
#1 2013-05-26 23:06:43

parpagnas
Member
Registered: 2013-05-15
Posts: 17

[SOLVED] Impossible to crypt the drive using cryptsetup

Hello,

I have booted my computer on archiso in order to install Arch's latest build on it. I have chosen to use GPT instead of MBR and I want to encrypt the hard drive before installing Arch on it.

I have been following this tutorial and others but I've never managed to encrypt my partition:

$ sudo cryptsetup -c aes-xts-plain -y -s 512 -r luksFormat /dev/sda2 --debug
# cryptsetup 1.6.1 processing "cryptsetup -c aes-xts-plain -y -s 512 -r luksFormat /dev/sda2 --debug"
# Running command luksFormat.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
# Allocating crypt device /dev/sda2 context.
# Trying to open and read device /dev/sda2.
# Initialising device-mapper backend library.
# Timeout set to 0 miliseconds.
# Iteration time set to 1000 miliseconds.
# Interactive passphrase entry requested.
Enter passphrase: 
Verify passphrase: 
# Formatting device /dev/sda2 as type LUKS1.
# Crypto backend (gcrypt 1.5.2) initialized.
# Topology: IO (512/0), offset = 0; Required alignment is 1048576 bytes.
# Generating LUKS header version 1 using hash sha1, aes, xts-plain, MK 64 bytes
# Crypto backend (gcrypt 1.5.2) initialized.
# KDF pbkdf2, hash sha1: 349525 iterations per second.
# Data offset 4096, UUID 99256e6c-34b6-4775-b945-5c7082c44c6b, digest iterations 42625
# Updating LUKS header of size 1024 on device /dev/sda2
# Key length 64, device size 97265664 sectors, header size 4036 sectors.
# Reading LUKS header of size 1024 from device /dev/sda2
# Key length 64, device size 97265664 sectors, header size 4036 sectors.
# Adding new keyslot -1 using volume key.
# Calculating data for key slot 0
# Crypto backend (gcrypt 1.5.2) initialized.
# KDF pbkdf2, hash sha1: 351399 iterations per second.
# Key slot 0 use 171581 password iterations.
# Using hash sha1 for AF in key slot 0, 4000 stripes
# Updating key slot 0 [0x1000] area.
# Calculated device size is 500 sectors (RW), offset 8.
# dm version   OF   [16384] (*1)
# dm versions   OF   [16384] (*1)
# Device-mapper backend running with UDEV support enabled.
# DM-UUID is CRYPT-TEMP-temporary-cryptsetup-8259
# Udev cookie 0xd4d1e5c (semid 819200) created
# Udev cookie 0xd4d1e5c (semid 819200) incremented to 1
# Udev cookie 0xd4d1e5c (semid 819200) incremented to 2
# Udev cookie 0xd4d1e5c (semid 819200) assigned to CREATE task(0) with flags DISABLE_SUBSYSTEM_RULES DISABLE_DISK_RULES DISABLE_OTHER_RULES (0xe)
# dm versions   OF   [16384] (*1)
# Device-mapper backend running with UDEV support enabled.
# dm create temporary-cryptsetup-8259 CRYPT-TEMP-temporary-cryptsetup-8259 OF   [16384] (*1)
# dm reload temporary-cryptsetup-8259  OF   [16384] (*1)
device-mapper: reload ioctl on temporary-cryptsetup-8259 failed: Invalid argument
# Udev cookie 0xd4d1e5c (semid 819200) decremented to 1
# Udev cookie 0xd4d1e5c (semid 819200) incremented to 2
# Udev cookie 0xd4d1e5c (semid 819200) assigned to REMOVE task(2) with flags DISABLE_SUBSYSTEM_RULES DISABLE_DISK_RULES DISABLE_OTHER_RULES (0xe)
# dm remove temporary-cryptsetup-8259  OF   [16384] (*1)
# temporary-cryptsetup-8259: Stacking NODE_DEL [verify_udev]
# Udev cookie 0xd4d1e5c (semid 819200) decremented to 1
# Udev cookie 0xd4d1e5c (semid 819200) waiting for zero
# Udev cookie 0xd4d1e5c (semid 819200) destroyed
# temporary-cryptsetup-8259: Processing NODE_DEL [verify_udev]
Failed to open temporary keystore device.
# dm versions   OF   [16384] (*1)
# Device-mapper backend running with UDEV support enabled.
# Udev cookie 0xd4d1a0a (semid 851968) created
# Udev cookie 0xd4d1a0a (semid 851968) incremented to 1
# Udev cookie 0xd4d1a0a (semid 851968) incremented to 2
# Udev cookie 0xd4d1a0a (semid 851968) assigned to REMOVE task(2) with flags (0x0)
# dm remove temporary-cryptsetup-8259  OFT    [16384] (*1)
device-mapper: remove ioctl on temporary-cryptsetup-8259 failed: No such device or address
# Udev cookie 0xd4d1a0a (semid 851968) decremented to 1
# Udev cookie 0xd4d1a0a (semid 851968) decremented to 0
# Udev cookie 0xd4d1a0a (semid 851968) waiting for zero
# Udev cookie 0xd4d1a0a (semid 851968) destroyed
# WARNING: other process locked internal device temporary-cryptsetup-8259, retrying remove.
# dm reload temporary-cryptsetup-8259  NFR   [16384] (*1)
device-mapper: reload ioctl on temporary-cryptsetup-8259 failed: No such device or address
# Udev cookie 0xd4d7091 (semid 884736) created
# Udev cookie 0xd4d7091 (semid 884736) incremented to 1
# Udev cookie 0xd4d7091 (semid 884736) incremented to 2
# Udev cookie 0xd4d7091 (semid 884736) assigned to REMOVE task(2) with flags (0x0)
# dm remove temporary-cryptsetup-8259  OFT    [16384] (*1)
device-mapper: remove ioctl on temporary-cryptsetup-8259 failed: No such device or address
# Udev cookie 0xd4d7091 (semid 884736) decremented to 1
# Udev cookie 0xd4d7091 (semid 884736) decremented to 0
# Udev cookie 0xd4d7091 (semid 884736) waiting for zero
# Udev cookie 0xd4d7091 (semid 884736) destroyed
# WARNING: other process locked internal device temporary-cryptsetup-8259, retrying remove.
# Udev cookie 0xd4dfed3 (semid 917504) created
# Udev cookie 0xd4dfed3 (semid 917504) incremented to 1
# Udev cookie 0xd4dfed3 (semid 917504) incremented to 2
# Udev cookie 0xd4dfed3 (semid 917504) assigned to REMOVE task(2) with flags (0x0)
# dm remove temporary-cryptsetup-8259  OFT    [16384] (*1)
device-mapper: remove ioctl on temporary-cryptsetup-8259 failed: No such device or address
# Udev cookie 0xd4dfed3 (semid 917504) decremented to 1
# Udev cookie 0xd4dfed3 (semid 917504) decremented to 0
# Udev cookie 0xd4dfed3 (semid 917504) waiting for zero
# Udev cookie 0xd4dfed3 (semid 917504) destroyed
# WARNING: other process locked internal device temporary-cryptsetup-8259, retrying remove.
# Udev cookie 0xd4d9da8 (semid 950272) created
# Udev cookie 0xd4d9da8 (semid 950272) incremented to 1
# Udev cookie 0xd4d9da8 (semid 950272) incremented to 2
# Udev cookie 0xd4d9da8 (semid 950272) assigned to REMOVE task(2) with flags (0x0)
# dm remove temporary-cryptsetup-8259  OFT    [16384] (*1)
device-mapper: remove ioctl on temporary-cryptsetup-8259 failed: No such device or address
# Udev cookie 0xd4d9da8 (semid 950272) decremented to 1
# Udev cookie 0xd4d9da8 (semid 950272) decremented to 0
# Udev cookie 0xd4d9da8 (semid 950272) waiting for zero
# Udev cookie 0xd4d9da8 (semid 950272) destroyed
# WARNING: other process locked internal device temporary-cryptsetup-8259, retrying remove.
# Udev cookie 0xd4d04f9 (semid 983040) created
# Udev cookie 0xd4d04f9 (semid 983040) incremented to 1
# Udev cookie 0xd4d04f9 (semid 983040) incremented to 2
# Udev cookie 0xd4d04f9 (semid 983040) assigned to REMOVE task(2) with flags (0x0)
# dm remove temporary-cryptsetup-8259  OFT    [16384] (*1)
device-mapper: remove ioctl on temporary-cryptsetup-8259 failed: No such device or address
# Udev cookie 0xd4d04f9 (semid 983040) decremented to 1
# Udev cookie 0xd4d04f9 (semid 983040) decremented to 0
# Udev cookie 0xd4d04f9 (semid 983040) waiting for zero
# Udev cookie 0xd4d04f9 (semid 983040) destroyed
# Releasing crypt device /dev/sda2 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code 5: Input/output error

After a while I found out that this could be due to udev, so I decided to monitor it while I ran the cryptsetup command, and here is what I get:

$ sudo udevadm monitor
monitor will print the received events for:
UDEV - the event which udev sends out after rule processing
KERNEL - the kernel uevent
$sudo cryptsetup -c aes-xts-plain -y -s 512 -r luksFormat /dev/sda2 --debug
KERNEL[261175.276822] change   /devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda/sda2 (block)
UDEV  [261175.280232] change   /devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda/sda2 (block)
KERNEL[261176.255085] change   /devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda/sda2 (block)
UDEV  [261176.268766] change   /devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda/sda2 (block)
KERNEL[261179.179489] change   /devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda/sda2 (block)
KERNEL[261179.179656] add      /devices/virtual/bdi/254:1 (bdi)
KERNEL[261179.179698] add      /devices/virtual/block/dm-1 (block)
UDEV  [261179.180011] add      /devices/virtual/bdi/254:1 (bdi)
UDEV  [261179.180155] add      /devices/virtual/block/dm-1 (block)
KERNEL[261179.180815] remove   /devices/virtual/block/dm-1 (block)
KERNEL[261179.181050] remove   /devices/virtual/bdi/254:1 (bdi)
KERNEL[261179.181146] remove   /devices/virtual/block/dm-1 (block)
UDEV  [261179.181234] remove   /devices/virtual/bdi/254:1 (bdi)
UDEV  [261179.181847] change   /devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda/sda2 (block)
UDEV  [261179.182451] remove   /devices/virtual/block/dm-1 (block)
UDEV  [261179.182600] remove   /devices/virtual/block/dm-1 (block)

I think that there's some udev rule that is actually locking the drive, isn't there? I have checked /etc/udev.rules.d and udev.conf but there are no rules from what I can see.

Note that I get an error when I benchmark cryptsetup:

$ sudo cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1       346751 iterations per second
PBKDF2-sha256     211406 iterations per second
PBKDF2-sha512     154748 iterations per second
PBKDF2-ripemd160  330156 iterations per second
PBKDF2-whirlpool  168689 iterations per second
Required kernel crypto interface not available.
Ensure you have algif_skcipher kernel module loaded.

Does it mean that the kernel option should be enabled for cryptsetup to work or just for algif_skcipher as I thought?

Thanks in advance for your help.

Last edited by parpagnas (2013-05-27 20:24:07)


#2 2013-05-26 23:11:06

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [SOLVED] Impossible to crypt the drive using cryptsetup

Please edit your post and use [ code ] tags for posting code and command output https://bbs.archlinux.org/help.php#bbcode

like this

It makes the code more readable and - in case of longer listings - more convenient to scroll through.


#3 2013-05-27 01:07:01

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] Impossible to crypt the drive using cryptsetup

parpagnas wrote:

$ sudo cryptsetup -c aes-xts-plain -y -s 512 -r luksFormat /dev/sda2 --debug
[snip]
Required kernel crypto interface not available.
Ensure you have algif_skcipher kernel module loaded.

Does it mean that the kernel option should be enabled for cryptsetup to work or just for algif_skcipher as I thought?

Thanks in advance for your help.

Not sure from the ISO, the crypto is there as the previous output shows. Before executing the benchmark, try loading

modprobe dm_crypt

manually.

Then for your udev lock: You used the cryptsetup "-r" option (=readonly), don't do that. Leave that one out and see if it makes a difference.

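A triage helper for the failure discussed in posts #1 and #3, added here as an example and not code from the thread: it pulls the cipher and the first failing device-mapper ioctl out of a cryptsetup --debug log, and lists which of the modules named in the thread are absent from a /proc/modules-style list. The function names and the sample module list are assumptions; the sample log lines are copied from the first post.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print "OP DEVICE ERROR" for the first device-mapper ioctl that failed.
# Later failures in the same run follow from it (here, repeated removal
# of a device that is already gone).
first_dm_failure() {
    sed -n 's/^device-mapper: \([a-z]*\) ioctl on \([^ ]*\) *failed: \(.*\)$/\1 \2 \3/p' "$1" |
        head -n 1
}

# Print the cipher spec ("cipher-mode") the LUKS header was generated with.
header_cipher() {
    sed -n 's/^# Generating LUKS header version [0-9]* using hash [^,]*, \([^,]*\), \([^,]*\),.*/\1-\2/p' "$1" |
        head -n 1
}

# Print each named module that is absent from a /proc/modules-style file.
# Code built into the kernel never appears there, so treat a hit as a
# prompt to run modprobe, not as proof the feature is missing.
missing_modules() {
    file=$1; shift
    for m in "$@"; do
        awk -v m="$m" '$1 == m { f = 1 } END { exit !f }' "$file" || printf '%s\n' "$m"
    done
}

# Constructed inputs: log lines copied from post #1, module list made up.
LOG=$(mktemp); MODS=$(mktemp)
trap 'rm -f "$LOG" "$MODS"' EXIT
cat > "$LOG" <<'EOF'
# Generating LUKS header version 1 using hash sha1, aes, xts-plain, MK 64 bytes
# dm reload temporary-cryptsetup-8259  OF   [16384] (*1)
device-mapper: reload ioctl on temporary-cryptsetup-8259 failed: Invalid argument
Failed to open temporary keystore device.
device-mapper: remove ioctl on temporary-cryptsetup-8259 failed: No such device or address
Command failed with code 5: Input/output error
EOF
cat > "$MODS" <<'EOF'
dm_crypt 22528 0 - Live 0x0000000000000000
dm_mod 90112 1 dm_crypt, Live 0x0000000000000000
EOF

echo "cipher:        $(header_cipher "$LOG")"
echo "first failure: $(first_dm_failure "$LOG")"
echo "not loaded:    $(missing_modules "$MODS" dm_crypt algif_skcipher | tr '\n' ' ')"
```

On a live system, pass /proc/modules as the first argument to missing_modules and a saved --debug log to the other two functions.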

#4 2013-05-27 15:41:17

parpagnas
Member
Registered: 2013-05-15
Posts: 17

Re: [SOLVED] Impossible to crypt the drive using cryptsetup

Karol: done

Strike0:
- the wiki said to modprobe, that's the first thing I did and did not get any error message at that moment.
- there's a "-r" in this command because it's the last one I ran, after I read on some thread that it might help to troubleshoot. I made all my other tests without that "-r" option.

Thanks for your help!


#5 2013-05-27 17:21:56

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] Impossible to crypt the drive using cryptsetup

parpagnas wrote:

Strike0:
- the wiki said to modprobe, that's the first thing I did and did not get any error message at that moment.
- there's a "-r" in this command because it's the last one I ran, after I read on some thread that it might help to troubleshoot. I made all my other tests without that "-r" option.

Thanks for your help!

Ok, please state in the future which wiki you followed, in particular which steps of partitioning/mounting you did prior to luksFormat; one cannot guess that and it matters. Then please confirm which month's Arch ISO you use. Also it might be good to see the output without that option, e.g.

# cryptsetup -v luksFormat /dev/sda2 --debug

unless you were implying that it is the same with/without the option?


#6 2013-05-27 18:17:18

parpagnas
Member
Registered: 2013-05-15
Posts: 17

Re: [SOLVED] Impossible to crypt the drive using cryptsetup

I followed Arch Linux's beginner's guide, then https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS :

$ sudo pacman -S parted

$ sudo parted /dev/sda
(parted) print

Model: ATA WDC WD3000HLHX-6 (scsi)
Disk /dev/sda: 300GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End    Size   Type     File system  Flags
 1      1049kB  107GB  107GB  primary  ntfs         boot
 2      107GB   300GB  193GB  primary  ntfs

(parted) mklabel gpt
Warning: The existing disk label on /dev/sda will be destroyed and all data on
this disk will be lost. Do you want to continue?
Yes/No? yes

(parted) mkpart primary ext4 0% 200MB

(parted) set 1 boot on

(parted) mkpart primary ext4 200MB  -1

(parted) print

Number  Start   End    Size     File system  Name  Flags
 1      1049kB  200MB  199MB    ext4               boot
 2      200MB   300GB  299.9GB  ext4

(parted) quit

$ sudo modprobe dm_crypt

$ sudo cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sda2

Last edited by parpagnas (2013-05-27 18:18:09)


#7 2013-05-27 20:23:36

parpagnas
Member
Registered: 2013-05-15
Posts: 17

Re: [SOLVED] Impossible to crypt the drive using cryptsetup

I rebooted the computer, redid the how-to I have just pasted and everything is now working like a charm... like magic...

Thanks for your help Strike0, it's much appreciated.


#8 2013-05-27 20:47:52

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] Impossible to crypt the drive using cryptsetup

There you go. Probably just a BIOS boot hiccup or something like that the first time around.
