LUKS - Not enough available memory to open a keyslot

Hello everyone! :wave:

I just supercharged an old AVM 7362 SL (128/128MB) with OpenWrt 23.05.3.

As I also want to use this device to serve some files via Samba, I followed this tutorial and added all packages needed for that task:

https://openwrt.org/docs/guide-user/services/nas/usb-storage-samba-webinterface

Also I went ahead and installed all packages mentioned here:

https://openwrt.org/docs/guide-user/storage/disk.encryption#disk_encryption

What is possible now is to plug in a USB drive with an ext4-LUKS encrypted partition and have this detected and visible in the "Mount points" tab of the LuCI web UI:

:x: :x: :x: NO IMAGE :x: :x: :x:
:x: An error occurred: Sorry, new users can only put one embedded media item in a post. :x:

Now it looks like I can't make use of the web UI to unlock the drive, so I went over to a terminal session via SSH and executed the following:

cryptsetup -v luksOpen /dev/sda1 tmp

I kindly get asked for the passphrase:

Enter passphrase for /dev/sda1: 

But it's not possible to actually unlock the drive; instead I get the following error:

Not enough available memory to open a keyslot.
Command failed with code -3 (out of memory).

Any clue what's going (wr)on(g)?

Anything wrong with the error message provided by the OS/application?

Not quite sure - I'm just a user, do you maybe know more?

According to this thread LUKS is actually broken on openwrt 23.x

Last working version was openwrt 19.07 but that is already EOL

Aren't we all?

They're not getting the same error as you, apples and bananas?

Stop samba, and try to unlock the drive.

You have around 14 years more experience with openwrt so you might fall in the group advanced users and can give tips like:

I stopped samba4 via web ui: System -> Startup -> samba4 [stop]

but it doesn't seem to have much impact on memory usage (even less available now: 29.2MB)

Error is the same:

Not enough available memory to open a keyslot.
Command failed with code -3 (out of memory).

What else are you running, your memory usage is pretty high...

Nothing in particular, it's just a fresh install. Only one package more is in the image not mentioned in the first thread (luci-proto-wireguard) but it's not configured.

Can you try the:

--pbkdf-memory 32

option?

On my way :running_man:

cryptsetup -v --pbkdf-memory 32 luksOpen /dev/sda1 tmp

Same Error:

Not enough available memory to open a keyslot.
Command failed with code -3 (out of memory).

I can open my LUKS drive and mount it, too ... but I get errors when I do some file operations, like copy/move/edit a file.
In OpenWrt 19.x, LUKS works fine. But in OpenWrt higher than 19.x, LUKS throws errors when I do some file operations.

So you had success unlocking via LUKS on 23.x? Same hardware (avm 7362sl)?

I found this:
https://unix.stackexchange.com/questions/647859/open-cryptsetup-out-of-memory-not-enough-available-memory-to-open-a-keyslot


LUKS2 uses Argon2i key derivation function which is memory-hard -- meaning it requires a lot of memory to open the device to prevent (or at least make it harder) brute force attacks using GPUs. You can check how much memory you need to open your device using cryptsetup luksDump /dev/sda2, look for the line Memory: 755294 under Keyslots.

For me that's

	Memory:     607222

Assuming that's 60MB or 600MB, would mean the error message thrown is accurate.

The GPU thing might however indicate it's actually 600.

I'm guessing the 19.07 LUKS didn't have the GPU protection, and required a lot less RAM.


I think it's that LUKS1 didn't have this, but LUKS2 does have it by default (making the encryption much stronger/more resistant to brute force).

I try to add a second low memory key at the moment :scientist:

It's RAM you're lacking, I assume, not disk/flash space.

You could try to manually install cryptsetup from v19, while running v23.

No guarantee it'll work though.

If the 600MB minimum is correct, the wiki entry should say <1GB RAM devices should be avoided.

So I added a second key with PBKDF2 (only cost of time no cost of memory = LUKS1 default) to the USB drive which is already setup with LUKS2.

Described in the second answer from that link:

In detail:

Vojtech Trefny already explained that this happens because of Argon2i requiring too much memory. Indeed, from man cryptsetup:

For PBKDF2, only time cost (number of iterations) applies. For Argon2i/id, there is also memory cost (memory required during the process of key derivation) and parallel cost (number of threads that run in parallel during the key derivation).

But, as long as you have access to hardware with sufficient memory [1], it is overkill to re-create the device.

Instead, using a computer with sufficient memory, just add a key to your encrypted device with pbkdf2,

cryptsetup luksAddKey -S 1 --pbkdf pbkdf2 /dev/sdxy

which assumes that the key slot 1 is free (you can find free key slots by inspecting cryptsetup luksDump /dev/sdxy).

Then, in your less powerful computer, unlock the device with

cryptsetup luksOpen -S 1 /dev/sdxy name

The -S 1 is essential, otherwise the more expensive key may be tried and the OOM killer triggered all the same.

[1]: Remember that you can always keep around a bootable USB with a minimal shell and core utilities (a Debian ISO cut it for me), and you will be able to boot it in most computers and access your encrypted volume.

And it unlocks! :unlock:

Enter passphrase for /dev/sda1: 
Key slot 1 unlocked.
Command successful.

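Added example, not part of any post in this thread: a shell helper that reads `cryptsetup luksDump` output and checks each LUKS2 keyslot's PBKDF memory cost against available RAM, so you can see which slot to pass to `-S` on a small device. The function names and the embedded dump are constructed for illustration; the Memory field is taken to be in KiB, the unit cryptsetup uses for Argon2 memory cost.

```shell
#!/bin/sh
# Added example: compare each LUKS2 keyslot's PBKDF memory cost with free RAM.

# Constructed luksDump excerpt (not real device output). Slot 0 carries the
# Memory value quoted in the thread; slot 1 stands for the added PBKDF2 key.
sample_dump() {
cat <<'EOF'
Keyslots:
  0: luks2
    PBKDF:      argon2i
    Memory:     607222
  1: luks2
    PBKDF:      pbkdf2
    Hash:       sha256
    Iterations: 1000000
Tokens:
EOF
}

# MemAvailable from the kernel, in KiB (same unit luksDump uses for Memory).
mem_available_kib() {
    awk '$1 == "MemAvailable:" { print $2 }' /proc/meminfo
}

# keyslot_report AVAIL_KIB < luksDump output
# Prints "slot pbkdf need_kib verdict" for every keyslot. "ok" is only a
# necessary condition: cryptsetup needs some working memory of its own too.
keyslot_report() {
    awk -v avail="$1" '
    function emit() {
        if (slot != "")
            printf "%s %s %d %s\n", slot, kdf, mem, (mem <= avail ? "ok" : "too-big")
    }
    /^Keyslots:/ { in_ks = 1; next }
    /^[A-Za-z]/  { if (in_ks) emit(); slot = ""; in_ks = 0 }   # next section
    in_ks && $1 ~ /^[0-9]+:$/ { emit(); slot = $1; sub(":", "", slot); kdf = "?"; mem = 0; next }
    in_ks && $1 == "PBKDF:"   { kdf = $2 }
    in_ks && $1 == "Memory:"  { mem = $2 }   # absent for pbkdf2, stays 0
    END { if (in_ks) emit() }'
}

# Space-separated list of slots that fit; pass one of them to "-S".
openable_slots() {
    keyslot_report "$1" | awk '$4 == "ok" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Demo with 29900 KiB free, roughly the 29.2MB reported in the thread.
# On a device: cryptsetup luksDump /dev/sda1 | keyslot_report "$(mem_available_kib)"
sample_dump | keyslot_report 29900
```

Read in KiB, 607222 is roughly 593 MiB. The cost is stored in the keyslot when the key is created and read back from the header at unlock time, which is consistent with `--pbkdf-memory 32` making no difference to `luksOpen` above.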

With 19.x, LUKS1 and LUKS2 work fine... When I know I want to use a LUKS device on my 7362 SL, I format it on my 7362 SL. Then I am sure that the LUKS device is working on my 7362 SL.

But ... I have no luck using LUKS1 or LUKS2 on OpenWrt higher than 19.x ... that's a pity ...
I can encrypt it and mount it, but I can't do some file operations, because this will destroy my data on the LUKS device.

Please tell me if LUKS works correctly on your 7362 SL device.


Can you do some file operations on your LUKS device, without errors?

dmesg

Great, should also go into the wiki, if it works.