[dm-crypt] LUKS2 AES-GCM-random erroring with key size issue.

[dm-crypt] LUKS2 AES-GCM-random erroring with key size issue.

[vinay paduru]

[-- Attachment #1: Type: text/plain, Size: 672 bytes --]

Hello Team,

I am trying to encrypt a volume with LUKS2 AES-GCM-Random cipher and I am seeing an error saying “key size 256 bits” not available. I tried changing the key size but same error repeats for whatever the key size we give.

Could you please help us solve this problem.



# cryptsetup --verbose luksFormat --type luks2 --cipher aes-gcm-random --integrity aead /dev/sdb2


WARNING!

========

This will overwrite data on /dev/sdb2 irrevocably.


Are you sure? (Type 'yes' in capital letters): YES

Enter passphrase for /dev/sdb2:

Verify passphrase:

Cipher aes-gcm-random (key size 256 bits) is not available.



Regards,
Vinay

[-- Attachment #2: Type: text/html, Size: 3085 bytes --]

Re: [dm-crypt] LUKS2 AES-GCM-random erroring with key size issue.

[Michael Kjörling]

On 27 Feb 2020 05:37 +0000, from vinay.paduru@live.com (vinay paduru):
> Could you please help us solve this problem.
> 
> # cryptsetup --verbose luksFormat --type luks2 --cipher aes-gcm-random --integrity aead /dev/sdb2

> [...]

> Cipher aes-gcm-random (key size 256 bits) is not available.

Try running the same command with --debug and send the full output of
that.

The exact kernel and cryptsetup version and build you're using
(including distribution package version, if applicable), and the
contents of /proc/crypto immediately after running cryptsetup, might
also be useful.

Especially if you're building from source, it's also a good idea to
double-check that the cryptsetup binary that you're running is the one
you expect.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
 “Remember when, on the Internet, nobody cared that you were a dog?”

Re: [dm-crypt] LUKS2 AES-GCM-random erroring with key size issue.

[Milan Broz]

On 27/02/2020 06:37, vinay paduru wrote:
> I am trying to encrypt a volume with *LUKS2* *AES-GCM-Random* cipher
> and I am seeing an error saying “key size 256 bits” not available. I
> tried changing the key size but same error repeats for whatever the
> key size we give.

Do you have kernel with gcm crypto module enabled?

Milan

Re: [dm-crypt] LUKS2 AES-GCM-random erroring with key size issue.

[vinay paduru]

[-- Attachment #1: Type: text/plain, Size: 1657 bytes --]

Hello Milan,

Yes, I have the module installed and enabled.


# lsmod | grep -i gcm

gcm                    24576  0


# modprobe gcm


# modinfo gcm

filename:       /lib/modules/4.1.12-61.1.19.el7uek.x86_64/kernel/crypto/gcm.ko

alias:          crypto-gcm

alias:          gcm

alias:          crypto-rfc4543

alias:          rfc4543

alias:          crypto-rfc4106

alias:          rfc4106

alias:          crypto-gcm_base

alias:          gcm_base

author:         Mikko Herranen <mh1@iki.fi>

description:    Galois/Counter Mode

license:        GPL

srcversion:     0805471CE9244CDA1D08732

depends:

intree:         Y

vermagic:       4.1.12-61.1.19.el7uek.x86_64 SMP mod_unload modversions

signer:         Oracle CA Server

sig_key:        99:0C:6B:AD:6E:20:40:AB:2F:AC:19:2B:13:86:80:73:E1:2A:95:FB

sig_hashalgo:   sha512


#cryptsetup luksFormat --type luks2 /dev/sdb2 --cipher aes-gcm-random --integrity aead


WARNING!

========

This will overwrite data on /dev/sdb2 irrevocably.


Are you sure? (Type 'yes' in capital letters): YES

Enter passphrase for /dev/sdb2:

Verify passphrase:

Cipher aes-gcm-random (key size 256 bits) is not available.

#

Vinay
On 28 Feb 2020, 4:51 PM +0530, Milan Broz <gmazyland@gmail.com>, wrote:
On 27/02/2020 06:37, vinay paduru wrote:
I am trying to encrypt a volume with *LUKS2* *AES-GCM-Random* cipher
and I am seeing an error saying “key size 256 bits” not available. I
tried changing the key size but same error repeats for whatever the
key size we give.

Do you have kernel with gcm crypto module enabled?

Milan

[-- Attachment #2: Type: text/html, Size: 9575 bytes --]

Re: [dm-crypt] LUKS2 AES-GCM-random erroring with key size issue.

[Milan Broz]

On 02/03/2020 06:30, vinay paduru wrote:
> Yes, I have the module installed and enabled.
> 
> filename:       /lib/modules/4.1.12-61.1.19.el7uek.x86_64/kernel/crypto/gcm.ko

Hi,

as suggested, also check --debug output and syslog. 

I cannot provide you support for commercial kernel with possibly (not) backported patches,
please contact your vendor if it is not working properly.
(Couldn't resist, but it is Oracle unbreakable kernel (uek) so it have to work, obviously!)

More seriously, it is quite possible that you are missing more things here (dm-integrity)
that is required for authenticated encryption etc.

We do not support dm-integrity in RHEL7 at all, do not expect it to work in distro clones
even with updated kernel.

Milan

Re: [dm-crypt] LUKS2 AES-GCM-random erroring with key size issue.

[vinay paduru]

[-- Attachment #1: Type: text/plain, Size: 1064 bytes --]

Thank you for the detailed explanation Milan and apologies for late response. We were trying it on OEL-7 distro. Any chance of supporting OEL-7 distro in future as OEL-6 is almost EOL ?

Vinay
On 2 Mar 2020, 12:53 PM +0530, Milan Broz <gmazyland@gmail.com>, wrote:
> On 02/03/2020 06:30, vinay paduru wrote:
> > Yes, I have the module installed and enabled.
> >
> > filename:       /lib/modules/4.1.12-61.1.19.el7uek.x86_64/kernel/crypto/gcm.ko
>
> Hi,
>
> as suggested, also check --debug output and syslog.
>
> I cannot provide you support for commercial kernel with possibly (not) backported patches,
> please contact your vendor if it is not working properly.
> (Couldn't resist, but it is Oracle unbreakable kernel (uek) so it have to work, obviously!)
>
> More seriously, it is quite possible that you are missing more things here (dm-integrity)
> that is required for authenticated encryption etc.
>
> We do not support dm-integrity in RHEL7 at all, do not expect it to work in distro clones
> even with updated kernel.
>
> Milan

[-- Attachment #2: Type: text/html, Size: 1744 bytes --]