[Whonix-devel] [dm-crypt] Troubleshooting: Header Conversion to argon2id

Thu Sep 13 16:13:00 CEST 2018

Guilhem Moulin:
> On Thu, 13 Sep 2018 at 00:47:00 +0000, procmem wrote:
>> Guilhem Moulin:
>>> On Wed, 12 Sep 2018 at 15:21:00 +0000, procmem wrote:
>>>> cryptsetup convert /dev/vda5 --type luks2 --debug
>>>> […]
>>>> Cannot convert device /dev/vda5 which is still in use.
>>>> […]
>>>> Command failed with code -5 (device already exists or device is busy).
>>>
>>> As the error message indicates, you need to remove (ie, close) the
>>> mapped device first.  If that device is required for your system to run
>>> (for instance if it's holding the root file system) you won't be able to
>>> run `cryptsetup luksClose $name` from the main system; however you
>>> should be able to perform `cryptsetup convert` from a live CD, or from
>>> the initramfs image.
>>
>> initramfs sounds like the most versatile option. Any pointers on how to
>> to this? Searching SE turns up irrelevant results.
> 
> Before rebooting you might want to make sure the ‘algif_skcipher’ kernel
> module is included in the initramfs image, otherwise you might not be
> able to open LUKS2 volumes.  (See https://bugs.debian.org/896968 for
> details.)  To do so, run the following two commands:
> 
>     echo algif_skcipher | sudo tee -a /etc/initramfs-tools/modules
>     sudo update-initramfs -u
> 
> Now assuming your bootloader is GRUB, reboot, press <E> to obtain an
> emacs-like screen, append “ break=premount” to the line starting with
> “initrd”, and press <Ctrl>+<X> to boot.  (The edit is transient and
> won't survive the next reboot.)  You should land into an initramfs debug
> shell; see initramfs-tools(7) for details.
> 
> That has probably become off-topic for the dm-crypt list, by the way
> (discussing how to reboot into an initramfs shell has nothing to do with
> dm-crypt, LUKS, or cryptsetup(8) per se); the user support channels of
> your distro might be a better venue for this.
> 

Appending break=premount to the line starting with "linux" worked for
converting the header to v2. However changing it to argon2id still
failed with a -1 error code.

So I ended up bypassing this process by creating a new keyslot with the
same passphrase - which happens to use the best parameters by default
(argon2id in this case) and then going back and deleting the legacy keyslot:

# cryptsetup luksAddKey /dev/vda5 -S 1

# cryptsetup luksKillSlot /dev/vda5 0

Everything continues to boot up. I think this is the best way to do
things unless anyone has any reservations*

* As long as no SSDs are used I don't think users have to worry about
the old header floating around. Though I'm unsure if in-place conversion
would have been a security advantage in that case.