Hide Forgot
Description of problem: If we format a device with this command: ====== cryptsetup -c aes-cbc-essiv:sha256 -s 512 luksFormat /dev/sdb ====== It will fail with this error message: ====== device-mapper: reload ioctl failed: Invalid argument Failed to setup dm-crypt key mapping for device /dev/sdb. Check that kernel supports aes-cbc-essiv:sha256 cipher (check syslog for more info). ====== Actually, it just a because use specify key-size both in cipher-mode and key-size rather than kernel support issue. Version-Release number of selected component (if applicable): cryptsetup-luks-1.2.0-3.el6.x86_64 How reproducible: 100% Steps to Reproduce: 1. Kick off cryptsetup -c aes-cbc-essiv:sha256 -s 512 luksFormat /dev/sdb 2. Check the error message. Actual results: Fail with confusing error message. Expected results: Inform user that he is trying to specify keysize both in cipher-mode and key-size option. Additional info:
This is all related to how kernel dmcrypt reports problems if it is not able to create tpm - there is no additional info. I tried to add some hints in userspace when this happens, so we can add another one. (We cannot parse /proc/crypt in advance to check supported key sizes because modules are autoloaded per request - so the /proc.crypto could be empty before call.) But if user is specifying cipher/mode/key size yourself, he should know what he is doing. (here is aparent that AES-512 doesn't exists. 512bits key makes sense only on AES-XTS or similar mode, where is is split internaly to two AES-256 keys.) > Inform user that he is trying to specify keysize both in cipher-mode and key-size option. What do you mean by that? that command line is formally correct, just selected algorithm/mode combination does not support that key size. E.g. try cryptsetup -c aes-cbc-essiv:sha256 -s 128 luksFormat /dev/sdb cryptsetup -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/sdb cryptsetup -c blowfish-cbc-essiv:sha256 -s 448 luksFormat /dev/sdb cryptsetup -c aes-xts-plain64 -s 512 luksFormat /dev/sdb etc.
Thanks for the clarification. It's my misunderstanding about '-c aes-cbc-essiv:sha256 -s 128'. I was thinking "sha256" is the key size. For the /proc/crypt thing, how about warning user if command failed with specified the key size, so that they will check the "max keysize" in /proc/crypt.
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux.
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.