Cryptsetup with plain dm-crypt does not work

I've set up and used cryptsetup with the latest 19.07.5 and snapshot builds of OpenWRT.

Cryptseup works well for luks/luks2 encrypted volumes, but I cannot get it to work for plain dm-crypt volumes. The command I use is:

cryptsetup open --type plain --key-file /some-key.key /dev/sda e1

Error I get is:

device-mapper: reload ioctl on   failed: No such file or directory

Same error comes out of the following command (explicitly specifying cipher and key size, as I read at some random online topic):

cryptsetup open --type plain -c aes-cbc-essiv:sha256 -s 256 --key-file /some-key.key /dev/sda e1

I have already created the /run/cryptsetup folder which does not get automatically created when installing the cryptsetup package. Again, luks volumes work excellently.

Output of cryptsetup --debug open --type plain -c aes-cbc-essiv:sha256 -s 256 --key-file /some-key.key /dev/sda e1 follows:

# cryptsetup 2.1.0 processing "cryptsetup --debug open --type plain -c aes-cbc-essiv:sha256 -s 256 --key-file /root/wdc.key /dev/sda e1"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sda.
# Trying to open and read device /dev/sda with direct-io.
# Initialising device-mapper backend library.
# Formatting device /dev/sda as type PLAIN.
# Crypto backend (Linux 4.14.209 kernel cryptoAPI) initialized in cryptsetup library version 2.1.0.
# Detected kernel Linux 4.14.209 mips.
# Activating volume e1 [keyslot -1] using keyfile /******.key.
# dm version   [ opencount flush ]   [16384] (*1)
# dm versions   [ opencount flush ]   [16384] (*1)
# Detected dm-ioctl version 4.37.0.
# Detected dm-crypt version 1.18.1.
# Device-mapper backend running with UDEV support disabled.
# dm status e1  [ opencount noflush ]   [16384] (*1)
# Trying to activate PLAIN device e1 using cipher aes-cbc-essiv:sha256.
# dm versions   [ opencount flush ]   [16384] (*1)
# dm status e1  [ opencount noflush ]   [16384] (*1)
# Calculated device size is 9767475200 sectors (RW), offset 0.
# dm create e1 CRYPT-PLAIN-e1 [ opencount flush ]   [16384] (*1)
# dm reload e1  [ opencount flush securedata ]   [16384] (*1)
device-mapper: reload ioctl on   failed: No such file or directory
# dm remove e1  [ opencount flush securedata ]   [16384] (*1)
# e1: Stacking NODE_DEL
# e1: Processing NODE_DEL
# Releasing crypt device /dev/sda context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).

It seems like a bug to me, but because I'm not sure, I'm asking for help here

Check the log to get a better description of the error using the command "logread".

Very likely it will give you something like:

device-mapper: table: 253:0 crypt: Error allocating crypt tfm

Since you said you are using a snapshot it probably doesn't have "essiv" installed. Check "lsmod". You need kmod-crypto-essiv. You will need to compile your own kernel for that and select ESSIV via make kernel_menuconfig.

With the same cipher LUKS/LUKS2 will also fail. Same if you would switch to "--cipher aes-xts-plain64". "kmod-crypto-xts" is also not selected by default.

BTW using PLAIN is not recommended over LUKS2 but its not my data that will be lost if you ever use the wrong passphrase or wish / need to change the password.

1 Like

I'm so happy when someone can magically spot the problem that's been bothering me for days.
Admittedly, I didn't spend 10's of hours reading the appropriate documentation.

Indeed logread reads the following

device-mapper: table: 253:0 crypt: Error allocating crypt tfm

It turns out that switching to "--cipher aes-xts-plain64" 'solves' the problem (obviously the "kmod-crypto-xts" package needs to be installed for that). So, I gather that I was missing the cipher package for the default cipher used in dm-plain (apparrently "kmod-crypto-essiv").

However, not in the latest stable (19.07.5) not in SNAPSHOT is this package available from the repository. Shouldn't there be an easy way to get it? I haven't tried compiling etc, I only use the precompiled images

Thanks for the heads-up on the PLAIN format, I have put appropriate thought on it.

All the packages that are available via "make menuconfig" are available for download. Anything else you need configured in the kernel (make kernel_menuconfig) has to be compiled from source.

I have no idea what the criteria are for a specific kmod package to be directly available. But since echainiv and seqiv are available, maybe essiv should be added to the within the kernel package.

Alright, installing the kmod-crypto-cbc solved my issue. I suppose by default plain mode uses the aes-cbc-essiv cipher. There is no kmod-crypto-essiv package, but there is a kmod-crypto-iv package which I have installed.

For future reference, the relevant packages (as far as I can tell) that I have installed are:

kmod-crypto-ecb kmod-crypto-xts kmod-crypto-iv kmod-crypto-cbc kmod-crypto-misc kmod-crypto-user kmod-loop cryptsetup

You can query the opkg manager for anything kmod-crypto-* (also from the web interface, if installed) in case you face any similar issues in the future.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.