linux – cryptsetup 2.3.4 rpm for CentOS 7?

I have been searching for cryptsetup 2.3.4 as I want to use --perf-no_read_workqueue.

According to the release note, the option is newly added in 2.3.4.

However, my CentOS 7’s official repository only has 2.0.3. I tried to rebuild 2.3.4 myself. However, it has many dependencies that require newer versions of some libraries and expects header files and libraries in different locations, etc.

Does anyone know which repo provides cryptsetup 2.3.4?

20.10 cryptsetup suddenly fails to open luks: Cannot use twofish-ecb cipher for keyslot encryption

Since the recent update from 20.04 to 20.10, cryptsetup fails to open a LUKS container.

Message is:

Cannot use twofish-ecb cipher for keyslot encryption. Keyslot open
failed. No usable keyslot is available.

  • I was able to open and edit the luks container under Ubuntu 20.04.
  • Only fails since the upgrade.
  • I can still open and edit the luks container under Fedora. Data is still available under Fedora and the luks container itself is fine.

isLuks

is positive,

cryptsetup -v luksDump /dev/sdx3

brings the expected results, perfect.

issue:

sudo cryptsetup luksOpen /dev/sdx3 luks-61(…)51

successfully requests and accepts passphrase then
fails with

Cannot use twofish-ecb cipher for keyslot encryption.
Keyslot open failed.
No usable keyslot is available.

Subsequently /dev/mapper does not show this luks mapping while still working fine for the other luks mappings.

Only special thing about /dev/sdx is: it is a btrfs disk. Working fine with Ubuntu, Fedora, Suse until the upgrade.

Used to work fine under Ubuntu 20.04 (until the reboot after upgrade to 20.10).

Version with U20.10: cryptsetup 2.3.3

Why does it fail under Ubuntu 20.10?
What can I do to fix it?

linux – Cryptsetup partition security in Raspberry PI

I cannot open one of my LUKS partitions in Raspberry PI due to memory restriction.
I already discovered that the suggestion in this case is to recreate the partition on the slowest device, which will access it (in this case, the Raspberry PI).

However, I am concerned about the possible decrease in the level of security (probably, with less computing power, a weaker key will be used).

This is what the cryptsetup documentation says about the problem:

Note: Passphrase iteration is determined by cryptsetup depending on
CPU power. On a slow device, this may be lower than you want. I
recently compared this on a Raspberry Pi and it came out at approximately
1/15 of the iteration counts for a typical PC. If security is
most important, you may want to increase the time spent on iteration, at
the cost of a slower unlock later. For Raspberry Pi, using

cryptsetup luksFormat -i 15000 

gives you an iteration count and a security level equal to an average PC
for passphrase iteration and master key iteration. In case of doubt, verify
the iteration count with

cryptsetup luksDump 

and adjust the iteration count accordingly by creating the container
again with a different iteration time (the number after '-i' is the
iteration time in milliseconds) until your requirements are met.

Now, I'm not sure what will happen if I follow the above advice.

  1. Will the partition be as secure as on a PC (if the number of iterations is correct), only slower?
  2. If it is slower, is only the unlock slower, or are subsequent reads/writes as fast as without the additional iterations? (If so, why? Is it because by unlocking we only decrypt the key that will then be used to decrypt the content of the partition?)
  3. Will it consume even less memory than the partition created on a fast PC? (In other words: I want to recreate the partition to be able to use it with the Raspberry PI. With the default values it will be usable, but less secure. Will it still be usable with the highest iteration count, or would it again consume too much memory?)
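
The relationship the quoted note describes, as an added example (not cryptsetup's code and not part of the post): the iteration count is the benchmarked rate times the iteration time, so a device at 1/15 of the rate needs 15 times the iteration time to reach the same count. PBKDF2-HMAC-SHA256 stands in for the key-derivation function; the 1000 ms baseline and all function names are assumptions.

```python
import hashlib
import math
import time


def measure_rate(min_seconds=0.05):
    """PBKDF2-HMAC-SHA256 iterations per second on this CPU.

    Doubles the probe size until one run takes long enough to time reliably.
    """
    iters = 1000
    while True:
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"constructed passphrase", b"constructed salt", iters)
        elapsed = time.perf_counter() - start
        if elapsed >= min_seconds:
            return iters / elapsed
        iters *= 2


def iterations_for(rate_per_s, iter_time_ms):
    """Iteration count that takes iter_time_ms on a CPU running rate_per_s."""
    return int(rate_per_s * iter_time_ms / 1000)


def iter_time_for_parity(slow_rate, fast_rate, fast_iter_time_ms):
    """Iteration time (ms) a slow device needs to match a fast device's count."""
    target = iterations_for(fast_rate, fast_iter_time_ms)
    return math.ceil(target * 1000 / slow_rate)


def seconds_per_guess(iterations, rate_per_s):
    """Time one passphrase attempt costs on hardware running rate_per_s."""
    return iterations / rate_per_s


if __name__ == "__main__":
    host = measure_rate()
    pi = host / 15          # assumption: the 1/15 ratio quoted above
    base_ms = 1000          # assumption: baseline iteration time on the PC
    ms = iter_time_for_parity(pi, host, base_ms)
    count = iterations_for(pi, ms)
    print(f"host rate: {host:,.0f} it/s, parity iteration time on slow device: {ms} ms")
    print(f"count: {count:,}; unlock on slow device: {seconds_per_guess(count, pi):.1f} s; "
          f"guess on host-class hardware: {seconds_per_guess(count, host):.1f} s")
```

The cost of one passphrase guess follows the stored iteration count and the hardware doing the guessing, not the device that created the container.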

18.04 – Problem with update-initramfs and cryptsetup

I am trying to update my initramfs but I receive this error:

cryptsetup: WARNING: could not determine root device from /etc/fstab

I'm not really sure why this happens because this is my fstab:

UUID=0a2cb47d-20dc-467e-9360-38a2e898379e   /boot   ext2    defaults    0   1
UUID=a97179ea-3a70-4ab8-b6e7-1b76a049dc0e   /   btrfs   defaults,subvol=root    0   1
UUID=a97179ea-3a70-4ab8-b6e7-1b76a049dc0e   /home   btrfs   defaults,subvol=home    0   2
UUID=a97179ea-3a70-4ab8-b6e7-1b76a049dc0e   /tmp    btrfs   defaults,subvol=tmp 0   2
UUID=189d2112-c85b-4bb9-8a91-682df21b52fe   none    swap    sw  0   0

and there is an entry for /.

For the background:

I am using Ubuntu 18.04 in a chroot environment. Also, I have a btrfs file system and this is encrypted using LUKS.

My encryption table:

root UUID=1bc78817-271a-46b3-a51a-1b6013744a7c none luks

My devices:

/dev/nvme0n1p2: UUID="189d2112-c85b-4bb9-8a91-682df21b52fe" TYPE="swap" PARTUUID="80cd5dee-02"
/dev/nvme0n1p3: UUID="1bc78817-271a-46b3-a51a-1b6013744a7c" TYPE="crypto_LUKS" PARTUUID="80cd5dee-03"
/dev/nvme0n1p1: UUID="0a2cb47d-20dc-467e-9360-38a2e898379e" TYPE="ext2" PARTUUID="80cd5dee-01"
/dev/mapper/root: UUID="a97179ea-3a70-4ab8-b6e7-1b76a049dc0e" UUID_SUB="ed244bff-3e1a-4442-8426-9d478ad2ba35" TYPE="btrfs"
/dev/nvme0n1: PTUUID="80cd5dee" PTTYPE="dos"

My mounts:

/dev/mapper/root on / type btrfs (rw,relatime,ssd_spread,space_cache,subvolid=520,subvol=/root_ubuntu)
/dev/nvme0n1p1 on /boot type ext2 (rw,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,nosuid,relatime,size=7721800k,nr_inodes=1930450,mode=755)

Hope someone can help me.
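
A cross-check of the listings in the post, as an added example (not the poster's code, and not how update-initramfs resolves the root device): it follows the fstab entry for / through the blkid output to the crypttab mapping and the backing LUKS partition, and extracts the subvol option from fstab and from the live mount for comparison. The listings are copied from the post with whitespace normalised and trimmed to the relevant lines; the function names are assumptions.

```python
import re

# Listings copied from the post above (trimmed to the relevant lines).
FSTAB = """\
UUID=0a2cb47d-20dc-467e-9360-38a2e898379e /boot ext2 defaults 0 1
UUID=a97179ea-3a70-4ab8-b6e7-1b76a049dc0e / btrfs defaults,subvol=root 0 1
"""
CRYPTTAB = "root UUID=1bc78817-271a-46b3-a51a-1b6013744a7c none luks\n"
BLKID = """\
/dev/nvme0n1p3: UUID="1bc78817-271a-46b3-a51a-1b6013744a7c" TYPE="crypto_LUKS" PARTUUID="80cd5dee-03"
/dev/mapper/root: UUID="a97179ea-3a70-4ab8-b6e7-1b76a049dc0e" UUID_SUB="ed244bff-3e1a-4442-8426-9d478ad2ba35" TYPE="btrfs"
"""
MOUNT_ROOT = "/dev/mapper/root on / type btrfs (rw,relatime,ssd_spread,space_cache,subvolid=520,subvol=/root_ubuntu)"


def parse_blkid(text):
    """Map device path -> {KEY: value} from blkid-style lines."""
    return {dev: dict(re.findall(r'(\w+)="([^"]*)"', rest))
            for dev, _, rest in (l.partition(": ") for l in text.splitlines() if l)}


def root_chain(fstab, crypttab, blkid):
    """Follow fstab's / entry to its mapper device and backing LUKS partition."""
    devs = parse_blkid(blkid)
    by_uuid = {attrs["UUID"]: dev for dev, attrs in devs.items() if "UUID" in attrs}
    root = next(f for f in (l.split() for l in fstab.splitlines()) if len(f) > 1 and f[1] == "/")
    chain = {"source": root[0], "options": root[3],
             "root_dev": by_uuid.get(root[0].split("=", 1)[1]), "luks_dev": None}
    for fields in (l.split() for l in crypttab.splitlines() if l.strip()):
        name, src = fields[0], fields[1]
        if chain["root_dev"] == "/dev/mapper/" + name:
            luks = by_uuid.get(src.split("=", 1)[1])
            if luks and devs[luks].get("TYPE") == "crypto_LUKS":
                chain["luks_dev"] = luks
    return chain


def subvol(options):
    """Return the subvol= value from an option string, without a leading slash."""
    m = re.search(r"(?:^|,)subvol=([^,)]+)", options)
    return m.group(1).lstrip("/") if m else None


if __name__ == "__main__":
    chain = root_chain(FSTAB, CRYPTTAB, BLKID)
    print(chain)
    print("fstab subvol:", subvol(chain["options"]), "| mounted subvol:", subvol(MOUNT_ROOT))
```

On the posted data the UUID chain resolves end to end, while the subvol named in fstab differs from the one in the mount listing.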

How to remove an unknown LUKS key with cryptsetup?

My LUKS encrypted drive has 3 passphrases. Two of them are safe (and long), the other is lost. However, I vaguely remember that I was not up to the task; it was used during the experiments and should have been deleted later. How can I get rid of that key, since I do not know it anymore, but at least know the other two?