Skip to main content
Topic: cryptsetup / installation and reencryption (Read 833 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

cryptsetup / installation and reencryption

I was wondering if I'm the only one whos system just broke down because of the Artix-Installation guide to full encryption?

It states there:
Code: [Select]
 # [CaseA]
 cryptsetup --verbose --type luks1 --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/sdX2
 # [CaseB]
 cryptsetup --verbose --type luks1 --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/sdX1

This is bad. The whirlpool hash has been discontinued for security reason for many years now. I wasn't aware of that until tomorrow and I suppose no one is.

Also... there doesn't seem to be a way to install or even FIND cryptsetup-reencrypt for reencrypting or even removing encryption for luks1 partitions.

Yesterday was a many hour long sprint in figuring out why my fully encrypted system broke down and it seems to boil down to the whirlpool hash. Is no one else running a fully encrypted system or is artix linux on its way out?

Re: cryptsetup / installation and reencryption

Reply #1
Quote
because of the Artix-Installation guide to full encryption
The guide also features a link to a feedback/support forum thread maybe it would be better to request changing the hashing algorithm used in the guide there.
Quote
Also... there doesn't seem to be a way to install or even FIND cryptsetup-reencrypt for reencrypting or even removing encryption for luks1 partitions.
Code: [Select]
cryptsetup reencrypt <device> --keep-key --hash <algorithm>
Works perfectly fine (as I had to fix my install as well after following the guide).
Quote
Is no one else running a fully encrypted system or is artix linux on its way out?
As you saw from the thread you were active in yesterday I believe you are aware that other people ran into the same problems as you.

Re: cryptsetup / installation and reencryption

Reply #2
Thanks for the reply... so all the tutorials (I've found so far) regarding using cryptsetup-reencrypt instead of cryptsetup reencrypt for LUKS1 are outdated? I'll try that.

Re: cryptsetup / installation and reencryption

Reply #3
Hey, I hit the same issue.
I reencrypted disks to use sha512.
Because I was using keyfile to decrypt disk, I had to kill slot and add key again after reencrypting. It's still added in `FILES=()` in `mkinitcpio.conf` and I regenerated file.
After that, grub complains:
Code: [Select]
Couldn't load sha512 hash.
no such cryptodisk found.
disk 'cryptouuid/56e....' not found.
I tried to recreate grub config after that as well, but that didn't help either.
Any suggestions what should I do for grub to properly decrypt my drive?

Re: cryptsetup / installation and reencryption

Reply #4
Hey, I hit the same issue.
I reencrypted disks to use sha512.
Because I was using keyfile to decrypt disk, I had to kill slot and add key again after reencrypting. It's still added in `FILES=()` in `mkinitcpio.conf` and I regenerated file.
After that, grub complains:
Code: [Select]
Couldn't load sha512 hash.
no such cryptodisk found.
disk 'cryptouuid/56e....' not found.
I tried to recreate grub config after that as well, but that didn't help either.
Any suggestions what should I do for grub to properly decrypt my drive?

This might be helpful: https://forum.artixlinux.org/index.php/topic,4772.msg30513/topicseen.html
Make sure to read until the end.

Re: cryptsetup / installation and reencryption

Reply #5
I was wondering if I'm the only one whos system just broke down because of the Artix-Installation guide to full encryption?
I am really sorry for your problems, and have replied to you in the official support thread for this manual.
Yesterday was a many hour long sprint in figuring out why my fully encrypted system broke down and it seems to boil down to the whirlpool hash. Is no one else running a fully encrypted system or is artix linux on its way out?
Maybe it's just you have upgraded your Artix at the unfortunate time... See: I am using a "whirlpool" installation of Artix myself and I upgrade it from time to time, but it is still working fine without any re-encryptions or any other interference. Although, for the fresh installs, I see there was an error regardless of if you are using whirlpool or sha512. Now I have fixed this FDE manual for both hashing methods, but still have decided to use sha512

@blackyy , @random_bash , @Lancia - I believe all the problems have been fixed ;)