#425 Issue closed: AES-SHA256 on Ubuntu (precise) Cryptloop

Labels: enhancement

tyl0re opened issue at 2014-06-14 21:29:

On Ubuntu precise + Cryptloop
when booting rear

the step:
cryptsetup --debug luksFormat -q --cipher aes-sha256 --hash sha1 --uuid

Failed to setup dm-crypt key mapping for device /dev/sda5

Check that kernel supports aes-sha256 cipher (Check Syslog for more information)
Gets: Command failed with code 5: Failed to write to key Storage

Syslog:
device-mapper: table 252:0: crypt: IV mechanism required
device-mapper: error adding target to table

Changing it to twofish has worked. For the cryptsetup, it seems there are some modules missing.

gdha commented at 2014-06-16 09:17:

@tyl0re could you find out which module is present on the production side? Perhaps dm-crypt needs an extra module?

gdha commented at 2014-06-16 13:45:

Looked at the sources of https://code.google.com/p/cryptsetup/source/browse/src/cryptsetup.h and noticed that it relies on OpenSSL. So my guess is that openssl should be added to the rescue image... worth trying.

gdha commented at 2014-06-25 12:06:

@tyl0re any luck so far?

tyl0re commented at 2014-06-25 12:13:

I have written you an email to gratien.dhaese@gmail.com, so you could have a look for yourself; maybe it's faster, since there are two Ubuntu problems.

gdha commented at 2014-06-26 14:03:

Finding 1:

root@test-rear:~# cat /proc/crypto | grep aes
name         : cbc(aes)
driver       : cbc(aes-generic)
name         : cbc(aes)
driver       : cbc(aes-generic)
name         : aes
driver       : aes-generic
root@test-rear:~# cat /proc/crypto | grep sha256
name         : hmac(sha256)
driver       : hmac(sha256-generic)
name         : sha256
driver       : sha256-generic

RESCUE test-rear:/var/lib/rear/layout # cat /proc/crypto | grep aes
name         : cbc(aes)
driver       : cbc(aes-generic)
name         : cbc(aes)
driver       : cbc(aes-generic)
name         : aes
driver       : aes-generic
RESCUE test-rear:/var/lib/rear/layout # cat /proc/crypto | grep sha256
name         : hmac(sha256)
driver       : hmac(sha256-generic)
name         : sha256
driver       : sha256-generic

So, all required drivers are available in the kernel on both systems. That is not the issue here.

tyl0re commented at 2014-06-27 09:28:

Encrypting it with anything other than aes-sha256 seems to work; only aes-sha256 fails.

gdha commented at 2014-06-27 10:02:

Does aes-sha256 work fine on your test system (not the recovery system)?

tyl0re commented at 2014-06-27 10:07:

There are 2 test systems (1 booted ReaR CD), 1 the original system (2 ports), so it's easier to try and compare them.

gdha commented at 2014-08-21 15:43:

Not sure what added value I can still deliver for this case?

tyl0re commented at 2014-08-30 16:26:

Hi, sorry for the late answer, I have been on holiday.
I found the error! :-)

The original system is:

root@mail:/etc# cryptsetup status sda5_crypt
/dev/mapper/sda5_crypt is active and is in use.
type: LUKS1
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda5
offset: 4096 sectors
size: 209207296 sectors
mode: read/write

The command in Rear is:
cryptsetup luksFormat -q --cipher aes-sha256 --hash sha1 --uuid [NR] /dev/sda5

When changing it to:
cryptsetup luksFormat -q --cipher aes-cbc-essiv:sha256 --hash sha1 --uuid [NR] /dev/sda5

Works (changed to the cipher from the original machine). It seems rear somehow gets the cipher wrong.

gdha commented at 2014-09-01 08:27:

@tyl0re Ok, thx for the feedback - so in /var/lib/rear/layout/disklayout.conf the cypher was wrong?
Perhaps, if you could debug the script ./usr/share/rear/layout/save/GNU/Linux/26_crypt_layout.sh to where it goes wrong for me?

tyl0re commented at 2014-09-01 09:21:

Error is in:
mode=$(cryptsetup luksDump $device |grep "Cipher mode"| sed -r 's/^.+:\s*(.+)$/\1/')

Cipher mode: cbc-essiv:sha256

Since the mode has a : in it, it cuts only the last part instead of the complete mode.

mode=$(cryptsetup luksDump $device |grep "Cipher mode"|cut -d : -f 2-|awk '{printf("%s",$1)};')

Works, maybe there is a more elegant way to do it.
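
Added example, not part of the original thread and not ReaR's own code: it runs the two extractions quoted above over a constructed `cryptsetup luksDump` excerpt, once with a mode that contains a colon and once without, which shows why the greedy pattern only breaks for modes such as cbc-essiv:sha256. The sample dump values and the helper names `luks_field` and `cipher_spec` are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed LUKS1 `cryptsetup luksDump` header excerpt; $1 is the cipher mode.
sample_dump() {
    cat <<EOF
LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    $1
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
EOF
}

# Extraction quoted in the thread: the greedy "^.+:" runs to the LAST colon on
# the line, so everything before the final ":" of the value is discarded.
mode_greedy() {
    grep "Cipher mode" | sed -r 's/^.+:\s*(.+)$/\1/'
}

# Replacement posted in the thread: keep every field after the first colon.
mode_cut() {
    grep "Cipher mode" | cut -d : -f 2- | awk '{printf("%s",$1)};'
}

# Hypothetical helper: strip only the named label and the blanks after it.
luks_field() {
    sed -n "s/^$1:[[:space:]]*//p"
}

# Hypothetical helper: build the --cipher value as <name>-<mode> from a dump.
cipher_spec() {
    dump=$(cat)
    name=$(printf '%s\n' "$dump" | luks_field "Cipher name")
    mode=$(printf '%s\n' "$dump" | luks_field "Cipher mode")
    printf '%s-%s\n' "$name" "$mode"
}

# Compare the extractions for a mode with a colon and one without.
for m in cbc-essiv:sha256 xts-plain64; do
    printf '%-18s greedy=%-12s cut=%-18s spec=%s\n' "$m" \
        "$(sample_dump "$m" | mode_greedy)" \
        "$(sample_dump "$m" | mode_cut)" \
        "$(sample_dump "$m" | cipher_spec)"
done
```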

tyl0re commented at 2014-10-21 08:31:

Forgot to close, since it's working.


[Export of Github issue for rear/rear.]