LUKS Automatic decrypt of hdd fails, but only for number of drives greater than 7

mcflym · Nov 27th 2021

Hi,

I'm using luks for drive encryption. I decrypt the drives at bootup via usb-stick, /etc/crypttab:

Code

sda-crypt UUID=fbc503de-a359-41e8-9f74-bd009a4ff5b6 /dev/disk/by-id/usb luks,tries=3,keyfile-size=8192,keyfile-offset=512
sdb-crypt UUID=eea24687-f2f4-4738-b47d-a2b8840a815e /dev/disk/by-id/usb luks,tries=3,keyfile-size=8192,keyfile-offset=512
sdc-crypt UUID=1d51afa7-6ee0-4a0d-b568-7f4b9e0f7ada /dev/disk/by-id/usb luks,tries=3,keyfile-size=8192,keyfile-offset=512
sdd-crypt UUID=01139fc6-56bc-42b2-b863-199695d68d1e /dev/disk/by-id/usb luks,tries=3,keyfile-size=8192,keyfile-offset=512
sde-crypt UUID=5826dfc3-bfe4-4f62-a266-f169870dec75 /dev/disk/by-id/usb luks,tries=3,keyfile-size=8192,keyfile-offset=512
sdf-crypt UUID=3757d17b-a7e0-4bba-828d-53f87becafa5 /dev/disk/by-id/usb luks,tries=3,keyfile-size=8192,keyfile-offset=512
sdi-crypt UUID=07d49183-b216-44fb-b016-88951c4a6036 /dev/disk/by-id/usb luks,tries=3,keyfile-size=8192,keyfile-offset=512
sdj-crypt UUID=1b9f32c0-10f1-4cf3-84b1-b065d86aabfd /dev/disk/by-id/usb luks,tries=3,keyfile-size=8192,keyfile-offset=512

as you can see, the number of drives are 8 and this doesn't work. If I reduce this number to 7 or lower, the bootup works as expected.

Here are some log infos.

Code

root@omv:~# systemctl --state=failed
  UNIT                                    LOAD   ACTIVE SUB    DESCRIPTION
● systemd-cryptsetup@sda\x2dcrypt.service loaded failed failed Cryptography Setup for sda-crypt
● systemd-cryptsetup@sdf\x2dcrypt.service loaded failed failed Cryptography Setup for sdf-crypt

The drives are different at every boot:

Code

root@omv:~# systemctl --state=failed
  UNIT                                    LOAD   ACTIVE SUB    DESCRIPTION
● systemd-cryptsetup@sda\x2dcrypt.service loaded failed failed Cryptography Setup for sda-crypt
● systemd-cryptsetup@sdb\x2dcrypt.service loaded failed failed Cryptography Setup for sdb-crypt
● systemd-cryptsetup@sdd\x2dcrypt.service loaded failed failed Cryptography Setup for sdd-crypt
● systemd-cryptsetup@sde\x2dcrypt.service loaded failed failed Cryptography Setup for sde-crypt
● systemd-cryptsetup@sdf\x2dcrypt.service loaded failed failed Cryptography Setup for sdf-crypt

bootup:

Code

Nov 27 16:09:36 omv systemd[1]: Starting Cryptography Setup for sdd-crypt...
Nov 27 16:09:36 omv systemd[1]: Starting Cryptography Setup for sdj-crypt...
Nov 27 16:09:36 omv systemd[1]: Starting Cryptography Setup for sdc-crypt...
Nov 27 16:09:36 omv systemd[1]: Starting Cryptography Setup for sdb-crypt...
Nov 27 16:09:36 omv systemd[1]: Starting Cryptography Setup for sda-crypt...
Nov 27 16:09:36 omv systemd[1]: Starting Cryptography Setup for sde-crypt...
Nov 27 16:09:36 omv systemd[1]: Starting Cryptography Setup for sdi-crypt...
Nov 27 16:09:36 omv systemd[1]: Starting Cryptography Setup for sdf-crypt...
Nov 27 16:09:36 omv systemd-cryptsetup[642]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/fbc503de-a359-41e8-9f74-bd009a4ff5b6.
Nov 27 16:09:36 omv systemd-cryptsetup[646]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/07d49183-b216-44fb-b016-88951c4a6036.
Nov 27 16:09:36 omv systemd-cryptsetup[638]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/01139fc6-56bc-42b2-b863-199695d68d1e.
Nov 27 16:09:36 omv systemd-cryptsetup[645]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/5826dfc3-bfe4-4f62-a266-f169870dec75.
Nov 27 16:09:36 omv systemd-cryptsetup[647]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/3757d17b-a7e0-4bba-828d-53f87becafa5.
Nov 27 16:09:36 omv systemd-cryptsetup[640]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/1d51afa7-6ee0-4a0d-b568-7f4b9e0f7ada.
Nov 27 16:09:36 omv systemd-cryptsetup[639]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/1b9f32c0-10f1-4cf3-84b1-b065d86aabfd.
Nov 27 16:09:36 omv systemd-cryptsetup[641]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/eea24687-f2f4-4738-b47d-a2b8840a815e.
Nov 27 16:09:36 omv systemd[1]: Started Raise network interfaces.
Nov 27 16:09:36 omv systemd[1]: systemd-cryptsetup@sdd\x2dcrypt.service: Main process exited, code=killed, status=9/KILL
Nov 27 16:09:36 omv systemd[1]: systemd-cryptsetup@sdd\x2dcrypt.service: Failed with result 'signal'.
Nov 27 16:09:36 omv systemd[1]: Failed to start Cryptography Setup for sdd-crypt.
Nov 27 16:09:36 omv systemd[1]: Dependency failed for Local Encrypted Volumes.
Nov 27 16:09:36 omv systemd[1]: cryptsetup.target: Job cryptsetup.target/start failed with result 'dependency'.
Nov 27 16:09:36 omv systemd[1]: systemd-cryptsetup@sdb\x2dcrypt.service: Main process exited, code=killed, status=9/KILL
Nov 27 16:09:36 omv systemd[1]: systemd-cryptsetup@sdb\x2dcrypt.service: Failed with result 'signal'.
Nov 27 16:09:36 omv systemd[1]: Failed to start Cryptography Setup for sdb-crypt.
Nov 27 16:09:36 omv systemd[1]: systemd-cryptsetup@sda\x2dcrypt.service: Main process exited, code=killed, status=9/KILL
Nov 27 16:09:36 omv systemd[1]: systemd-cryptsetup@sda\x2dcrypt.service: Failed with result 'signal'.
Nov 27 16:09:36 omv systemd[1]: Failed to start Cryptography Setup for sda-crypt.
Nov 27 16:09:36 omv systemd[1]: systemd-cryptsetup@sde\x2dcrypt.service: Main process exited, code=killed, status=9/KILL
Nov 27 16:09:36 omv systemd[1]: systemd-cryptsetup@sde\x2dcrypt.service: Failed with result 'signal'.
Nov 27 16:09:36 omv systemd[1]: Failed to start Cryptography Setup for sde-crypt.
Nov 27 16:09:36 omv systemd[1]: systemd-cryptsetup@sdf\x2dcrypt.service: Main process exited, code=killed, status=9/KILL
Nov 27 16:09:36 omv systemd[1]: systemd-cryptsetup@sdf\x2dcrypt.service: Failed with result 'signal'.
Nov 27 16:09:36 omv systemd[1]: Failed to start Cryptography Setup for sdf-crypt.

Display More

What's going on here?

Are there some timing issues?

mcflym · Nov 28th 2021

I tried to boot with two usb-sticks and use one stick for four drives... Same issue.

I think there is a "limit" of decrypting at bootup in luks?!

Is there anyone who is decrypting more than 7 drives at bootup?

Code

systemctl status "systemd-cryptsetup@sda\\x2dcrypt.service"
Warning: The unit file, source configuration file or drop-ins of systemd-cryptsetup@sda\x2dcrypt.service changed on disk. Run 'systemctl daemon-reload' to reload units.
● systemd-cryptsetup@sda\x2dcrypt.service - Cryptography Setup for sda-crypt
   Loaded: loaded (/etc/crypttab; generated)
   Active: failed (Result: signal) since Sun 2021-11-28 11:57:30 CET; 3min 41s ago
     Docs: man:crypttab(5)
           man:systemd-cryptsetup-generator(8)
           man:systemd-cryptsetup@.service(8)
  Process: 644 ExecStart=/lib/systemd/systemd-cryptsetup attach sda-crypt /dev/disk/by-uuid/fbc503de-a359-41e8-9f74-bd009a4ff5b6 /dev/disk/by-id/usb luks,tries=3,keyfil
 Main PID: 644 (code=killed, signal=KILL)

Nov 28 11:57:15 omv systemd[1]: Starting Cryptography Setup for sda-crypt...
Nov 28 11:57:15 omv systemd-cryptsetup[644]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/fbc503de-a359-41e8-9f74-bd009a4ff5b6.
Nov 28 11:57:30 omv systemd[1]: systemd-cryptsetup@sda\x2dcrypt.service: Main process exited, code=killed, status=9/KILL
Nov 28 11:57:30 omv systemd[1]: systemd-cryptsetup@sda\x2dcrypt.service: Failed with result 'signal'.
Nov 28 11:57:30 omv systemd[1]: Failed to start Cryptography Setup for sda-crypt.

Display More

mcflym · Nov 29th 2021

There was an answer at the project-homepage

Quote

I'd need debug output to 100% sure but this is most probably caused by running out of system memory by running argon2 kdf in parallel (since systemd-cryptsetup processes are being killed by SIGKILL). It should be evident from syslog.

There's patch for it in systemd v244+ already (and it requires upstream cryptsetup v2.2.0 or later). See https://github.com/systemd/sys…dfbff1c95ce3210d06f256e58.

So it's related to the cryptsetup and systemd version (I'm using 2.2 and 241) and the memory-size I allocated to openmediavault. I have 8 GB of RAM, so I increase in the first step the allocated RAM to get the errors away and in future there will be a fix hopefully.

ryecoaaron · Nov 29th 2021

cryptsetup 2.3.5 and systemd 247 can be installed from backports on Debian 10.

LUKS Automatic decrypt of hdd fails, but only for number of drives greater than 7

mcflym Nov 27th 2021

mcflym Nov 28th 2021

ryecoaaron Nov 29th 2021

Participate now!