I have already created the /run/cryptsetup folder which does not get automatically created when installing the cryptsetup package. Again, luks volumes work excellently.
Output of cryptsetup --debug open --type plain -c aes-cbc-essiv:sha256 -s 256 --key-file /some-key.key /dev/sda e1 follows:
# cryptsetup 2.1.0 processing "cryptsetup --debug open --type plain -c aes-cbc-essiv:sha256 -s 256 --key-file /root/wdc.key /dev/sda e1"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sda.
# Trying to open and read device /dev/sda with direct-io.
# Initialising device-mapper backend library.
# Formatting device /dev/sda as type PLAIN.
# Crypto backend (Linux 4.14.209 kernel cryptoAPI) initialized in cryptsetup library version 2.1.0.
# Detected kernel Linux 4.14.209 mips.
# Activating volume e1 [keyslot -1] using keyfile /******.key.
# dm version [ opencount flush ] [16384] (*1)
# dm versions [ opencount flush ] [16384] (*1)
# Detected dm-ioctl version 4.37.0.
# Detected dm-crypt version 1.18.1.
# Device-mapper backend running with UDEV support disabled.
# dm status e1 [ opencount noflush ] [16384] (*1)
# Trying to activate PLAIN device e1 using cipher aes-cbc-essiv:sha256.
# dm versions [ opencount flush ] [16384] (*1)
# dm status e1 [ opencount noflush ] [16384] (*1)
# Calculated device size is 9767475200 sectors (RW), offset 0.
# DM-UUID is CRYPT-PLAIN-e1
# dm create e1 CRYPT-PLAIN-e1 [ opencount flush ] [16384] (*1)
# dm reload e1 [ opencount flush securedata ] [16384] (*1)
device-mapper: reload ioctl on failed: No such file or directory
# dm remove e1 [ opencount flush securedata ] [16384] (*1)
# e1: Stacking NODE_DEL
# e1: Processing NODE_DEL
# Releasing crypt device /dev/sda context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).
It seems like a bug to me, but because I'm not sure, I'm asking for help here
Since you said you are using a snapshot it probably doesn't have "essiv" installed. Check "lsmod". You need kmod-crypto-essiv. You will need to compile your own kernel for that and select ESSIV via make kernel_menuconfig.
With the same cipher LUKS/LUKS2 will also fail. Same if you would switch to "--cipher aes-xts-plain64". "kmod-crypto-xts" is also not selected by default.
BTW using PLAIN is not recommended over LUKS2 but its not my data that will be lost if you ever use the wrong passphrase or wish / need to change the password.
I'm so happy when someone can magically spot the problem that's been bothering me for days.
Admittedly, I didn't spend 10's of hours reading the appropriate documentation.
It turns out that switching to "--cipher aes-xts-plain64" 'solves' the problem (obviously the "kmod-crypto-xts" package needs to be installed for that). So, I gather that I was missing the cipher package for the default cipher used in dm-plain (apparrently "kmod-crypto-essiv").
However, not in the latest stable (19.07.5) not in SNAPSHOT is this package available from the repository. Shouldn't there be an easy way to get it? I haven't tried compiling etc, I only use the precompiled images
Thanks for the heads-up on the PLAIN format, I have put appropriate thought on it.
All the packages that are available via "make menuconfig" are available for download. Anything else you need configured in the kernel (make kernel_menuconfig) has to be compiled from source.
I have no idea what the criteria are for a specific kmod package to be directly available. But since echainiv and seqiv are available, maybe essiv should be added to the crypto.mk within the kernel package.
Alright, installing the kmod-crypto-cbc solved my issue. I suppose by default plain mode uses the aes-cbc-essiv cipher. There is no kmod-crypto-essiv package, but there is a kmod-crypto-iv package which I have installed.
For future reference, the relevant packages (as far as I can tell) that I have installed are:
You can query the opkg manager for anything kmod-crypto-* (also from the web interface, if installed) in case you face any similar issues in the future.