dm-crypt.saout.de archive mirror
* [dm-crypt] SSD encryption using cryptsetup
@ 2020-10-10  3:06 KRISHNAJA MENON
  2020-10-10  6:54 ` [dm-crypt] Opening container created on aarch64 fails on x86_64 and the other way around; was: " Michael Kjörling
  2020-10-10 17:48 ` [dm-crypt] " Milan Broz
  0 siblings, 2 replies; 4+ messages in thread
From: KRISHNAJA MENON @ 2020-10-10  3:06 UTC (permalink / raw)
  To: dm-crypt


Hi,

Setup details:
Machine 1: Ubuntu x86_64
Machine 2: Linux-aarch64 (arm)

1. luksFormat an external SSD on x86 using *aes-cbc-plain:ripemd160* on x86
machine
2. luksOpen, create partition and luksClose on x86 machine
3. luksOpen (decrypting/unlocking) on the SSD on an aarch64 machine using
the same password fed in step 1 fails

Also tried step 1 and 2 on aarch64 and 3 on x86 - fails
Does the cipher algorithm used while formatting depend on the architecture?

Thanks,
Krishna


* Re: [dm-crypt] Opening container created on aarch64 fails on x86_64 and the other way around; was: SSD encryption using cryptsetup
  2020-10-10  3:06 [dm-crypt] SSD encryption using cryptsetup KRISHNAJA MENON
@ 2020-10-10  6:54 ` Michael Kjörling
  2020-10-10 17:48 ` [dm-crypt] " Milan Broz
  1 sibling, 0 replies; 4+ messages in thread
From: Michael Kjörling @ 2020-10-10  6:54 UTC (permalink / raw)
  To: dm-crypt

On 9 Oct 2020 20:06 -0700, from krishnajamenon92@gmail.com (KRISHNAJA MENON):
> Also tried step 1 and 2 on aarch64 and 3 on x86 - fails

"Fails" in what manner? Please show the exact output, preferably from
running cryptsetup with --debug. Also please specify the exact version
of both cryptsetup and the kernel that you're running on each system.
uname -a might be a good start.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
 “Remember when, on the Internet, nobody cared that you were a dog?”


* Re: [dm-crypt] SSD encryption using cryptsetup
  2020-10-10  3:06 [dm-crypt] SSD encryption using cryptsetup KRISHNAJA MENON
  2020-10-10  6:54 ` [dm-crypt] Opening container created on aarch64 fails on x86_64 and the other way around; was: " Michael Kjörling
@ 2020-10-10 17:48 ` Milan Broz
  2020-10-10 17:56   ` KRISHNAJA MENON
  1 sibling, 1 reply; 4+ messages in thread
From: Milan Broz @ 2020-10-10 17:48 UTC (permalink / raw)
  To: KRISHNAJA MENON, dm-crypt

On 10/10/2020 05:06, KRISHNAJA MENON wrote:
> Setup details:
> Machine 1: Ubuntu x86_64
> Machine 2: Linux-aarch64 (arm)
> 
> 1. luksFormat an external SSD on x86 using *aes-cbc-plain:ripemd160* on x86 machine

This cipher specification is nonsense, plain IV does not take arguments and it will
be rejected by recent kernels.
(Moreover, CBC with plain IV mode is insecure due to predictable IV.)

Please *do* *not* change defaults if you do not understand security impact.
If you want CBC mode (XTS mode is default for LUKS), use aes-cbc-essiv:sha256

(It should fail even in luksFormat, but you sent neither debug output nor version related...)

Milan
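
As an added example (not part of the thread and not cryptsetup's own code), the two problems named in the reply above can be checked mechanically on a cipher spec before formatting. `check_cipher_spec` is a hypothetical helper; the sample specs other than the one quoted from the thread are constructed.

```shell
# Added example: lint a dm-crypt cipher spec written as cipher-mode-iv[:ivopts].
# check_cipher_spec is a hypothetical helper, not a cryptsetup command.
# Prints one line per finding; returns 0 if clean, 1 if anything was flagged.
check_cipher_spec() {
    spec=$1
    bad=0
    # Split "aes-cbc-plain:ripemd160" -> cipher=aes mode=cbc iv=plain ivopts=ripemd160
    case $spec in
        *:*) ivopts=${spec#*:} ;;
        *)   ivopts="" ;;
    esac
    base=${spec%%:*}
    cipher=${base%%-*}
    rest=${base#*-}
    mode=${rest%%-*}
    iv=${rest#*-}
    if [ "$rest" = "$base" ] || [ "$iv" = "$rest" ]; then
        echo "$spec: expected cipher-mode-iv[:ivopts]"
        return 1
    fi
    case $iv in
        plain|plain64|plain64be)
            # These generators use the sector number as the IV and take no options.
            if [ -n "$ivopts" ]; then
                echo "$spec: IV generator '$iv' takes no arguments, ':$ivopts' is invalid"
                bad=1
            fi
            if [ "$mode" = "cbc" ]; then
                echo "$spec: CBC with a sector-number IV is predictable; use $cipher-cbc-essiv:sha256 or the XTS default"
                bad=1
            fi
            ;;
        essiv)
            # ESSIV hashes the volume key to derive the IV key, so a hash is required.
            if [ -z "$ivopts" ]; then
                echo "$spec: essiv needs a hash argument, e.g. essiv:sha256"
                bad=1
            fi
            ;;
    esac
    return $bad
}

# Constructed samples: the spec from the thread, the suggested CBC form, an XTS spec.
for s in aes-cbc-plain:ripemd160 aes-cbc-essiv:sha256 aes-xts-plain64; do
    check_cipher_spec "$s" && echo "$s: ok" || true
done
```

The spec actually stored in a LUKS header is shown by `cryptsetup luksDump`, so the same check can be applied to an existing device.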


* Re: [dm-crypt] SSD encryption using cryptsetup
  2020-10-10 17:48 ` [dm-crypt] " Milan Broz
@ 2020-10-10 17:56   ` KRISHNAJA MENON
  0 siblings, 0 replies; 4+ messages in thread
From: KRISHNAJA MENON @ 2020-10-10 17:56 UTC (permalink / raw)
  To: Milan Broz; +Cc: dm-crypt


Thank you for the clarification.
For some reason luksFormat was successful and I was able to encrypt the
disk using plain cbc. The format command passed without errors on both x86
and aarch64 without issues and I was able to feed a password. Also checked
isluKsdevice and luksDump, both were successful.
I will retry aes-cbc-essiv:sha256 and update. Will also share logs.

Thanks

On Sat, Oct 10, 2020, 10:48 AM Milan Broz <gmazyland@gmail.com> wrote:

> On 10/10/2020 05:06, KRISHNAJA MENON wrote:
> > Setup details:
> > Machine 1: Ubuntu x86_64
> > Machine 2: Linux-aarch64 (arm)
> >
> > 1. luksFormat an external SSD on x86 using *aes-cbc-plain:ripemd160* on
> > x86 machine
>
> This cipher specification is nonsense, plain IV does not take arguments
> and it will be rejected by recent kernels.
> (Moreover, CBC with plain IV mode is insecure due to predictable IV.)
>
> Please *do* *not* change defaults if you do not understand security impact.
> If you want CBC mode (XTS mode is default for LUKS), use
> aes-cbc-essiv:sha256
>
> (It should fail even in luksFormat, but you sent neither debug
> output nor version related...)
>
> Milan
>
