Linux – Booting encrypted root partition fails after system update

boot, cryptsetup, encryption, kernel, linux

I have a problem booting my Debian Linux server. After a system update, GRUB loads the initrd and the system should ask for the password, but it doesn't. Instead, I get dropped to BusyBox. After trying to mount the encrypted volume manually with cryptsetup luksOpen, I get this error:

device-mapper: table: 254:0: crypt: Error allocating crypto tfm
device-mapper: reload ioctl failed: Invalid argument
Failed to setup dm-crypt key mapping for device /dev/sda3
Check that the kernel supports aes-cbc-essiv:sha256 cipher (check syslog for more info).


Best Answer

Your kernel lacks support for aes-cbc-essiv:sha256. “Error allocating crypto tfm” refers to the kernel's cryptographic subsystem: some necessary cryptographic data structure couldn't be initialized. Your support for cryptographic algorithms comes in modules, and you have a module for the AES algorithm and a module for the SHA-256 algorithm, but no module for the CBC mode. You will not be able to mount your encrypted device without it.

If you compiled your own kernel, make sure to enable all necessary crypto algorithms. If your kernel comes from your distribution, this may be a bug that you need to report. In either case, there must be a module /lib/modules/2.6.32-5-amd64/kernel/crypto/cbc.ko. If the module exists, then your problem is instead with the initramfs generation script.

In addition to the cbc module, you need other kernel components to tie the crypto together. Check that CRYPTO_MANAGER, CRYPTO_RNG2 and CRYPTO_BLKCIPHER2 are set in your kernel configuration. Debian's initramfs building script should take care of these even if they're compiled as modules. As the crypto subsystem is rather complex, there may be other vital components that are missing from the initramfs script. If you need further help, read through the discussion of bug #541835, and post your exact kernel version, as well as your kernel configuration if you compiled it yourself.

You will need to boot from a rescue system with the requisite crypto support to repair this. Mount your root filesystem, chroot into it, mount /boot, and run dpkg-reconfigure linux-image-… to regenerate the initramfs.
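The checks the answer describes, put together as an added example in POSIX shell (this is not code from the original post): is each required CRYPTO_* symbol built in or built as a module, and, for every symbol built as a module, does the initramfs actually carry the module file? It runs against constructed sample files that stand in for /boot/config-$(uname -r) and the output of lsinitramfs; the sample initramfs listing is missing cbc.ko, which reproduces the situation in the question. The pairing of each config symbol with a module file name is an assumption of the example (cbc.ko is the one the answer names; the others are the 2.6.32-era crypto module names).

```shell
#!/bin/sh
# Added example, not part of the original post. Audits a Debian kernel config and an
# initramfs listing for the pieces dm-crypt needs for aes-cbc-essiv:sha256.
# On a real system use /boot/config-$(uname -r) and the output of
# "lsinitramfs /boot/initrd.img-$(uname -r)" instead of the constructed files below.

# Required config symbols (the ones the answer names plus the cipher primitives),
# each paired with the module file it produces when set to =m.
# ASSUMPTION: module file names are the 2.6.32-era ones; check your own tree.
REQUIRED="
CRYPTO_AES=kernel/crypto/aes_generic.ko
CRYPTO_CBC=kernel/crypto/cbc.ko
CRYPTO_SHA256=kernel/crypto/sha256_generic.ko
CRYPTO_MANAGER=kernel/crypto/cryptomgr.ko
CRYPTO_RNG2=kernel/crypto/rng.ko
CRYPTO_BLKCIPHER2=kernel/crypto/blkcipher.ko
"

# config_state CONFIGFILE SYMBOL -> prints y (built in), m (module) or n (not set)
config_state() {
    v=$(grep -E "^CONFIG_$2=" "$1" | head -n1 | cut -d= -f2)
    case "$v" in
        y|m) printf '%s\n' "$v" ;;
        *)   printf 'n\n' ;;
    esac
}

# check_config CONFIGFILE -> 0 if every required symbol is y or m, else 1
# (prints each symbol that is missing, which means a kernel rebuild or a bug report)
check_config() {
    rc=0
    for entry in $REQUIRED; do
        sym=${entry%%=*}
        if [ "$(config_state "$1" "$sym")" = n ]; then
            echo "missing from kernel config: CONFIG_$sym"
            rc=1
        fi
    done
    return $rc
}

# check_initramfs CONFIGFILE LISTING -> 0 if every symbol built as =m has its module
# in the lsinitramfs-style listing, else 1. Symbols built as =y need no module file.
# A failure here means the initramfs generation script is the problem, not the kernel.
check_initramfs() {
    rc=0
    for entry in $REQUIRED; do
        sym=${entry%%=*}
        mod=${entry#*=}
        if [ "$(config_state "$1" "$sym")" = m ] && ! grep -q "/$mod\$" "$2"; then
            echo "built as module but absent from initramfs: $mod"
            rc=1
        fi
    done
    return $rc
}

# --- constructed sample data (not taken from a real system) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/config" <<'EOF'
CONFIG_CRYPTO_AES=m
CONFIG_CRYPTO_CBC=m
CONFIG_CRYPTO_SHA256=m
CONFIG_CRYPTO_MANAGER=m
CONFIG_CRYPTO_RNG2=m
CONFIG_CRYPTO_BLKCIPHER2=m
EOF
# lsinitramfs-style listing with cbc.ko missing, matching the error in the question
cat > "$TMP/initramfs.lst" <<'EOF'
lib/modules/2.6.32-5-amd64/kernel/crypto/aes_generic.ko
lib/modules/2.6.32-5-amd64/kernel/crypto/sha256_generic.ko
lib/modules/2.6.32-5-amd64/kernel/crypto/cryptomgr.ko
lib/modules/2.6.32-5-amd64/kernel/crypto/rng.ko
lib/modules/2.6.32-5-amd64/kernel/crypto/blkcipher.ko
lib/modules/2.6.32-5-amd64/kernel/drivers/md/dm-crypt.ko
EOF

check_config "$TMP/config" && echo "kernel config: all required crypto symbols present"
check_initramfs "$TMP/config" "$TMP/initramfs.lst" \
    || echo "initramfs incomplete: regenerate it from a rescue system (chroot, mount /boot, dpkg-reconfigure the linux-image package)"
```

If check_config fails, the kernel itself lacks the algorithm and the initramfs cannot be fixed without a different kernel; if only check_initramfs fails, the kernel is fine and regenerating the initramfs as the answer describes is the repair. Either function can also be pointed at a second config to compare the kernel that booted before the update with the one that does not.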
