[pkg-cryptsetup-devel] Bug#1119106: cryptsetup: encrypted swap unreliable due to blkid check
Thorsten Glaser
tg at mirbsd.de
Sun Oct 26 23:59:28 GMT 2025
Package: cryptsetup
Version: 2:2.3.7-1+deb11u1
Severity: normal
X-Debbugs-Cc: tg at mirbsd.de
I’ve got encrypted swap with protective tiny ext2fs (to provide
an anchor for LABEL=) set up, and today, my swapcycle script
complained. Manual checks confirm that…
tg at x61p:~ $ sudo cryptdisks_start cswp2
Starting crypto disk...cswp2 (starting)...cswp2: the precheck for '/dev/sda3' failed: - The device /dev/sda3 contains a filesystem type jbd at offset 65536. ... (warning).
failed.
… the device no longer comes up.
What happens here is that the encrypted part of the PREVIOUS
swap session (no longer readable due to random encryption key)
happens to mimic the magic of a jbd triggering these lines…
local out tmpdev
if [ "$CRYPTTAB_TYPE" != "luks" ] && [ "$CRYPTTAB_TYPE" != "bitlk" ]; then
# fail if the device has a filesystem and the disk encryption format doesn't
# verify the key digest (unlike LUKS); unless it's swap, otherwise people can't
# easily convert an existing plainttext swap partition to an encrypted one
if ! out="$(/lib/cryptsetup/checks/un_blkid "$CRYPTTAB_SOURCE" "" ${CRYPTTAB_OPTION_offset+"$offset_bytes"} 2>/dev/null)" &&
! /lib/cryptsetup/checks/blkid "$CRYPTTAB_SOURCE" swap ${CRYPTTAB_OPTION_offset+"$offset_bytes"} >/dev/null; then
log_warning_msg "$CRYPTTAB_NAME: the precheck for '$CRYPTTAB_SOURCE' failed: $out"
return 1
fi
fi
… from /lib/cryptsetup/cryptdisks-functions.
I’m a bit puzzled about how to proceed here. I mean, a dd(1) command
will make this work again for me, but there is a systematic bug: the
cryptsetup integration seems to have a hardcoded check for existing
(unencrypted) filesystems on the part of the storage that is later
encrypted, so if the encrypted value of what is actually written to
there after starting happens to match the magic of some known fs, it
won’t come up any more, AND there is no way to work around this with
a setting in crypttab(5) or a command-line option.
And, the more I read this, the more I believe that this can also happen
with real filesystems, not just encrypted swap; real filesystems will
of course use a consistent encryption key, not a random one.
So… while I understand the intent behind this check, I believe it is
completely bogus. I’m not even sure it can be rescued into something
that can stay without impacting normal operation. It just takes certain
conditions, rare at that, to trigger that.
So, well… let’s see… the cleaning needs to take the offset into account…
so maybe not a dd but given I have an SSD this works:
tg at x61p:~ $ sudo blkdiscard -o 65536 -f /dev/sda3
blkdiscard: /dev/sda3 contains existing file system (ext2).
blkdiscard: Operation forced, data will be lost!
tg at x61p:~ $ sudo cryptdisks_start cswp2
Starting crypto disk...cswp2 (starting)...cswp2 (started)...done.
tg at x61p:~ $ sudo swapon /dev/mapper/cswp2
(blkdiscard complains because the first 64 KiB of /dev/sda3 do indeed
contain an ext2fs… except it is only 64 KiB long, not the rest of the
partition, but it cannot easily know that.)
For more information on the setup of encrypted swap with protective
ext2fs and swapcycling to destroy old encryption keys, see:
https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=shellsnippets/shellsnippets.git;a=blob;f=posix/sysadmin/swapcycle;hb=HEAD
(user=pass public due to “AI” scrapers) (and I need to update that to
suggest using multiple partitions, so some swap is always kept)
Full disclosure, I’m running a version of cryptsetup with the backports
to make offset= work applied, but I am 100% confident that they are not
part of the problem.
-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-5.10.0-35-amd64 root=/dev/mapper/vg--x61p-lv--root ro net.ifnames=0 rootflags=defaults,relatime,lazytime,barrier=1,data=ordered,auto_da_alloc vga=792 TZ=:Europe/Berlin
-- /etc/crypttab
# <target name> <source device> <key file> <options>
cx61p LABEL=cx61p none discard,luks,initramfs
cswp1 LABEL=swp1_x61p /dev/urandom offset=128,discard,cipher=aes-xts-plain64,size=512,plain,swap
cswp2 LABEL=swp2_x61p /dev/urandom offset=128,discard,cipher=aes-xts-plain64,size=512,plain,swap
-- /etc/fstab
#spec 'file' vfstype mntopts freq passno
/dev/vg-x61p/lv-root / ext4 defaults,relatime,lazytime,barrier=1,data=ordered,auto_da_alloc 0 2
LABEL=ssdbootfs /boot ext4 defaults,noatime,lazytime,barrier=1,data=ordered,auto_da_alloc 0 1
swap /home/tg/.mnt tmpfs defaults,noatime,lazytime,noauto,user,uid=1000,mode=0750 0 0
swap /tmp tmpfs defaults,relatime,lazytime,nosuid,nodev 0 0
swap /var/cache/apt tmpfs defaults,noatime,lazytime,nosuid,nodev,uid=0,gid=0,mode=0755 0 0
/dev/mapper/cswp1 swap swap sw,discard 0 0
/dev/mapper/cswp2 swap swap sw,discard 0 0
-- lsmod
Module Size Used by
cpuid 16384 0
snd_seq_dummy 16384 0
snd_seq 94208 1 snd_seq_dummy
snd_seq_device 16384 1 snd_seq
fuse 172032 2
cpufreq_ondemand 16384 2
ctr 16384 3
ccm 20480 9
binfmt_misc 28672 1
cpufreq_powersave 20480 0
nft_reject_inet 16384 2
nf_reject_ipv4 16384 1 nft_reject_inet
nf_reject_ipv6 20480 1 nft_reject_inet
nft_reject 16384 1 nft_reject_inet
nf_tables 274432 10 nft_reject_inet,nft_reject
libcrc32c 16384 1 nf_tables
nfnetlink 20480 1 nf_tables
tp_smapi 45056 0
thinkpad_ec 16384 1 tp_smapi
msr 16384 0
snd_hda_codec_analog 20480 1
snd_hda_codec_generic 98304 1 snd_hda_codec_analog
i915 2777088 5
iwl4965 110592 0
iwlegacy 90112 1 iwl4965
snd_hda_intel 57344 4
snd_intel_dspcfg 28672 1 snd_hda_intel
drm_kms_helper 282624 1 i915
mac80211 995328 2 iwl4965,iwlegacy
soundwire_intel 45056 1 snd_intel_dspcfg
soundwire_generic_allocation 16384 1 soundwire_intel
coretemp 20480 0
snd_soc_core 319488 1 soundwire_intel
kvm_intel 327680 0
cec 61440 2 drm_kms_helper,i915
pcmcia 81920 0
snd_compress 32768 1 snd_soc_core
soundwire_cadence 36864 1 soundwire_intel
snd_hda_codec 176128 3 snd_hda_codec_generic,snd_hda_intel,snd_hda_codec_analog
drm 634880 6 drm_kms_helper,i915
snd_hda_core 110592 4 snd_hda_codec_generic,snd_hda_intel,snd_hda_codec_analog,snd_hda_codec
snd_hwdep 20480 1 snd_hda_codec
kvm 942080 1 kvm_intel
ppdev 24576 0
iTCO_wdt 16384 0
irqbypass 16384 1 kvm
soundwire_bus 94208 3 soundwire_intel,soundwire_generic_allocation,soundwire_cadence
cfg80211 987136 3 iwl4965,iwlegacy,mac80211
evdev 28672 15
intel_pmc_bxt 16384 1 iTCO_wdt
snd_pcm 143360 7 snd_hda_intel,snd_hda_codec,soundwire_intel,snd_compress,snd_soc_core,snd_hda_core
thinkpad_acpi 122880 0
yenta_socket 53248 0
iTCO_vendor_support 16384 1 iTCO_wdt
pcmcia_rsrc 24576 1 yenta_socket
serio_raw 20480 0
watchdog 32768 1 iTCO_wdt
libarc4 16384 1 mac80211
i2c_algo_bit 16384 1 i915
pcspkr 16384 0
snd_timer 49152 3 snd_seq,snd_pcm
sg 36864 0
nvram 16384 1 thinkpad_acpi
pcmcia_core 32768 3 pcmcia,pcmcia_rsrc,yenta_socket
ledtrig_audio 16384 2 snd_hda_codec_generic,thinkpad_acpi
snd 110592 18 snd_hda_codec_generic,snd_seq,snd_seq_device,snd_hwdep,snd_hda_intel,snd_hda_codec_analog,snd_hda_codec,snd_timer,snd_compress,thinkpad_acpi,snd_soc_core,snd_pcm
soundcore 16384 1 snd
parport_pc 40960 0
rfkill 32768 3 thinkpad_acpi,cfg80211
parport 73728 2 parport_pc,ppdev
ac 16384 0
button 24576 0
acpi_cpufreq 32768 1
ecb 16384 2
aes_generic 36864 10
libaes 16384 1 aes_generic
crypto_simd 16384 0
cryptd 24576 1 crypto_simd
glue_helper 16384 0
xts 16384 2
dm_crypt 57344 2
dm_mod 163840 8 dm_crypt
ext4 946176 2
crc16 16384 1 ext4
mbcache 16384 1 ext4
jbd2 151552 1 ext4
crc32c_generic 16384 5
sd_mod 61440 4
t10_pi 16384 1 sd_mod
crc_t10dif 20480 1 t10_pi
crct10dif_generic 16384 1
sr_mod 28672 0
cdrom 73728 1 sr_mod
crct10dif_common 16384 2 crct10dif_generic,crc_t10dif
ata_generic 16384 0
e1000e 311296 0
sdhci_pci 73728 0
cqhci 32768 1 sdhci_pci
sdhci 81920 1 sdhci_pci
uhci_hcd 57344 0
ahci 45056 3
ehci_pci 20480 0
ehci_hcd 98304 1 ehci_pci
i2c_i801 32768 0
ata_piix 36864 0
ptp 32768 1 e1000e
libahci 49152 1 ahci
libata 299008 4 ata_piix,libahci,ahci,ata_generic
usbcore 331776 3 ehci_pci,ehci_hcd,uhci_hcd
scsi_mod 270336 4 sd_mod,libata,sg,sr_mod
psmouse 184320 0
lpc_ich 28672 0
i2c_smbus 20480 1 i2c_i801
mmc_core 196608 3 sdhci,cqhci,sdhci_pci
usb_common 16384 3 usbcore,ehci_hcd,uhci_hcd
pps_core 24576 1 ptp
battery 24576 1 thinkpad_acpi
video 65536 2 thinkpad_acpi,i915
-- System Information:
Debian Release: 11.11
APT prefers oldoldstable-updates
APT policy: (500, 'oldoldstable-updates'), (500, 'oldoldstable-security'), (500, 'oldoldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-35-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:2.3.7-1+deb11u1wtf3
ii debconf [debconf-2.0] 1.5.77
ii dmsetup 2:1.02.175-2.1
ii libc6 2.31-13+deb11u13
Versions of packages cryptsetup recommends:
ii cryptsetup-initramfs 2:2.3.7-1+deb11u1wtf3
pn cryptsetup-run <none>
Versions of packages cryptsetup suggests:
ii dosfstools 4.2-1
pn keyutils <none>
ii liblocale-gettext-perl 1.07-4+b1
-- Configuration Files:
/etc/init.d/cryptdisks changed:
set -e
if [ -r /lib/cryptsetup/cryptdisks-functions ]; then
. /lib/cryptsetup/cryptdisks-functions
else
exit 0
fi
INITSTATE="remaining"
DEFAULT_LOUD="yes"
case "$CRYPTDISKS_ENABLE" in
[Nn]*)
exit 0
;;
esac
case "$1" in
start)
do_start
;;
stop)
do_stop
;;
restart|reload|force-reload)
do_stop
do_start
;;
force-start)
FORCE_START="yes"
do_start
;;
*)
echo "Usage: cryptdisks {start|stop|restart|reload|force-reload|force-start}"
exit 1
;;
esac
-- debconf information:
cryptsetup/prerm_active_mappings: true
More information about the pkg-cryptsetup-devel
mailing list