Mount encrypted ext4 disk

#1

Hi all.

Great box!

I try to mount external hdd that is ext4 encrypted (luks).

Installed cryptsetup and then:

$ sudo cryptsetup luksOpen /dev/sda1 EXT_HDD
Enter passphrase for /dev/sda1:
device-mapper: reload ioctl on failed: No such file or directory
Failed to setup dm-crypt key mapping for device /dev/sda1.
Check that kernel supports aes-xts-plain64 cipher (check syslog for more info).
device-mapper: remove ioctl on temporary-cryptsetup-21945 failed: No such device or address
device-mapper: table ioctl on failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-21945 failed: No such device or address
device-mapper: table ioctl on failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-21945 failed: No such device or address
device-mapper: table ioctl on failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-21945 failed: No such device or address
device-mapper: table ioctl on failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-21945 failed: No such device or address

The relevant entries in syslog:

May 8 21:58:15 freedombox kernel: [35466.556738] device-mapper: table: 254:0: crypt: Error allocating crypto tfm
May 8 21:58:15 freedombox kernel: [35466.563827] device-mapper: ioctl: error adding target to table

Any help appreciated.

Best regards,
Kat

1 Like
#2

There is nothing in FreedomBox software that could cause issues with using LUKS encrypted drives compared to a plain Debian machine.

How was the disk connected? It is powered separately via powered USB hub or separate power cable to the disk? If not perhaps the problem is with power.

  • Try accessing the disk with xxd /dev/sda1. Is that yielding errors?
  • Or is another, perhaps unencrypted partition, mountable and accessible?
  • What above the disk being accessible from regular Debian machine?

If nothing works, this should be reported to Debian or Olimex.

#3

Disk connected only with USB cable.

xxd /dev/sda1 works fine. No errors.
No unencrypted partition to test.
Disk works fine on Ubuntu bionic.

It seems the kernel does not support the cipher. Found thread explaining how to see which ciphers kernel supports by doing zcat /proc/config.gz | grep CRYPTO but there is no /proc/config.gz.

Anyone more experienced? Do I need to recompile or get a newer kernel?

#4

I was able to reproduce your issue on my Lime2 (problem is not reproducible on my FreedomBox amd64 VM):

root@freedombox:~# dd if=/dev/zero of=test-crypto-disk bs=1M count=10
10+0 records in   
10+0 records out  
10485760 bytes (10 MB, 10 MiB) copied, 0.0555911 s, 189 MB/s

root@freedombox:~# cryptsetup luksFormat test-crypto-disk

WARNING!
========
This will overwrite data on test-crypto-disk irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for test-crypto-disk:
Verify passphrase:

device-mapper: reload ioctl on   failed: No such file or directory
Failed to setup dm-crypt key mapping for device test-crypto-disk.
Check that kernel supports aes-xts-plain64 cipher (check syslog for more info).
device-mapper: remove ioctl on temporary-cryptsetup-4461  failed: No such device or address                                                                                        
device-mapper: table ioctl on   failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-4461  failed: No such device or address                                                                                        
device-mapper: table ioctl on   failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-4461  failed: No such device or address                                                                                        
device-mapper: table ioctl on   failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-4461  failed: No such device or address                                                                                        
device-mapper: table ioctl on   failed: No such device or address
device-mapper: remove ioctl on temporary-cryptsetup-4461  failed: No such device or address  

On a Debian machine, the kernel configuration is available from /boot. Here is the output of cat /boot/config-4.19.0-4-armmp-lpae | grep CRYPTO on my FreedomBox.

# CONFIG_ARM_CRYPTO is not set
# CONFIG_BLK_DEV_CRYPTOLOOP is not set
CONFIG_RT2X00_LIB_CRYPTO=y                                           
CONFIG_CRYPTO=y         
CONFIG_CRYPTO_ALGAPI=y        
CONFIG_CRYPTO_ALGAPI2=y                                     
CONFIG_CRYPTO_AEAD=m                                     
CONFIG_CRYPTO_AEAD2=y         
CONFIG_CRYPTO_BLKCIPHER=m
CONFIG_CRYPTO_BLKCIPHER2=y        
CONFIG_CRYPTO_HASH=y                                     
CONFIG_CRYPTO_HASH2=y  
CONFIG_CRYPTO_RNG=m                    
CONFIG_CRYPTO_RNG2=y                  
CONFIG_CRYPTO_RNG_DEFAULT=m
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_AKCIPHER=y                                 
CONFIG_CRYPTO_KPP2=y                
CONFIG_CRYPTO_KPP=y                
CONFIG_CRYPTO_ACOMP2=y   
CONFIG_CRYPTO_RSA=y                                      
CONFIG_CRYPTO_DH=y                 
CONFIG_CRYPTO_ECDH=m                       
CONFIG_CRYPTO_MANAGER=y          
CONFIG_CRYPTO_MANAGER2=y    
CONFIG_CRYPTO_USER=m                                     
# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
CONFIG_CRYPTO_GF128MUL=m    
CONFIG_CRYPTO_NULL=m            
CONFIG_CRYPTO_NULL2=y                                    
CONFIG_CRYPTO_PCRYPT=m             
CONFIG_CRYPTO_WORKQUEUE=y              
# CONFIG_CRYPTO_CRYPTD is not set      
# CONFIG_CRYPTO_MCRYPTD is not set       
CONFIG_CRYPTO_AUTHENC=m              
CONFIG_CRYPTO_TEST=m                                              
CONFIG_CRYPTO_ENGINE=m                   
CONFIG_CRYPTO_CCM=m                         
CONFIG_CRYPTO_GCM=m                    
CONFIG_CRYPTO_CHACHA20POLY1305=m
CONFIG_CRYPTO_AEGIS128=m                    
CONFIG_CRYPTO_AEGIS128L=m              
CONFIG_CRYPTO_AEGIS256=m   
CONFIG_CRYPTO_MORUS640=m   
CONFIG_CRYPTO_MORUS1280=m                                            
CONFIG_CRYPTO_SEQIV=m                                                     
CONFIG_CRYPTO_ECHAINIV=m      
CONFIG_CRYPTO_CBC=m                   
# CONFIG_CRYPTO_CFB is not set                                       
CONFIG_CRYPTO_CTR=m     
CONFIG_CRYPTO_CTS=m           
CONFIG_CRYPTO_ECB=m                                         
CONFIG_CRYPTO_LRW=m                                      
CONFIG_CRYPTO_PCBC=m          
CONFIG_CRYPTO_XTS=m      
# CONFIG_CRYPTO_KEYWRAP is not set
CONFIG_CRYPTO_CMAC=m                                     
CONFIG_CRYPTO_HMAC=y   
CONFIG_CRYPTO_XCBC=m                   
CONFIG_CRYPTO_VMAC=m                  
CONFIG_CRYPTO_CRC32C=m     
CONFIG_CRYPTO_CRC32=m    
CONFIG_CRYPTO_CRCT10DIF=y                                
CONFIG_CRYPTO_GHASH=m               
CONFIG_CRYPTO_POLY1305=m           
CONFIG_CRYPTO_MD4=m      
CONFIG_CRYPTO_MD5=y                                      
CONFIG_CRYPTO_MICHAEL_MIC=m        
CONFIG_CRYPTO_RMD128=m                     
CONFIG_CRYPTO_RMD160=m           
CONFIG_CRYPTO_RMD256=m      
CONFIG_CRYPTO_RMD320=m                                   
CONFIG_CRYPTO_SHA1=y                            
CONFIG_CRYPTO_SHA256=y      
CONFIG_CRYPTO_SHA512=m          
CONFIG_CRYPTO_SHA3=m                                     
# CONFIG_CRYPTO_SM3 is not set     
CONFIG_CRYPTO_TGR192=m                 
CONFIG_CRYPTO_WP512=m                  
CONFIG_CRYPTO_AES=y                      
# CONFIG_CRYPTO_AES_TI is not set    
CONFIG_CRYPTO_ANUBIS=m                                            
CONFIG_CRYPTO_ARC4=m                     
CONFIG_CRYPTO_BLOWFISH=m                    
CONFIG_CRYPTO_BLOWFISH_COMMON=m        
CONFIG_CRYPTO_CAMELLIA=m        
CONFIG_CRYPTO_CAST_COMMON=m                 
CONFIG_CRYPTO_CAST5=m                  
CONFIG_CRYPTO_CAST6=m      
CONFIG_CRYPTO_DES=m        
CONFIG_CRYPTO_FCRYPT=m                                                
CONFIG_CRYPTO_KHAZAD=m                                                    
CONFIG_CRYPTO_SALSA20=m       
CONFIG_CRYPTO_CHACHA20=m              
CONFIG_CRYPTO_SEED=m                                                 
CONFIG_CRYPTO_SERPENT=m 
# CONFIG_CRYPTO_SM4 is not set
CONFIG_CRYPTO_TEA=m                                         
CONFIG_CRYPTO_TWOFISH=m                                  
CONFIG_CRYPTO_TWOFISH_COMMON=m
CONFIG_CRYPTO_DEFLATE=m  
CONFIG_CRYPTO_LZO=y               
# CONFIG_CRYPTO_842 is not set                           
CONFIG_CRYPTO_LZ4=m    
CONFIG_CRYPTO_LZ4HC=m                  
# CONFIG_CRYPTO_ZSTD is not set       
CONFIG_CRYPTO_ANSI_CPRNG=m 
CONFIG_CRYPTO_DRBG_MENU=m
CONFIG_CRYPTO_DRBG_HMAC=y                                
# CONFIG_CRYPTO_DRBG_HASH is not set
# CONFIG_CRYPTO_DRBG_CTR is not set
CONFIG_CRYPTO_DRBG=m     
CONFIG_CRYPTO_JITTERENTROPY=m                            
CONFIG_CRYPTO_USER_API=m           
CONFIG_CRYPTO_USER_API_HASH=m              
CONFIG_CRYPTO_USER_API_SKCIPHER=m
CONFIG_CRYPTO_USER_API_RNG=m
CONFIG_CRYPTO_USER_API_AEAD=m                            
CONFIG_CRYPTO_HASH_INFO=y                       
CONFIG_CRYPTO_HW=y          
CONFIG_CRYPTO_DEV_MARVELL_CESA=m
# CONFIG_CRYPTO_DEV_FSL_CAAM is not set                  
# CONFIG_CRYPTO_DEV_OMAP is not set
# CONFIG_CRYPTO_DEV_SAHARA is not set  
# CONFIG_CRYPTO_DEV_MXC_SCC is not set 
# CONFIG_CRYPTO_DEV_EXYNOS_RNG is not set
# CONFIG_CRYPTO_DEV_S5P is not set   
# CONFIG_CRYPTO_DEV_MXS_DCP is not set                            
CONFIG_CRYPTO_DEV_SUN4I_SS=m             
# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set
# CONFIG_CRYPTO_DEV_ROCKCHIP is not set
CONFIG_CRYPTO_DEV_CHELSIO=m     
CONFIG_CRYPTO_DEV_VIRTIO=m                  
# CONFIG_CRYPTO_DEV_CCREE is not set   

This is starting to look like a bug in Debian’s configuration of the ARM kernel. If we find the missing configuration option we can file a bug report in Debian.

CALL: Sunday, May 26th at 17:00 UTC
#5

Not sure it helps, but on the freedombox:

$ cat /boot/config-4.19.0-4-armmp-lpae  | grep CRYPTO | grep -i aes
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_AES_TI is not set

And on a laptop (diff kernel version) that can mount the encrypted ext hdd:

$ cat /boot/config-4.15.0-48-generic | grep CRYPTO | grep -i aes
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_TI=m
CONFIG_CRYPTO_AES_X86_64=m
CONFIG_CRYPTO_AES_NI_INTEL=m
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=m