[pkg-cryptsetup-devel] Bug#768407: cryptsetup: dm-crypt disk unlocks on older Debian, does not on current testing

Fri Nov 7 13:56:34 UTC 2014

Hi Milan,

On Fri, 07 Nov 2014 11:08:31 +0100
Milan Broz <gmazyland at gmail.com> wrote:

> > backcrypt /dev/sdb2 none
> > cipher=aes-cbc-plain,size=256,hash=ripemd160,noauto,loud
> 
> If it is not passphrase, are you sure these were the correct
> parameters? Who added them there? (mainly check mode:
> -plain /-essiv:sha256, key size 128/256 ?)

I created that crypttab in 2010 under the advice of Jonas Meurer per

	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586120

and my /etc is under git/etckeeper. That file has not changed since the
initial install on this machine more than a year ago, and it has worked
many times before & since then on this and other machines. Until now.

I will try those other parameters next time I get a chance, but I am
not optimistic because....

> (it should be, these are old cryptsetup plain defaults but you should
> check old crypttab backups for sure... 

....like I said that file has not changed. The same partition unlocks
using an older cryptsetup on an older Debian and EXACTLY the same
crypttab. Therefore, something ails the new version of cryptsetup -or-
there is some kind of new undocumented default behavior.

> really better use LUKS to avoid this problem, 

Yes, I use LUKS on all new installs, but this disk was built many years
ago. I am sure there will be a few Wheezy --> Jessie upgrades with
similar legacy disks.

> or even better - if you have systtem which opens
> it correctly, use cryptsetup status for active device and check it)
> 
> See
> https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#8._Issues_with_Specific_Versions_of_cryptsetup

Like you said,

	cipher=aes-cbc-plain,size=256,hash=ripemd160

are the old old defaults and should work. And they still do. With a
slightly older version of crytpsetup, same encrypted partition.

Clayton