Apheus Guru
Joined: 12 Jul 2008 Posts: 422
Posted: Wed Aug 10, 2016 11:12 am Post subject: [SOLVED] Requested LUKS hash PBKDF2-sha256 is not supported.
I always encrypt my partitions, usually with hash "ripemd160". However, I want to try PBKDF2 on a new partition:
Code: | cryptsetup luksFormat -c aes-xts-plain64 -h PBKDF2-sha256 -s 256 /dev/sda1 <keyfile> |
The result:
Code: | WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.
Are you sure? (Type uppercase yes): YES
Requested LUKS hash PBKDF2-sha256 is not supported. |
It is shown by "cryptsetup benchmark":
Code: | # cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 1219274 iterations per second
PBKDF2-sha256 837520 iterations per second
PBKDF2-sha512 672164 iterations per second
PBKDF2-ripemd160 774428 iterations per second
PBKDF2-whirlpool 312076 iterations per second
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 715.6 MiB/s 3026.9 MiB/s
serpent-cbc 128b 97.5 MiB/s 611.7 MiB/s
twofish-cbc 128b 201.9 MiB/s 389.5 MiB/s
aes-cbc 256b 529.5 MiB/s 2339.0 MiB/s
serpent-cbc 256b 97.7 MiB/s 612.0 MiB/s
twofish-cbc 256b 202.7 MiB/s 389.5 MiB/s
aes-xts 256b 2579.9 MiB/s 2565.6 MiB/s
serpent-xts 256b 611.5 MiB/s 594.4 MiB/s
twofish-xts 256b 378.6 MiB/s 386.0 MiB/s
aes-xts 512b 1992.9 MiB/s 1977.0 MiB/s
serpent-xts 512b 612.6 MiB/s 594.1 MiB/s
twofish-xts 512b 379.1 MiB/s 384.8 MiB/s |
I cannot find anything "PBKDF2" in kernel config.
"ripemd160" works.
kernel 4.4.6-gentoo, sys-fs/cryptsetup-1.6.5, amd64 system.
What is necessary to get PBKDF2 working?
Thanks.
Last edited by Apheus on Wed Aug 10, 2016 2:33 pm; edited 1 time in total

freke l33t
Joined: 23 Jan 2003 Posts: 976 Location: Somewhere in Denmark
Posted: Wed Aug 10, 2016 12:49 pm
It's not just "sha256"? (If "ripemd160" equals PBKDF2-ripemd160?)

frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
Posted: Wed Aug 10, 2016 2:08 pm
PBKDF is implied... you probably want -h sha512, not that it matters much. [This only affects the passphrase, not data encryption.]
Default should be fine too (aes-xts-plain64, sha1), so you just don't have to specify these options with recent cryptsetup.

Apheus Guru
Joined: 12 Jul 2008 Posts: 422
Posted: Wed Aug 10, 2016 2:32 pm
Thank you. With your answers and some Wikipedia reading, I now know that I confused the terms "cryptographic hash function" and "key derivation function". Both must be combined, and cryptsetup always uses PBKDF2 as the key derivation function.
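
The resolution of this thread as an added example (not part of any post above): the `PBKDF2-` prefix in the `cryptsetup benchmark` output names the key derivation function, while `-h` expects only the hash it is built on. PBKDF2 is written out here so the role of the hash is visible; the function names and the passphrase, salt and iteration count are constructed for illustration.

```python
import hashlib
import hmac

def luks_hash_spec(label: str) -> str:
    """Map a benchmark label such as 'PBKDF2-sha256' to the bare hash name
    that -h expects (hypothetical helper, not part of cryptsetup)."""
    name = label.strip().lower()
    if name.startswith("pbkdf2-"):
        name = name[len("pbkdf2-"):]
    if name not in hashlib.algorithms_available:
        raise ValueError(f"hash {name!r} is not available in this Python build")
    return name

def pbkdf2(hash_name: str, password: bytes, salt: bytes,
           iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 8018) spelled out: the hash is only the building block of
    the HMAC that the KDF iterates, so every hash yields a different KDF."""
    hlen = hashlib.new(hash_name).digest_size
    out, block = b"", 1
    while len(out) < dklen:
        # U_1 = HMAC(password, salt || INT(block)); U_i = HMAC(password, U_{i-1})
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hash_name).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t ^= int.from_bytes(u, "big")  # T = U_1 xor U_2 xor ... xor U_c
        out += t.to_bytes(hlen, "big")
        block += 1
    return out[:dklen]

def derive_demo() -> dict:
    """Derive a 256-bit key from one passphrase under three hash choices."""
    # Constructed inputs, not taken from a real LUKS header.
    passphrase, salt, iterations = b"correct horse", bytes(range(32)), 1000
    results = {}
    for label in ("PBKDF2-sha1", "PBKDF2-sha256", "PBKDF2-sha512"):
        h = luks_hash_spec(label)
        key = pbkdf2(h, passphrase, salt, iterations, 32)
        # Cross-check the hand-written loop against the standard library.
        assert key == hashlib.pbkdf2_hmac(h, passphrase, salt, iterations, 32)
        results[h] = key.hex()
    return results

if __name__ == "__main__":
    for h, key in derive_demo().items():
        print(f"-h {h:<6} -> {key}")
```
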