Gentoo Forums
[SOLVED] Requested LUKS hash PBKDF2-sha256 is not supported.
Apheus
Guru

Joined: 12 Jul 2008
Posts: 422

Posted: Wed Aug 10, 2016 11:12 am    Post subject: [SOLVED] Requested LUKS hash PBKDF2-sha256 is not supported.

I always encrypt my partitions, usually with hash "ripemd160". However, I want to try PBKDF2 on a new partition:

Code:
cryptsetup luksFormat -c aes-xts-plain64 -h PBKDF2-sha256 -s 256 /dev/sda1 <keyfile>


The result:

Code:
WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.

Are you sure? (Type uppercase yes): YES
Requested LUKS hash PBKDF2-sha256 is not supported.


It is shown by "cryptsetup benchmark":

Code:
# cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1      1219274 iterations per second
PBKDF2-sha256     837520 iterations per second
PBKDF2-sha512     672164 iterations per second
PBKDF2-ripemd160  774428 iterations per second
PBKDF2-whirlpool  312076 iterations per second
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   128b   715.6 MiB/s  3026.9 MiB/s
 serpent-cbc   128b    97.5 MiB/s   611.7 MiB/s
 twofish-cbc   128b   201.9 MiB/s   389.5 MiB/s
     aes-cbc   256b   529.5 MiB/s  2339.0 MiB/s
 serpent-cbc   256b    97.7 MiB/s   612.0 MiB/s
 twofish-cbc   256b   202.7 MiB/s   389.5 MiB/s
     aes-xts   256b  2579.9 MiB/s  2565.6 MiB/s
 serpent-xts   256b   611.5 MiB/s   594.4 MiB/s
 twofish-xts   256b   378.6 MiB/s   386.0 MiB/s
     aes-xts   512b  1992.9 MiB/s  1977.0 MiB/s
 serpent-xts   512b   612.6 MiB/s   594.1 MiB/s
 twofish-xts   512b   379.1 MiB/s   384.8 MiB/s


I cannot find anything "PBKDF2" in kernel config.

"ripemd160" works.

kernel 4.4.6-gentoo, sys-fs/cryptsetup-1.6.5, amd64 system.

What is necessary to get PBKDF2 working?

Thanks.


Last edited by Apheus on Wed Aug 10, 2016 2:33 pm; edited 1 time in total
freke
l33t

Joined: 23 Jan 2003
Posts: 976
Location: Somewhere in Denmark

Posted: Wed Aug 10, 2016 12:49 pm

It's not just "sha256"? (If "ripemd160" equals PBKDF2-ripemd160?)
frostschutz
Advocate

Joined: 22 Feb 2005
Posts: 2977
Location: Germany

Posted: Wed Aug 10, 2016 2:08 pm

PBKDF is implied... you probably want -h sha512, not that it matters much. [this only affects passphrase, not data encryption]

default should be fine too ( aes-xts-plain64, sha1 ) so you just don't have to specify these options with recent cryptsetup
Apheus
Guru

Joined: 12 Jul 2008
Posts: 422

Posted: Wed Aug 10, 2016 2:32 pm

Thank you. With your answers and some Wikipedia reading, I know now that I confused the terms "cryptographic hash function" and "key derivation function". Both must be combined, and cryptsetup always uses PBKDF2 as key derivation function.
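The distinction the thread arrives at, shown as an added example that is not part of the original posts: PBKDF2 is the key derivation function, and the value given to `-h` only names the hash it iterates. The helper names, passphrase and salt below are constructed for illustration, and the sketch covers only the passphrase-stretching step, not LUKS header handling.

```python
import hashlib
import time


def luks_hash_option(label: str) -> str:
    """Map a benchmark label such as 'PBKDF2-sha256' to the bare hash name for -h."""
    kdf, sep, rest = label.partition("-")
    name = (rest if sep and kdf.upper() == "PBKDF2" else label).lower()
    if name not in hashlib.algorithms_available:
        raise ValueError(f"hash {name!r} is not available in this Python build")
    return name


def derive_key(passphrase: bytes, salt: bytes, hash_name: str,
               iterations: int, key_bytes: int = 32) -> bytes:
    """PBKDF2 is the KDF; hash_name only selects the HMAC hash it iterates."""
    return hashlib.pbkdf2_hmac(hash_name, passphrase, salt, iterations, dklen=key_bytes)


def pbkdf2_rate(hash_name: str, probe_iterations: int = 50_000) -> int:
    """Rough iterations-per-second figure, measured in memory only."""
    start = time.perf_counter()
    # Constructed passphrase and all-zero 32-byte salt, used for timing only.
    derive_key(b"constructed passphrase", bytes(32), hash_name, probe_iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return int(probe_iterations / elapsed)


if __name__ == "__main__":
    # Labels copied from the benchmark output quoted in the thread.
    for label in ("PBKDF2-sha1", "PBKDF2-sha256", "PBKDF2-sha512"):
        name = luks_hash_option(label)
        print(f"{label:<16} {pbkdf2_rate(name):>9} iterations per second   use: -h {name}")
```

The same passphrase and salt give unrelated keys under different hashes, which is why the hash recorded at format time must be used again at unlock time.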