[Bug 1647004] [NEW] invalid crypttab generated when using XTS mode

Simon Déziel 1647004 at bugs.launchpad.net
Sat Dec 3 02:44:58 UTC 2016


Public bug reported:

While installing Xenial with the latest daily ISO, I created a
cryptsetup partition to be used for swap. I used a random key and picked
AES 128 in XTS mode. This resulted in this line of crypttab

  nvme0n1p3_crypt /dev/nvme0n1p3 /dev/urandom cipher=aes-xts-plain64,swap,size=128,discard

During boot, systemd asked me to provide the passphrase to unlock that
partition (duh). Here is how to manually reproduce the problem (replace
nvme0n1p3 to match your system):

# /lib/systemd/systemd-cryptsetup attach 'nvme0n1p3_crypt' '/dev/nvme0n1p3' '/dev/urandom' 'cipher=aes-xts-plain64,swap,size=128,discard'
Set cipher aes, mode xts-plain64, key size 128 bits for device /dev/nvme0n1p3.
Failed to activate with key file '/dev/urandom': Invalid argument
Please enter passphrase for disk nvme0n1p3_crypt on none! 

After much fiddling, it appears that "size=128" is too small for XTS
mode. According to the cryptsetup man page, XTS requires the key to be
twice as long as the cipher. Here is some evidence to back the man page:

# /lib/systemd/systemd-cryptsetup attach 'nvme0n1p3_crypt' '/dev/nvme0n1p3' '/dev/urandom' 'cipher=aes-xts-plain64,size=256,swap,discard'
Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/nvme0n1p3.

# /lib/systemd/systemd-cryptsetup attach 'nvme0n1p3_crypt' '/dev/nvme0n1p3' '/dev/urandom' 'cipher=aes-xts-plain64,size=512,swap,discard'
Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/nvme0n1p3.

Workaround:

 sed -i '/swap/ s/size=128/size=256/' /etc/crypttab
 systemctl daemon-reload
 systemctl start systemd-cryptsetup@nvme0n1p3_crypt


Finally, I opened the bug on cryptsetup but I feel it belongs to the installer but don't know which package exactly.

** Affects: cryptsetup (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1647004
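
A small crypttab lint for the mismatch described in the report above. It is an added example, not part of the original message or of cryptsetup, systemd or the installer. The function names and the `swap_fixed` and `cbc_example` entries are constructed, and accepting 384 bits is an assumption, since the report only shows 256 and 512 succeeding.

```shell
#!/bin/sh
# Added example: flag crypttab entries whose aes-xts key size cannot work.
# XTS splits the key in two, so size= must be twice an AES key size.

# xts_key_size_ok OPTIONS: succeeds unless OPTIONS selects aes-xts with a bad size=.
xts_key_size_ok() {
    local options="$1" cipher="" size="" opt
    local IFS=,
    for opt in $options; do
        case $opt in
            cipher=*) cipher=${opt#cipher=} ;;
            size=*)   size=${opt#size=} ;;
        esac
    done
    # Only aes-xts-* entries with an explicit size= are checked.
    case $cipher in aes-xts-*) ;; *) return 0 ;; esac
    [ -n "$size" ] || return 0
    # 256 and 512 are the sizes shown working in the report;
    # 384 (2 x AES-192) is accepted here as an assumption.
    case $size in 256|384|512) return 0 ;; *) return 1 ;; esac
}

# check_crypttab: read crypttab text on stdin, print the target name of
# every entry that fails xts_key_size_ok.
check_crypttab() {
    local name dev key options rest
    while read -r name dev key options rest; do
        case $name in ''|'#'*) continue ;; esac
        xts_key_size_ok "$options" || printf '%s\n' "$name"
    done
}

# Constructed sample input: the first entry is the line from the report,
# the other entries are made up for contrast.
sample_crypttab() {
    cat <<'EOF'
# <target> <source> <key file> <options>
nvme0n1p3_crypt /dev/nvme0n1p3 /dev/urandom cipher=aes-xts-plain64,swap,size=128,discard
swap_fixed /dev/nvme0n1p3 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard
cbc_example /dev/sdX9 /dev/urandom cipher=aes-cbc-essiv:sha256,size=128,swap
EOF
}

sample_crypttab | check_crypttab
```

To check a real system, feed the file on stdin: `check_crypttab < /etc/crypttab`.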
