cryptsetup / installation and reencryption

Topic: cryptsetup / installation and reencryption (Read 822 times) previous topic - next topic

0 Members and 3 Guests are viewing this topic.

cryptsetup / installation and reencryption

07 November 2022, 13:05:34

I was wondering if I'm the only one whos system just broke down because of the Artix-Installation guide to full encryption?

It states there:

Code: [Select]

 # [CaseA]
 cryptsetup --verbose --type luks1 --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/sdX2
 # [CaseB]
 cryptsetup --verbose --type luks1 --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/sdX1

This is bad. The whirlpool hash has been discontinued for security reason for many years now. I wasn't aware of that until tomorrow and I suppose no one is.

Also... there doesn't seem to be a way to install or even FIND cryptsetup-reencrypt for reencrypting or even removing encryption for luks1 partitions.

Yesterday was a many hour long sprint in figuring out why my fully encrypted system broke down and it seems to boil down to the whirlpool hash. Is no one else running a fully encrypted system or is artix linux on its way out?

Re: cryptsetup / installation and reencryption

Reply #1 – 07 November 2022, 13:21:36

Quote

because of the Artix-Installation guide to full encryption

The guide also features a link to a feedback/support forum thread maybe it would be better to request changing the hashing algorithm used in the guide there.

Quote

Also... there doesn't seem to be a way to install or even FIND cryptsetup-reencrypt for reencrypting or even removing encryption for luks1 partitions.

Code: [Select]

cryptsetup reencrypt <device> --keep-key --hash <algorithm>

Works perfectly fine (as I had to fix my install as well after following the guide).

Quote

Is no one else running a fully encrypted system or is artix linux on its way out?

As you saw from the thread you were active in yesterday I believe you are aware that other people ran into the same problems as you.

Re: cryptsetup / installation and reencryption

Reply #2 – 07 November 2022, 14:06:59

Thanks for the reply... so all the tutorials (I've found so far) regarding using cryptsetup-reencrypt instead of cryptsetup reencrypt for LUKS1 are outdated? I'll try that.

Re: cryptsetup / installation and reencryption

Reply #3 – 08 November 2022, 19:50:20

Hey, I hit the same issue.
I reencrypted disks to use sha512.
Because I was using keyfile to decrypt disk, I had to kill slot and add key again after reencrypting. It's still added in `FILES=()` in `mkinitcpio.conf` and I regenerated file.
After that, grub complains:

Code: [Select]

Couldn't load sha512 hash.
no such cryptodisk found.
disk 'cryptouuid/56e....' not found.

I tried to recreate grub config after that as well, but that didn't help either.
Any suggestions what should I do for grub to properly decrypt my drive?

Re: cryptsetup / installation and reencryption

Reply #4 – 09 November 2022, 16:10:52

Quote from: random_bash – on 08 November 2022, 19:50:20

Hey, I hit the same issue.
I reencrypted disks to use sha512.
Because I was using keyfile to decrypt disk, I had to kill slot and add key again after reencrypting. It's still added in `FILES=()` in `mkinitcpio.conf` and I regenerated file.
After that, grub complains:
Code: [Select]
Couldn't load sha512 hash.
no such cryptodisk found.
disk 'cryptouuid/56e....' not found.
I tried to recreate grub config after that as well, but that didn't help either.
Any suggestions what should I do for grub to properly decrypt my drive?

This might be helpful: https://forum.artixlinux.org/index.php/topic,4772.msg30513/topicseen.html
Make sure to read until the end.

Re: cryptsetup / installation and reencryption

Reply #5 – 25 December 2022, 20:58:17

Quote from: eNTi – on 07 November 2022, 13:05:34

I was wondering if I'm the only one whos system just broke down because of the Artix-Installation guide to full encryption?

I am really sorry for your problems, and have replied to you in the official support thread for this manual.

Quote from: eNTi – on 07 November 2022, 13:05:34

Yesterday was a many hour long sprint in figuring out why my fully encrypted system broke down and it seems to boil down to the whirlpool hash. Is no one else running a fully encrypted system or is artix linux on its way out?

Maybe it's just you have upgraded your Artix at the unfortunate time... See: I am using a "whirlpool" installation of Artix myself and I upgrade it from time to time, but it is still working fine without any re-encryptions or any other interference. Although, for the fresh installs, I see there was an error regardless of if you are using whirlpool or sha512. Now I have fixed this FDE manual for both hashing methods, but still have decided to use sha512

@blackyy , @random_bash , @Lancia - I believe all the problems have been fixed