(address . bug-guix@gnu.org)
Currently cryptsetup from the "cryptsetup-static" package is unable to
open LUKS2 encrypted volumes that use the Argon2i key-derivation
algorithm, the default for LUKS2. It catches SIGABRT and exits without
opening the volume.

This appears to be a regression following the merge of the
core-updates-frozen branch and, because of it, I'm unable to boot into an
up-to-date system as there is no way to get past the "Enter passphrase"
prompt at startup.

I've verified this on both AArch64 and x86-64. To reproduce:

1. Ensure the "cryptsetup" package is installed in your profile and that
   "cryptsetup-static", the statically-linked equivalent added to the
   initrd and used during startup, is available on your system:

     guix install cryptsetup
     guix build --verbosity=2 cryptsetup-static

2. Create a file containing a dummy LUKS2 volume:

     truncate -s 32M ./dummy-luks-volume
     cryptsetup luksFormat --type luks2 ./dummy-luks-volume

   Make sure the Argon2i PBKDF algorithm was selected during formatting:

     cryptsetup luksDump ./dummy-luks-volume | grep argon

   This should output "PBKDF: argon2i".

3. Verify the volume can be opened using the regular cryptsetup tool:

     sudo cryptsetup open --type luks ./dummy-luks-volume dummy-volume
     ls /dev/mapper/dummy-volume
     sudo cryptsetup close /dev/mapper/dummy-volume

4. Now try opening the volume using the statically-linked cryptsetup:

     sudo `guix build cryptsetup-static`/sbin/cryptsetup open \
       --type luks ./dummy-luks-volume dummy-volume
     ls /dev/mapper/dummy-volume

You should find (on most runs, at least) after you enter the passphrase
the tool exits with "Aborted" and with no entry added beneath
/dev/mapper.

--
Simon South
simon@simonsouth.net
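
Added example, not part of the original report: a per-keyslot version of the "luksDump | grep argon" check in step 2, for finding which keyslots of a volume use Argon2i before rebooting into an updated system. The function names and the abbreviated sample dump are constructed for illustration; the parsing assumes the usual "Keyslots:" section layout of luksDump output.

```shell
#!/bin/sh
# Constructed, abbreviated luksDump output: slot 0 uses argon2i, slot 1 pbkdf2.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2i
        Time cost:  4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Read luksDump text on stdin; print "<slot> <pbkdf>" for every keyslot.
# Only the Keyslots: section is scanned, so the "0: pbkdf2" entry under
# Digests: is not mistaken for a keyslot.
keyslot_pbkdfs() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[^ \t]/    { in_slots = 0 }          # any other top-level header
        in_slots && /^[ \t]+[0-9]+:[ \t]/ { slot = $1; sub(/:$/, "", slot) }
        in_slots && $1 == "PBKDF:" && slot != "" { print slot, $2 }
    '
}

# Print the slots whose PBKDF equals $1; exit 0 if any matched, 1 otherwise.
keyslots_using() {
    keyslot_pbkdfs |
        awk -v want="$1" '$2 == want { print $1; found = 1 } END { exit !found }'
}

# With a volume argument, inspect the real header; otherwise use the sample.
if [ "$#" -gt 0 ]; then
    cryptsetup luksDump "$1" | keyslot_pbkdfs
else
    sample_dump | keyslot_pbkdfs
fi
```
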