Check that kernel supports aes-xts-plain64 cipher

2

After an update I can't access my encrypted disk.

When trying to do so:

sudo cryptsetup luksOpen /dev/sda8 Documents


Failed to setup dm-crypt key mapping
Check that kernel supports aes-xts-plain64 cipher (check syslog for more info)

I did:

lsmod | grep -i aes
aesni_intel           167997  3
aes_x86_64             16719  1 aesni_intel
lrw                    12757  1 aesni_intel
glue_helper            12649  1 aesni_intel
ablk_helper            12572  1 aesni_intel
cryptd                 18553  2 aesni_intel,ablk_helper

Also:

lsmod | grep -i dm-mod
lsmod | grep -i dm-crypt
lsmod | grep -i sha256
lsmod | grep -i xts 

and they didn't return anything, so I modprobed all of these, but I still have the same issue.

George

Posted 2016-02-13T19:01:58.153

Reputation: 167

What does zgrep CONFIG_CRYPTO_XTS /proc/config.gz return? – Tom Yan – 2016-02-13T20:26:08.563

@Tom Yan: CONFIG_CRYPTO_XTS=m – George – 2016-02-13T20:33:43.943

so is the xts module loaded (or can it be loaded)? – Tom Yan – 2016-02-13T20:38:19.723

@Tom Yan: Yes, I am using modprobe xts also. But still the same – George – 2016-02-13T20:44:56.993

So have you checked your syslog as told? (dmesg?) – Tom Yan – 2016-02-13T20:47:13.093

@Tom Yan: Yes, but I can't find anything. I am using dmesg | grep crypt and journalctl | grep crypt or grep aes or similar. – George – 2016-02-13T20:56:58.353

You don't really need grep for that. You just need to see if any new messages pop up after you failed to run what you wanted (btw, what's the exact command you ran that gives you that error? I think you should add it to your post) – Tom Yan – 2016-02-13T21:03:07.047

@Tom Yan: I updated. In dmesg, after running the command, I can't see any new message. – George – 2016-02-13T21:15:05.753

Not sure if it's relevant but, have you run luksFormat on /dev/sda8 before luksOpen? – Tom Yan – 2016-02-13T21:20:52.783

@Tom Yan: Yes, of course. I have been using this partition for a long time. – George – 2016-02-13T21:21:46.233

Let us continue this discussion in chat.

– Tom Yan – 2016-02-13T21:24:28.200

Answers

2

According to man cryptsetup :

The available combinations of ciphers, modes, hashes and key sizes depend on kernel support. See /proc/crypto for a list of available options. You might need to load additional kernel crypto modules in order to get more options.

Also try cryptsetup --help to show defaults.


FYI: My (Linux Mint) cryptsetup works fine with default LUKS. My cryptsetup --help has this at the end:

Default compiled-in device cipher parameters:
    loop-AES: aes, Key 256 bits
    plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
    LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha1, RNG: /dev/urandom

And my lsmod contains no mention of sha, aes, or xts, but does have:

dm_crypt 22653 0 (note the underscore, not a dash like in your Q)

And my /proc/crypto has:

$ grep name.*aes /proc/crypto|cut -d : -f 2
 cbc(aes)
 aes

Xen2050

Posted 2016-02-13T19:01:58.153

Reputation: 12 097

Thanks for the info. I downgraded to the previous kernel and it works fine now. – George – 2016-02-14T20:37:35.920
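
The /proc/crypto lookup and the dm_crypt naming point from the answer above, as an added shell example (not code from the original posts): it maps a dm-crypt cipher spec to the kernel crypto API name and checks whether that name and the dm_crypt module are present. The function names and the sample /proc/crypto and /proc/modules contents are constructed for illustration.

```shell
#!/bin/sh
# Map a dm-crypt spec (cipher-chainmode-ivmode[:opts]) to the kernel crypto
# API name that dm-crypt requests, e.g. aes-xts-plain64 -> xts(aes).
spec_to_alg() {
    cipher=${1%%-*}; rest=${1#*-}; mode=${rest%%-*}
    printf '%s(%s)\n' "$mode" "$cipher"
}

# Succeed if algorithm $1 has a "name : ..." entry in the /proc/crypto-format
# file $2 (defaults to the live /proc/crypto).
alg_registered() {
    awk -F' *: *' -v want="$1" \
        '$1 == "name" && $2 == want { found = 1 } END { exit !found }' \
        "${2:-/proc/crypto}"
}

# Succeed if module $1 is listed in the /proc/modules-format file $2.
# The kernel lists modules with underscores, so dm-crypt becomes dm_crypt.
module_loaded() {
    name=$(printf '%s' "$1" | sed 's/-/_/g')
    awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}"
}

# One-line report. Usage: diagnose SPEC CRYPTO_FILE MODULES_FILE
diagnose() {
    alg=$(spec_to_alg "$1")
    alg_registered "$alg" "$2" && reg=registered || reg=not-registered
    module_loaded dm-crypt "$3" && dm=loaded || dm=missing
    echo "$1 -> $alg: $reg, dm_crypt $dm"
}

# Constructed sample data standing in for /proc/crypto and /proc/modules.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/crypto" <<'EOF'
name         : xts(aes)
driver       : xts-aes-aesni
module       : aesni_intel

name         : aes
driver       : aes-aesni
module       : aesni_intel
EOF
cat > "$SAMPLE_DIR/modules" <<'EOF'
aesni_intel 167997 3 - Live 0x0000000000000000
dm_crypt 22653 0 - Live 0x0000000000000000
EOF
diagnose aes-xts-plain64 "$SAMPLE_DIR/crypto" "$SAMPLE_DIR/modules"
diagnose aes-cbc-essiv:sha256 "$SAMPLE_DIR/crypto" "$SAMPLE_DIR/modules"
```

On a live system, pass /proc/crypto and /proc/modules as the file arguments. The kernel can instantiate a mode such as xts(aes) on first use, so "not-registered" is a hint to look further, not proof that the cipher is unsupported.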