OpenWrt and luks decrypt

HTMofDreams · June 28, 2022, 9:42am

I want to decrypt with luks my extern HDD. I have installed cryptsetup. I get this error when I want uo decrypt:

root@OpenWrt:~# cryptsetup -v luksOpen /dev/sda1 tmp
Enter passphrase for /dev/sda1: 
device-mapper: reload ioctl on tmp (253:0) failed: No such file or directory
Command failed with code -4 (wrong device or file specified).

Do I miss a cipher?
my luksDump:

Version:        1
Cipher name:    aes
Cipher mode:    xts-essiv:sha256
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      4e 27 3a e1 0e 4e 73 92 fc 10 46 36 78 37 60 a2 84 05 c4 d8 
MK salt:        be 94 98 ee 3c 25 1a 16 31 36 6e 83 bb 50 b0 10 
                03 c8 e4 ee 18 28 c4 1c ee 17 5d fc 0b b5 3a 56 
MK iterations:  55258
UUID:           f5ccce4c-4fa8-4da2-857e-b08e42e67682

Key Slot 0: ENABLED
        Iterations:             881156
        Salt:                   d1 8e b8 de 93 f6 32 96 e7 39 78 71 89 d4 36 a6 
                                6d 04 35 c4 7c 62 dd 98 1f fe f7 7b 20 de d2 93 
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

RuralRoots · June 28, 2022, 11:23am

You could try specifying cipher, key size and hash algorithm explicitly e.g.:

cryptsetup open -c aes -s 256 -h ripemd160 <name> <dev>

I am curious though why you use tmp as your encrypted volume name.

HTMofDreams · June 28, 2022, 6:56pm

No, sorry. I got the same error.

/tmp was only for testing.

RuralRoots · June 29, 2022, 3:46am

What OpenWrt version are you running and what platform are you using?
Did you follow the wiki https://openwrt.org/docs/guide-user/storage/disk.encryption#disk_encryption to install the encryption packages?

The reason I ask is that your luksDump shows Version 1. OpenWrt package repository provides Version 2 on recent builds.

Here is my current luksDump as an example.

Summary

cryptsetup luksDump /dev/sda1
LUKS header information
Version: 2
Epoch: 4
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: ad8c79dc-c8d4-4b34-a4e0-f5ec83ae9248
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)

Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]

Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 4
Memory: 92695
Threads: 2
Salt: e2 08 6d dd b6 f0 ac 3f 2f ea 92 48 35 f2 8f 72
ee a7 26 ed 3e 04 27 65 c9 ac 94 d8 fc 48 c5 5a
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
1: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 4
Memory: 92239
Threads: 2
Salt: 10 ba 84 93 93 66 4e 2b a5 78 8d d6 b7 4f 3b 88
---TRUNCATED---

HTMofDreams · June 29, 2022, 3:16pm

luks Version 1, is not supported? But I can mount it on my Linux PCs, with Debian 11.

RuralRoots · June 29, 2022, 5:50pm

Yes, Version 1 is supported and I believe backward compatible with V2.

I didn't realize the encrypted drive was coming from a Linux distro.

So the question remains, did you install cryptsetup and the crypto kmods?

kmod-crypto-ecb 
kmod-crypto-xts 
kmod-crypto-misc 
kmod-crypto-user 
cryptsetup

HTMofDreams · July 1, 2022, 7:27pm

With OpenWrt 19.07.10 r11427-9ce6aa9d8d it works. I think a cipher is not in the repository of newer versions.
I think, this cipher is missing 'kmod-crypto-iv'

system · July 11, 2022, 7:28pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.