Cryptsetup fails to open LUKS encrypted drive on 19.07.3

Hi everyone,

I have a Mikrotik RBM33G (SoC Type: MediaTek MT7621) running OpenWrt 19.07.3 (with Linux 4.14.180 #0 SMP Sat May 16 18:32:20 2020 mips GNU/Linux). Just upgraded from 19.07.2 (where I faced the same issue).

I am not able to decrypt a hard drive connected to my router, although I know cryptsetup is being provided with the right key, as I've tried both copy-pasting the passphrase from a password manager and unlocking the drive with a key file. In both cases, I get the same error:

Command failed with code -1 (wrong or missing parameters).

Here is the full output of a debug cryptsetup command:

# cryptsetup 2.1.0 processing "cryptsetup --debug open /dev/sda1 backup"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sda1.
# Trying to open and read device /dev/sda1 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/sda1.
# Crypto backend (Linux 4.14.180 kernel cryptoAPI) initialized in cryptsetup library version 2.1.0.
# Detected kernel Linux 4.14.180 mips.
# PBKDF pbkdf2, hash sha256, time_ms 2000 (iterations 0), max_memory_kb 0, parallel_threads 0.
# Reading LUKS header of size 1024 from device /dev/sda1
# Key length 64, device size 3907020800 sectors, header size 4036 sectors.
# Activating volume backup using token -1.
# Interactive passphrase entry requested.
Enter passphrase for /dev/sda1: 
# Activating volume backup [keyslot -1] using passphrase.
# dm version   [ opencount flush ]   [16384] (*1)
# dm versions   [ opencount flush ]   [16384] (*1)
# Detected dm-ioctl version 4.37.0.
# Detected dm-crypt version 1.18.1.
# Device-mapper backend running with UDEV support disabled.
# dm status backup  [ opencount noflush ]   [16384] (*1)
# Trying to open key slot 0 [ACTIVE].
# Releasing crypt device /dev/sda1 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).

Interestingly, it makes no difference whether I type in a wrong password, the right password, an empty password or provide a keyfile.

Everything else looks normal otherwise (block info sees the LUKS partition, dmesg output shows the drive properly found). Any clues?

Can you reproduce the issue with a new LUKS volume?

Not sure, but doesn't open also need a --type parameter? At least the manpage seems to suggest that. Or you could try luksOpen instead.

1 Like

Manpage is telling what to do:

plainOpen: open --type plain
luksOpen: open --type luks
loopaesOpen: open --type loopaes
tcryptOpen: open --type tcrypt
bitlkOpen: open --type bitlk

--> either "luksOpen" or "open --type luks"

1 Like

No, that's actually not necessary, cryptsetup figures out it's a LUKS drive and sets the right type itself. You can see in the log that it picks a LUKS slot, for instance.
In any case, explicitly using luksOpen or --type=luks makes no difference and results in the same error.

I'll try creating a new LUKS device locally to see if that makes any difference. It would be interesting if it does.

I finally got around to trying to create a temporary LUKS volume with cryptsetup -v luksFormat /tmp/luks-test-volume.

Here are the results:

Device /tmp/luks-test-volume doesn't exist or access denied
Command failed with code -1 (wrong or missing parameters).

This is literally seconds after creating a 100 MB volume with dd.

Not sure what to make of it, but it doesn't sound good regarding the version of cryptsetup in 19.07.3. Any ideas, @vgaetera?

/tmp is typically a tmpfs, it doesn't survive reboot.

Make sure the file exists:

ls -h -l /tmp

I actually created the volume with dd seconds before trying to create a LUKS volume on it. So the file definitely exists.

For the sake of testing, and because I'd actually created a 10 KB and not a 100 MB volume by mistake, I deleted the test volume and started over (with a 64 MB test file/volume, not that the size should matter much).

It still fails, but the error is still the same. Here is the full error:

Attaching loopback device failed (loop device with autoclear flag is required).
Device /tmp/luks-test-volume doesn't exist or access denied.
Command failed with code -1 (wrong or missing parameters).

The fact cryptsetup complained about the loopback device gave me pause, and sure enough, after checking, kmod-loop is not installed by default, nor is it suggested in the wiki page on storage encryption (nor in the forum post linked to by @vgaetera). After a quick opkg install kmod-loop, we get a new error:

root@OpenWrt:~# cryptsetup -v luksFormat /tmp/luks-test-volume 

WARNING!
========
This will overwrite data on /tmp/luks-test-volume irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /tmp/luks-test-volume: 
Verify passphrase: 
device-mapper: reload ioctl on   failed: No such file or directory
Failed to setup dm-crypt key mapping for device /tmp/luks-test-volume.
Check that kernel supports aes-xts-plain64 cipher (check syslog for more info).
device-mapper: remove ioctl on temporary-cryptsetup-30361  failed: No such device or address
device-mapper: table ioctl on   failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-30361  failed: No such device or address
device-mapper: table ioctl on   failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-30361  failed: No such device or address
device-mapper: table ioctl on   failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-30361  failed: No such device or address
device-mapper: table ioctl on   failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-30361  failed: No such device or address
Command failed with code -1 (wrong or missing parameters).

Don't have more time to investigate right now, but it looks like the encryption algorithm is missing, even though the kmod-crypto-xts package is installed.

1 Like
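
Added example, not part of any post in this thread: a shell function that classifies a saved cryptsetup transcript using the messages quoted above, separating a rejected passphrase (code -2) from the environment failures seen here (code -1). The function names, category labels and sample files are assumptions made for the example; the code -2 lines are cryptsetup's standard wrong-passphrase output and do not appear in the thread.

```shell
#!/bin/sh
# Classify a saved cryptsetup transcript, e.g. the output of
# `cryptsetup --debug open ...` redirected to a file.
# Category names are labels invented for this example.
triage_cryptsetup_log() {
    log=$1
    # Specific hints first; cryptsetup prints them before "Command failed".
    if grep -q 'loop device with autoclear flag is required' "$log"; then
        echo loop-missing           # file-backed volume without a loop driver
    elif grep -q 'Check that kernel supports .* cipher' "$log"; then
        echo cipher-unavailable     # dm-crypt could not set up the key mapping
    elif grep -q 'Command failed with code -2' "$log"; then
        echo bad-passphrase         # the key itself was rejected
    elif grep -q 'Command failed with code -1' "$log"; then
        # A key mismatch is reported as -2, so -1 after a key slot attempt
        # points at key slot processing rather than the passphrase.
        if grep -q 'Trying to open key slot' "$log"; then
            echo keyslot-backend-error
        else
            echo parameter-error
        fi
    else
        echo no-failure-found
    fi
}

# Constructed samples: lines copied from the thread, except the badkey.log
# lines, which are cryptsetup's usual wrong-passphrase output.
write_samples() {
    dir=$1
    printf '%s\n' '# Trying to open key slot 0 [ACTIVE].' \
        'Command failed with code -1 (wrong or missing parameters).' > "$dir/open.log"
    printf '%s\n' 'Attaching loopback device failed (loop device with autoclear flag is required).' \
        'Command failed with code -1 (wrong or missing parameters).' > "$dir/loop.log"
    printf '%s\n' 'Check that kernel supports aes-xts-plain64 cipher (check syslog for more info).' \
        'Command failed with code -1 (wrong or missing parameters).' > "$dir/cipher.log"
    printf '%s\n' 'No key available with this passphrase.' \
        'Command failed with code -2 (no permission or bad passphrase).' > "$dir/badkey.log"
}

# Demo run over the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in open loop cipher badkey; do
    printf '%s: %s\n' "$f" "$(triage_cryptsetup_log "$tmp/$f.log")"
done
rm -rf "$tmp"
```
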

Here is my full log for a crypto volume on tmpfs:

# opkg install cryptsetup
Package cryptsetup (2.1.0-2) installed in root is up to date.

# dd if=/dev/zero of=/tmp/crypto bs=1M count=50
50+0 records in
50+0 records out

# cryptsetup luksFormat /tmp/crypto

WARNING!
========
This will overwrite data on /tmp/crypto irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /tmp/crypto: 
Verify passphrase: 

# cryptsetup luksOpen /tmp/crypto open
Enter passphrase for /tmp/crypto: 

# mkfs.ext4 /dev/mapper/open
mke2fs 1.44.5 (15-Dec-2018)
Creating filesystem with 34816 1k blocks and 8720 inodes
Filesystem UUID: 9e00e7b1-a6b2-487f-801c-8ee2dbffc1df
Superblock backups stored on blocks: 
	8193, 24577

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

# mount /dev/mapper/open /mnt

# ls -l /mnt
drwx------    2 root     root         12288 Aug 17 19:47 lost+found

# umount /mnt

# cryptsetup luksClose /dev/mapper/open
Locking aborted. The locking path /run/cryptsetup is unusable (not a directory or missing).
Failed to acquire read lock on device /dev/loop0.

The last command seems to fail, but it actually works fine.

1 Like