptsetup i get this:
>>
>> # cryptsetup -c aes-xts:plain64 -y -s 256 luksFormat
>> /dev/mapper/VolGroup01-media2
>>
>> WARNING!
>> ========
>> This will overwrite data on /dev/mapper/VolGroup01-media2 irrevocably.
>> Are you sure? (Type uppercase yes): YES
>> Enter passphrase:
>> Verify passphrase:
>> device-mapper: reload ioctl on failed: Invalid argument
>> Failed to setup dm-crypt key mapping for device
>> /dev/mapper/VolGroup01-media2.
>> Check that kernel supports aes-xts:plain64 cipher (check syslog for
>> more
>> info).
>>
>>
>>
>> Any ideas?
>>
>> i built cryptsetup with this useflags:
>>
>> nls openssl python udev urandom
>>
>>
>>
>> cryptsetup --help shows me i am able to use the options
>>
>> Default compiled-in device cipher parameters:
>> loop-AES: aes, Key 256 bits
>> plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing:
>> ripemd160
>> LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing:
>> sha1, RNG: /dev/random
>>
>>
>> any help / ideas or knowledge welcome.
>>
>> best regards
>>
>> marko
>
> That message is incorrectly shown if something's wrong with the way you
> specified the cipher and key size. It threw me off for a while too.
> This is what
> I ended up using:
>
> cryptsetup -i 30000 -c twofish-xts-essiv:sha256 -s 512 -h sha512
> luksFormat
> file.img
>
> I don't remember where I was getting it wrong, I think I was using -s
> 256 but
> xts uses half the key for every other block so the key needs to be
> twice the
> size. I found a site with a table that list what you can use with which
> options but unfortunately I can't find it now. So try using -s 512
> (since
> cryptsetup is telling you that you can use a 256 bit key).

also with keysize 512 i get:

# cryptsetup -c aes-xts:plain64 -y -s 512 luksFormat
/dev/mapper/VolGroup01-media2

WARNING!
========
This will overwrite data on /dev/mapper/VolGroup01-media2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
device-mapper: reload ioctl on failed: Invalid argument
Failed to setup dm-crypt key mapping for device
/dev/mapper/VolGroup01-media2.
Check that kernel supports aes-xts:plain64 cipher (check syslog for more
info).


NOW; i have all crypto thingies in Kernel and not as modules.
Still not working
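The check this thread keeps circling, as an added example (not part of any post and not cryptsetup's own code): it parses `/proc/crypto`-style text and tests a cipher spec and key size against it, assuming dm-crypt's `cipher[:keycount]-chainmode-ivmode[:ivopts]` spec format. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample in /proc/crypto format; the key-size limits for
# xts(aes), cbc(aes) and aes mirror the entries quoted in this thread.
SAMPLE_PROC_CRYPTO = """\
name         : xts(aes)
driver       : xts-aes-aesni
type         : ablkcipher
min keysize  : 32
max keysize  : 64

name         : cbc(aes)
driver       : cbc-aes-aesni
type         : ablkcipher
min keysize  : 16
max keysize  : 32

name         : aes
driver       : aes-aesni
type         : cipher
min keysize  : 16
max keysize  : 32
"""


def parse_proc_crypto(text):
    """Return {algorithm name: [entry dicts]}; entries are blank-line separated."""
    algs = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        if "name" in entry:
            algs.setdefault(entry["name"], []).append(entry)
    return algs


def split_spec(spec):
    """Split 'cipher[:keycount]-chainmode-ivmode[:ivopts]' on its dashes."""
    parts = spec.split("-", 2)
    cipher = parts[0].split(":", 1)[0]          # drop optional :keycount
    chainmode = parts[1] if len(parts) > 1 else None
    ivmode = parts[2] if len(parts) > 2 else None
    return cipher, chainmode, ivmode


def check_spec(spec, key_bits, algs):
    """Return (status, detail) for a cipher spec and key size in bits."""
    cipher, chainmode, _ivmode = split_spec(spec)
    if chainmode is None:
        return "bad-spec", "no chaining mode given"
    # A ':' is only valid before IV options, which come after a second dash.
    if not re.fullmatch(r"[a-z0-9_]+", chainmode):
        return "bad-spec", f"chaining mode parsed as '{chainmode}'"
    if key_bits % 8:
        return "bad-keysize", "key size must be a whole number of bytes"
    name = f"{chainmode}({cipher})"             # crypto API name, e.g. xts(aes)
    entries = algs.get(name)
    if not entries:
        # Inconclusive: templates can be instantiated on first use, so an
        # absent name does not prove the kernel lacks support.
        return "not-registered", f"{name} is not listed"
    key_bytes = key_bits // 8
    for e in entries:
        lo, hi = int(e.get("min keysize", -1)), int(e.get("max keysize", -1))
        if lo <= key_bytes <= hi:
            detail = f"{name} via {e.get('driver')}"
            if chainmode == "xts":
                # XTS splits the supplied key into two equal halves.
                detail += f", two {key_bits // 2}-bit halves"
            return "ok", detail
    return "bad-keysize", f"{key_bytes} bytes is outside the limits for {name}"


if __name__ == "__main__":
    algs = parse_proc_crypto(SAMPLE_PROC_CRYPTO)
    for spec, bits in [("aes-xts-plain64", 256), ("aes-xts-plain64", 512),
                       ("aes-xts:plain64", 512), ("aes-xts-plain64", 128)]:
        print(spec, bits, check_spec(spec, bits, algs))
```

To run it against a live system, pass the contents of `/proc/crypto` to `parse_proc_crypto` instead of the sample.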
Re: cryptsetup wont use aes-xts:plain64 [ In reply to ]
On 2015-04-18 12:27, Marko Weber | 8000 wrote:
> hello list,
>
> i try to crypt a partition with cryptsetup.
> Yes, in Kernel i had all need things i think.
>
> CONFIG_CRYPTO=y
> CONFIG_CRYPTO_ALGAPI=y
> CONFIG_CRYPTO_ALGAPI2=y
> CONFIG_CRYPTO_AEAD=m
> CONFIG_CRYPTO_AEAD2=y
> CONFIG_CRYPTO_BLKCIPHER=y
> CONFIG_CRYPTO_BLKCIPHER2=y
> CONFIG_CRYPTO_HASH=y
> CONFIG_CRYPTO_HASH2=y
> CONFIG_CRYPTO_RNG=m
> CONFIG_CRYPTO_RNG2=y
> CONFIG_CRYPTO_PCOMP=m
> CONFIG_CRYPTO_PCOMP2=y
> CONFIG_CRYPTO_MANAGER=y
> CONFIG_CRYPTO_MANAGER2=y
> CONFIG_CRYPTO_USER=m
> # CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
> CONFIG_CRYPTO_GF128MUL=m
> CONFIG_CRYPTO_NULL=m
> CONFIG_CRYPTO_PCRYPT=m
> CONFIG_CRYPTO_WORKQUEUE=y
> CONFIG_CRYPTO_CRYPTD=m
> CONFIG_CRYPTO_MCRYPTD=m
> CONFIG_CRYPTO_AUTHENC=m
> CONFIG_CRYPTO_TEST=m
> CONFIG_CRYPTO_ABLK_HELPER=m
> CONFIG_CRYPTO_GLUE_HELPER_X86=m
> CONFIG_CRYPTO_CCM=m
> CONFIG_CRYPTO_GCM=m
> CONFIG_CRYPTO_SEQIV=m
> CONFIG_CRYPTO_CBC=y
> CONFIG_CRYPTO_CTR=m
> CONFIG_CRYPTO_CTS=m
> CONFIG_CRYPTO_ECB=m
> CONFIG_CRYPTO_LRW=m
> CONFIG_CRYPTO_PCBC=m
> CONFIG_CRYPTO_XTS=m
> CONFIG_CRYPTO_CMAC=m
> CONFIG_CRYPTO_HMAC=m
> CONFIG_CRYPTO_XCBC=m
> CONFIG_CRYPTO_VMAC=m
> CONFIG_CRYPTO_CRC32C=y
> CONFIG_CRYPTO_CRC32C_INTEL=m
> CONFIG_CRYPTO_CRC32=m
> CONFIG_CRYPTO_CRC32_PCLMUL=m
> CONFIG_CRYPTO_CRCT10DIF=y
> CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
> CONFIG_CRYPTO_GHASH=m
> CONFIG_CRYPTO_MD4=m
> CONFIG_CRYPTO_MD5=y
> CONFIG_CRYPTO_MICHAEL_MIC=m
> CONFIG_CRYPTO_RMD128=m
> CONFIG_CRYPTO_RMD160=m
> CONFIG_CRYPTO_RMD256=m
> CONFIG_CRYPTO_RMD320=m
> CONFIG_CRYPTO_SHA1=m
> CONFIG_CRYPTO_SHA1_SSSE3=m
> CONFIG_CRYPTO_SHA256_SSSE3=m
> CONFIG_CRYPTO_SHA512_SSSE3=m
> CONFIG_CRYPTO_SHA1_MB=m
> CONFIG_CRYPTO_SHA256=m
> CONFIG_CRYPTO_SHA512=m
> CONFIG_CRYPTO_TGR192=m
> CONFIG_CRYPTO_WP512=m
> CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
> CONFIG_CRYPTO_AES=y
> CONFIG_CRYPTO_AES_X86_64=m
> CONFIG_CRYPTO_AES_NI_INTEL=m
> CONFIG_CRYPTO_ANUBIS=m
> CONFIG_CRYPTO_ARC4=m
> CONFIG_CRYPTO_BLOWFISH=m
> CONFIG_CRYPTO_BLOWFISH_COMMON=m
> CONFIG_CRYPTO_BLOWFISH_X86_64=m
> CONFIG_CRYPTO_CAMELLIA=m
> CONFIG_CRYPTO_CAMELLIA_X86_64=m
> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
> CONFIG_CRYPTO_CAST_COMMON=m
> CONFIG_CRYPTO_CAST5=m
> CONFIG_CRYPTO_CAST5_AVX_X86_64=m
> CONFIG_CRYPTO_CAST6=m
> CONFIG_CRYPTO_CAST6_AVX_X86_64=m
> CONFIG_CRYPTO_DES=m
> CONFIG_CRYPTO_DES3_EDE_X86_64=m
> CONFIG_CRYPTO_FCRYPT=m
> CONFIG_CRYPTO_KHAZAD=m
> CONFIG_CRYPTO_SALSA20=m
> CONFIG_CRYPTO_SALSA20_X86_64=m
> CONFIG_CRYPTO_SEED=m
> CONFIG_CRYPTO_SERPENT=m
> CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
> CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
> CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
> CONFIG_CRYPTO_TEA=m
> CONFIG_CRYPTO_TWOFISH=m
> CONFIG_CRYPTO_TWOFISH_COMMON=m
> CONFIG_CRYPTO_TWOFISH_X86_64=m
> CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m
> CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
> CONFIG_CRYPTO_DEFLATE=m
> CONFIG_CRYPTO_ZLIB=m
> CONFIG_CRYPTO_LZO=m
> CONFIG_CRYPTO_LZ4=m
> CONFIG_CRYPTO_LZ4HC=m
> CONFIG_CRYPTO_ANSI_CPRNG=m
> CONFIG_CRYPTO_DRBG_MENU=m
> CONFIG_CRYPTO_DRBG_HMAC=y
> # CONFIG_CRYPTO_DRBG_HASH is not set
> # CONFIG_CRYPTO_DRBG_CTR is not set
> CONFIG_CRYPTO_DRBG=m
> CONFIG_CRYPTO_USER_API=m
> CONFIG_CRYPTO_USER_API_HASH=m
> CONFIG_CRYPTO_USER_API_SKCIPHER=m
> CONFIG_CRYPTO_HASH_INFO=y
> # CONFIG_CRYPTO_HW is not set
>
>
> but when i try to use cryptsetup i get this:
>
> # cryptsetup -c aes-xts:plain64 -y -s 256 luksFormat
> /dev/mapper/VolGroup01-media2
>
> WARNING!
> ========
> This will overwrite data on /dev/mapper/VolGroup01-media2 irrevocably.
>
> Are you sure? (Type uppercase yes): YES
> Enter passphrase:
> Verify passphrase:
> device-mapper: reload ioctl on failed: Invalid argument
> Failed to setup dm-crypt key mapping for device
> /dev/mapper/VolGroup01-media2.
> Check that kernel supports aes-xts:plain64 cipher (check syslog for
> more info).
>
>
>
> Any ideas?
>
> i built cryptsetup with this useflags:
>
> nls openssl python udev urandom
>
>
>
> cryptsetup --help shows me i am able to use the options
>
> Default compiled-in device cipher parameters:
> loop-AES: aes, Key 256 bits
> plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing:
> ripemd160
> LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing:
> sha1, RNG: /dev/random
>
>
> any help / ideas or knowledge welcome.
>
> best regards
>
> marko

Ok, now i have built into Kernel.

Also

CONFIG_BLK_DEV_DM_BUILTIN=y
CONFIG_BLK_DEV_DM=y

i set.


Here is output of /proc/crypto =

# cat /proc/crypto
name : ghash
driver : ghash-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : shash
blocksize : 16
digestsize : 16

name : stdrng
driver : drbg_nopr_hmac_sha256
module : kernel
priority : 107
refcnt : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver : drbg_nopr_hmac_sha512
module : kernel
priority : 106
refcnt : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver : drbg_nopr_hmac_sha384
module : kernel
priority : 105
refcnt : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver : drbg_nopr_hmac_sha1
module : kernel
priority : 104
refcnt : 1
selftest : passed
type : rng
seedsize : 0

name : hmac(sha256)
driver : hmac(sha256-ssse3)
module : kernel
priority : 150
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 32

name : stdrng
driver : drbg_pr_hmac_sha256
module : kernel
priority : 103
refcnt : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver : drbg_pr_hmac_sha512
module : kernel
priority : 102
refcnt : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver : drbg_pr_hmac_sha384
module : kernel
priority : 101
refcnt : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver : drbg_pr_hmac_sha1
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver : ansi_cprng
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : rng
seedsize : 48

name : stdrng
driver : krng
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : rng
seedsize : 0

name : lz4hc
driver : lz4hc-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : compression

name : lz4
driver : lz4-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : compression

name : lzo
driver : lzo-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : compression

name : crct10dif
driver : crct10dif-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : shash
blocksize : 1
digestsize : 2

name : crc32
driver : crc32-table
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : shash
blocksize : 1
digestsize : 4

name : crc32c
driver : crc32c-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : shash
blocksize : 1
digestsize : 4

name : michael_mic
driver : michael_mic-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 8
digestsize : 8

name : zlib
driver : zlib-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : pcomp

name : deflate
driver : deflate-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : compression

name : salsa20
driver : salsa20-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 16
max keysize : 32
ivsize : 8
geniv : <default>

name : seed
driver : seed-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 16

name : anubis
driver : anubis-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 40

name : khazad
driver : khazad-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 16
max keysize : 16

name : xeta
driver : xeta-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 16
max keysize : 16

name : xtea
driver : xtea-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 16
max keysize : 16

name : tea
driver : tea-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 16
max keysize : 16

name : ecb(arc4)
driver : ecb(arc4)-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 1
max keysize : 256
ivsize : 0
geniv : <default>

name : arc4
driver : arc4-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 1
min keysize : 1
max keysize : 256

name : cast6
driver : cast6-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32

name : cast5
driver : cast5-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 5
max keysize : 16

name : camellia
driver : camellia-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32

name : aes
driver : aes-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32

name : tnepres
driver : tnepres-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 0
max keysize : 32

name : serpent
driver : serpent-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 0
max keysize : 32

name : twofish
driver : twofish-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32

name : blowfish
driver : blowfish-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 4
max keysize : 56

name : fcrypt
driver : fcrypt-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 8
max keysize : 8

name : des3_ede
driver : des3_ede-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 24
max keysize : 24

name : des
driver : des-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 8
max keysize : 8

name : tgr128
driver : tgr128-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 16

name : tgr160
driver : tgr160-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 20

name : tgr192
driver : tgr192-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 24

name : wp256
driver : wp256-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 32

name : wp384
driver : wp384-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 48

name : wp512
driver : wp512-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 64

name : sha384
driver : sha384-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 128
digestsize : 48

name : sha512
driver : sha512-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 128
digestsize : 64

name : sha224
driver : sha224-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 28

name : sha256
driver : sha256-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 32

name : sha1
driver : sha1-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 20

name : rmd320
driver : rmd320-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 40

name : rmd256
driver : rmd256-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 32

name : rmd160
driver : rmd160-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 20

name : rmd128
driver : rmd128-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 16

name : md5
driver : md5-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 16

name : md4
driver : md4-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 16

name : digest_null
driver : digest_null-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 1
digestsize : 0

name : compress_null
driver : compress_null-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : compression

name : ecb(cipher_null)
driver : ecb-cipher_null
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 0
max keysize : 0
ivsize : 0
geniv : <default>

name : cipher_null
driver : cipher_null-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 1
min keysize : 0
max keysize : 0

name : xts(serpent)
driver : xts-serpent-avx
module : kernel
priority : 500
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 0
max keysize : 64
ivsize : 16
geniv : <default>

name : lrw(serpent)
driver : lrw-serpent-avx
module : kernel
priority : 500
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 48
ivsize : 16
geniv : <default>

name : ctr(serpent)
driver : ctr-serpent-avx
module : kernel
priority : 500
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 1
min keysize : 0
max keysize : 32
ivsize : 16
geniv : chainiv

name : cbc(serpent)
driver : cbc-serpent-avx
module : kernel
priority : 500
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 0
max keysize : 32
ivsize : 16
geniv : <default>

name : __ecb-serpent-avx
driver : cryptd(__driver-ecb-serpent-avx)
module : kernel
priority : 50
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 0
max keysize : 32
ivsize : 0
geniv : <default>

name : ecb(serpent)
driver : ecb-serpent-avx
module : kernel
priority : 500
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 0
max keysize : 32
ivsize : 0
geniv : <default>

name : __xts-serpent-avx
driver : __driver-xts-serpent-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 0
max keysize : 64
ivsize : 16
geniv : <default>

name : __lrw-serpent-avx
driver : __driver-lrw-serpent-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 48
ivsize : 16
geniv : <default>

name : __ctr-serpent-avx
driver : __driver-ctr-serpent-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 0
max keysize : 32
ivsize : 16
geniv : <default>

name : __cbc-serpent-avx
driver : __driver-cbc-serpent-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 0
max keysize : 32
ivsize : 0
geniv : <default>

name : __ecb-serpent-avx
driver : __driver-ecb-serpent-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 0
max keysize : 32
ivsize : 0
geniv : <default>

name : xts(twofish)
driver : xts-twofish-avx
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 32
max keysize : 64
ivsize : 16
geniv : <default>

name : lrw(twofish)
driver : lrw-twofish-avx
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 32
max keysize : 48
ivsize : 16
geniv : <default>

name : ctr(twofish)
driver : ctr-twofish-avx
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 1
min keysize : 16
max keysize : 32
ivsize : 16
geniv : chainiv

name : cbc(twofish)
driver : cbc-twofish-avx
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>

name : __ecb-twofish-avx
driver : cryptd(__driver-ecb-twofish-avx)
module : kernel
priority : 50
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : ecb(twofish)
driver : ecb-twofish-avx
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : __xts-twofish-avx
driver : __driver-xts-twofish-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 32
max keysize : 64
ivsize : 16
geniv : <default>

name : __lrw-twofish-avx
driver : __driver-lrw-twofish-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 32
max keysize : 48
ivsize : 16
geniv : <default>

name : __ctr-twofish-avx
driver : __driver-ctr-twofish-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>

name : __cbc-twofish-avx
driver : __driver-cbc-twofish-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : __ecb-twofish-avx
driver : __driver-ecb-twofish-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : xts(cast6)
driver : xts-cast6-avx
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 32
max keysize : 64
ivsize : 16
geniv : <default>

name : lrw(cast6)
driver : lrw-cast6-avx
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 32
max keysize : 48
ivsize : 16
geniv : <default>

name : ctr(cast6)
driver : ctr-cast6-avx
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 1
min keysize : 16
max keysize : 32
ivsize : 16
geniv : chainiv

name : cbc(cast6)
driver : cbc-cast6-avx
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>

name : __ecb-cast6-avx
driver : cryptd(__driver-ecb-cast6-avx)
module : kernel
priority : 50
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : ecb(cast6)
driver : ecb-cast6-avx
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : __xts-cast6-avx
driver : __driver-xts-cast6-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 32
max keysize : 64
ivsize : 16
geniv : <default>

name : __lrw-cast6-avx
driver : __driver-lrw-cast6-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 32
max keysize : 48
ivsize : 16
geniv : <default>

name : __ctr-cast6-avx
driver : __driver-ctr-cast6-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>

name : __cbc-cast6-avx
driver : __driver-cbc-cast6-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : __ecb-cast6-avx
driver : __driver-ecb-cast6-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : ctr(cast5)
driver : ctr-cast5-avx
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 1
min keysize : 5
max keysize : 16
ivsize : 8
geniv : chainiv

name : cbc(cast5)
driver : cbc-cast5-avx
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 8
min keysize : 5
max keysize : 16
ivsize : 8
geniv : <default>

name : __ecb-cast5-avx
driver : cryptd(__driver-ecb-cast5-avx)
module : kernel
priority : 50
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 8
min keysize : 5
max keysize : 16
ivsize : 0
geniv : <default>

name : ecb(cast5)
driver : ecb-cast5-avx
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 8
min keysize : 5
max keysize : 16
ivsize : 0
geniv : <default>

name : __ctr-cast5-avx
driver : __driver-ctr-cast5-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 5
max keysize : 16
ivsize : 8
geniv : <default>

name : __cbc-cast5-avx
driver : __driver-cbc-cast5-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 8
min keysize : 5
max keysize : 16
ivsize : 0
geniv : <default>

name : __ecb-cast5-avx
driver : __driver-ecb-cast5-avx
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 8
min keysize : 5
max keysize : 16
ivsize : 0
geniv : <default>

name : xts(camellia)
driver : xts-camellia-aesni
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 32
max keysize : 64
ivsize : 16
geniv : <default>

name : lrw(camellia)
driver : lrw-camellia-aesni
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 32
max keysize : 48
ivsize : 16
geniv : <default>

name : ctr(camellia)
driver : ctr-camellia-aesni
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 1
min keysize : 16
max keysize : 32
ivsize : 16
geniv : chainiv

name : cbc(camellia)
driver : cbc-camellia-aesni
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>

name : __ecb-camellia-aesni
driver : cryptd(__driver-ecb-camellia-aesni)
module : kernel
priority : 50
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : ecb(camellia)
driver : ecb-camellia-aesni
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : __xts-camellia-aesni
driver : __driver-xts-camellia-aesni
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 32
max keysize : 64
ivsize : 16
geniv : <default>

name : __lrw-camellia-aesni
driver : __driver-lrw-camellia-aesni
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 32
max keysize : 48
ivsize : 16
geniv : <default>

name : __ctr-camellia-aesni
driver : __driver-ctr-camellia-aesni
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>

name : __cbc-camellia-aesni
driver : __driver-cbc-camellia-aesni
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : __ecb-camellia-aesni
driver : __driver-ecb-camellia-aesni
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : crct10dif
driver : crct10dif-pclmul
module : kernel
priority : 200
refcnt : 2
selftest : passed
type : shash
blocksize : 1
digestsize : 2

name : sha384
driver : sha384-ssse3
module : kernel
priority : 150
refcnt : 1
selftest : passed
type : shash
blocksize : 128
digestsize : 48

name : sha512
driver : sha512-ssse3
module : kernel
priority : 150
refcnt : 1
selftest : passed
type : shash
blocksize : 128
digestsize : 64

name : sha224
driver : sha224-ssse3
module : kernel
priority : 150
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 28

name : sha256
driver : sha256-ssse3
module : kernel
priority : 150
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 32

name : crc32
driver : crc32-pclmul
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : shash
blocksize : 1
digestsize : 4

name : sha1
driver : sha1-ssse3
module : kernel
priority : 150
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 20

name : crc32c
driver : crc32c-intel
module : kernel
priority : 200
refcnt : 2
selftest : passed
type : shash
blocksize : 1
digestsize : 4

name : __ghash
driver : cryptd(__ghash-pclmulqdqni)
module : kernel
priority : 50
refcnt : 1
selftest : passed
type : ahash
async : yes
blocksize : 16
digestsize : 16

name : ghash
driver : ghash-clmulni
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ahash
async : yes
blocksize : 16
digestsize : 16

name : __ghash
driver : __ghash-pclmulqdqni
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 16
digestsize : 16

name : xts(aes)
driver : xts-aes-aesni
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 32
max keysize : 64
ivsize : 16
geniv : <default>

name : lrw(aes)
driver : lrw-aes-aesni
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 32
max keysize : 48
ivsize : 16
geniv : <default>

name : __xts-aes-aesni
driver : __driver-xts-aes-aesni
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 32
max keysize : 64
ivsize : 16
geniv : <default>

name : __lrw-aes-aesni
driver : __driver-lrw-aes-aesni
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 32
max keysize : 48
ivsize : 16
geniv : <default>

name : pcbc(aes)
driver : pcbc-aes-aesni
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>

name : rfc4106(gcm(aes))
driver : rfc4106-gcm-aesni
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : nivaead
async : yes
blocksize : 1
ivsize : 8
maxauthsize : 16
geniv : seqiv

name : __gcm-aes-aesni
driver : __driver-gcm-aes-aesni
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : aead
async : no
blocksize : 1
ivsize : 0
maxauthsize : 0
geniv : <built-in>

name : ctr(aes)
driver : ctr-aes-aesni
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 1
min keysize : 16
max keysize : 32
ivsize : 16
geniv : chainiv

name : __ctr-aes-aesni
driver : __driver-ctr-aes-aesni
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>

name : cbc(aes)
driver : cbc-aes-aesni
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>

name : __ecb-aes-aesni
driver : cryptd(__driver-ecb-aes-aesni)
module : kernel
priority : 50
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : ecb(aes)
driver : ecb-aes-aesni
module : kernel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : __cbc-aes-aesni
driver : __driver-cbc-aes-aesni
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : __ecb-aes-aesni
driver : __driver-ecb-aes-aesni
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>

name : __aes-aesni
driver : __driver-aes-aesni
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32

name : aes


why i want to use aes-xts:plain64?

cause cryptsetup benchmark shows me it's fastest.

# cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 1846084 iterations per second
PBKDF2-sha256 1040253 iterations per second
PBKDF2-sha512 834853 iterations per second
PBKDF2-ripemd160 1154819 iterations per second
PBKDF2-whirlpool 392431 iterations per second
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 641.4 MiB/s 2210.4 MiB/s
serpent-cbc 128b 81.4 MiB/s 320.1 MiB/s
twofish-cbc 128b 180.2 MiB/s 348.1 MiB/s
aes-cbc 256b 476.1 MiB/s 1681.8 MiB/s
serpent-cbc 256b 81.4 MiB/s 320.4 MiB/s
twofish-cbc 256b 181.6 MiB/s 347.8 MiB/s
aes-xts 256b 1887.8 MiB/s 1893.4 MiB/s
serpent-xts 256b 331.4 MiB/s 315.6 MiB/s
twofish-xts 256b 337.9 MiB/s 343.8 MiB/s
aes-xts 512b 1467.9 MiB/s 1487.0 MiB/s
serpent-xts 512b 331.5 MiB/s 315.5 MiB/s
twofish-xts 512b 341.2 MiB/s 343.0 MiB/s


Do i have to build Cryptsetup with 'Kernel' Useflag instead of openssl ?

marko
Re: cryptsetup wont use aes-xts:plain64
On Sat, 18 Apr 2015 12:27:15 +0200
Marko Weber | 8000 <weber@zbfmail.de> wrote:

>
> hello list,
>
> i try to crypt a partition with cryptsetup.
> Yes, in Kernel i had all need things i think.
>
> CONFIG_CRYPTO=y
...
> # CONFIG_CRYPTO_HW is not set
>
>
> but when i try to use cryptsetup i get this:
>
> # cryptsetup -c aes-xts:plain64 -y -s 256 luksFormat
> /dev/mapper/VolGroup01-media2
>
> WARNING!
> ========
> This will overwrite data on /dev/mapper/VolGroup01-media2 irrevocably.
>
> Are you sure? (Type uppercase yes): YES
> Enter passphrase:
> Verify passphrase:
> device-mapper: reload ioctl on failed: Invalid argument
> Failed to setup dm-crypt key mapping for device
> /dev/mapper/VolGroup01-media2.
> Check that kernel supports aes-xts:plain64 cipher (check syslog for
> more info).
>
>
>
> Any ideas?
>
> i built cryptsetup with this useflags:
>
> nls openssl python udev urandom
>
>
>
> cryptsetup --help shows me i am able to use the options
>
> Default compiled-in device cipher parameters:
> loop-AES: aes, Key 256 bits
> plain: aes-cbc-essiv:sha256, Key: 256 bits, Password
> hashing: ripemd160
> LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing:
> sha1, RNG: /dev/random
>
>
> any help / ideas or knowledge welcome.
>
> best regards
>
> marko
>
>
>
>
>

I read the whole thread, but will reply here.

I use this mode on some devices, and for me works fine (gentoo
systems), I have it enabled in kernel, also I have cryptsetup with
sys-fs/cryptsetup-1.6.5 (gcrypt nls python_single_target_python2_7
python_targets_python2_7 python_targets_python3_3 udev)
You can probably ignore python*, 'gcrypt' is probably important USE
flag.

Also something which may be unrelated to you but is important about
CONFIG_CRYPTO_XTS is
"XTS: IEEE1619/D16 narrow block cipher use with
aes-xts-plain, key size 256, 384 or 512 bits. This implementation
currently can't handle a sectorsize which is not a multiple of 16
bytes."
Re: cryptsetup wont use aes-xts:plain64
Am 20.04.2015 um 15:43 schrieb Marko Weber | 8000:

> # cryptsetup -c aes-xts:plain64 -y -s 512 luksFormat
> /dev/mapper/VolGroup01-media2

As I've already mentioned in my first answer, there is a typo in this
command. Well, I actually didn't mention that it's a typo, but I gave
you the correct command:

# cryptsetup -s 256 -y -c aes-xts-plain64 luksFormat /dev/mapper/VolGroup01-media2

Maybe you should consider those parameters:
-s 512 (for a longer key)
-h sha512 (otherwise sha1 will get used for the password hash)
--use-random (manpage says: "Using /dev/urandom can lead to weak keys.")

Or in other words: It's not -c aes-xts:plain64, but -c aes-xts-plain.
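
Added example (not part of any message in this thread and not cryptsetup's own code): a small Python check that splits a dm-crypt cipher specification along the kernel's documented `cipher[:keycount]-chainmode-ivmode[:ivopts]` layout and looks the resulting algorithm up in `/proc/crypto`-style text, which shows why `aes-xts:plain64` is rejected while `aes-xts-plain64` is accepted. The function names and the sample `/proc/crypto` excerpt are constructed for illustration.

```python
import re

# Constructed excerpt in /proc/crypto format (not the poster's output).
SAMPLE_PROC_CRYPTO = """\
name         : xts(aes)
driver       : xts-aes-aesni
module       : aesni_intel
selftest     : passed

name         : xts(serpent)
driver       : xts-serpent-sse2
module       : kernel
selftest     : passed
"""

def parse_spec(spec):
    """Split 'cipher[:keycount]-chainmode-ivmode[:ivopts]' into its fields."""
    parts = spec.split("-", 2)
    cipher, _, keycount = parts[0].partition(":")
    chainmode = parts[1] if len(parts) > 1 else None
    ivmode, _, ivopts = (parts[2].partition(":") if len(parts) > 2
                         else (None, "", ""))
    return {"cipher": cipher, "keycount": keycount or None,
            "chainmode": chainmode, "ivmode": ivmode, "ivopts": ivopts or None}

def kernel_algorithms(proc_crypto_text):
    """Return the names of all entries whose selftest passed."""
    algos = set()
    for entry in re.split(r"\n\s*\n", proc_crypto_text.strip()):
        fields = dict(re.findall(r"^(\w[\w ]*?)\s*:\s*(.*)$", entry, re.M))
        if fields.get("selftest") == "passed":
            algos.add(fields["name"])
    return algos

def check_spec(spec, proc_crypto_text):
    """Lint a cipher spec; returns (ok, algorithm name or reason)."""
    p = parse_spec(spec)
    # A ':' left inside the chaining mode means '-' was mistyped as ':'.
    if not re.fullmatch(r"[a-z0-9_]+", p["chainmode"] or ""):
        return False, f"bad chaining mode {p['chainmode']!r}"
    # Every chaining mode except ecb needs an IV generator such as plain64.
    if p["ivmode"] is None and p["chainmode"] != "ecb":
        return False, "no IV mode given"
    algo = f"{p['chainmode']}({p['cipher']})"
    if algo not in kernel_algorithms(proc_crypto_text):
        return False, f"{algo} not in /proc/crypto"
    return True, algo

if __name__ == "__main__":
    for s in ("aes-xts:plain64", "aes-xts-plain64", "twofish-xts-plain64"):
        print(s, "->", check_spec(s, SAMPLE_PROC_CRYPTO))
```

On a live system, pass the contents of `/proc/crypto` as the second argument; modules that are not yet loaded do not appear there until something requests them.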
Re: cryptsetup wont use aes-xts:plain64
Finally!

Am 2015-04-18 12:27, schrieb Marko Weber | 8000:
> hello list,
>
> i try to crypt a partition with cryptsetup.
> Yes, in Kernel i had all need things i think.
>
>
>
> but when i try to use cryptsetup i get this:
>
> # cryptsetup -c aes-xts:plain64 -y -s 256 luksFormat
> /dev/mapper/VolGroup01-media2
>
> WARNING!
> ========
> This will overwrite data on /dev/mapper/VolGroup01-media2 irrevocably.
>
> Are you sure? (Type uppercase yes): YES
> Enter passphrase:
> Verify passphrase:
> device-mapper: reload ioctl on failed: Invalid argument
> Failed to setup dm-crypt key mapping for device
> /dev/mapper/VolGroup01-media2.
> Check that kernel supports aes-xts:plain64 cipher (check syslog for
> more info).
>
>
>
> Any ideas?
>
> i built cryptsetup with this useflags:
>
> nls openssl python udev urandom
>
>
>
> cryptsetup --help shows me i am able to use the options
>
> Default compiled-in device cipher parameters:
> loop-AES: aes, Key 256 bits
> plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing:
> ripemd160
> LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing:
> sha1, RNG: /dev/random
>
>
> any help / ideas or knowledge welcome.
>
> best regards
>
> marko

i got it working!

cryptsetup -c aes-xts-plain -h sha256 -y -s 256 luksFormat /dev/mapper/VolGroup01-media2

But on writing a testfile of 4G with i get 22,9 Mb/sec.
Is there a cipher/hash/keysize which allows me a bit more write
performance?

marko
Re: cryptsetup wont use aes-xts:plain64
Am 21.04.2015 um 11:21 schrieb Marko Weber | 8000:
>
> Finally!
>
> ...
>
> i got it working!
>
> cryptsetup -c aes-xts-plain -h sha256 -y -s 256 luksFormat
> /dev/mapper/VolGroup01-media2
>
> But on writing a testfile of 4G with i get 22,9 Mb/sec.
> Is there a cipher/hash/keysize which allows me a bit more write
> performance?

I don't know if it helps you with the write performance, but you can
also use aes-xts-plain64 instead of aes-xts-plain.

# cryptsetup -c aes-xts-plain64 -h sha256 -y -s 256 luksFormat /dev/mapper/VolGroup01-media2
Re: cryptsetup wont use aes-xts:plain64
AES cipher algo (AES-NI) is the fastest if you have the necessary
hardware. Twofish cipher algo (x86_64, 3-way parallel) is a close
second, but will slow access down slightly. Serpent is also usably
fast.

CONFIG_CRYPTO_AES_NI_INTEL = ~200mb/s (limited by disk in my case)
CONFIG_CRYPTO_TWOFISH_X86_64_3WAY = ~130mb/s

`cryptsetup --cipher {twofish,aes}-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000`
Re: cryptsetup wont use aes-xts:plain64
Just try `cryptsetup benchmark`

Cheers

On 04/22/2015 06:09 AM, R0b0t1 wrote:
> AES cipher algo (AES-NI) is the fastest if you have the necessary
> hardware. Twofish cipher algo (x86_64, 3-way parallel) is a close
> second, but will slow access down slightly. Serpent is also usably
> fast.
>
> CONFIG_CRYPTO_AES_NI_INTEL = ~200mb/s (limited by disk in my case)
> CONFIG_CRYPTO_TWOFISH_X86_64_3WAY = ~130mb/s
>
> `cryptsetup --cipher {twofish,aes}-xts-plain64 --key-size 512 --hash
> sha512 --iter-time 5000`
>