So, I use cryptsetup to encrypt a drive I have, so I would really like to continue using cryptsetup.
It is easy to emerge cryptsetup with emerge --ask sys-fs/cryptsetup.
Then, trying to run it, for example cryptsetup benchmark, I got the error:
Required kernel crypto interface not available.
Ensure you have algif_skcipher kernel module loaded.
I searched and found this thread. I extracted the parts I needed for it to work for me:
The following kernel configuration options needed to be enabled:
(If I recall correctly)
CONFIG_CRYPTO_XTS
CONFIG_CRYPTO_AES_X86_64
CONFIG_CRYPTO_AES_NI_INTEL
The first two are for my encryption algorithm xts-plain64. The Intel option is because I have an Intel CPU.
Still no go. I found I had to enable some hashes as well (logically):
CONFIG_CRYPTO_SHA1
CONFIG_CRYPTO_SHA1_SSSE3
CONFIG_CRYPTO_SHA256_SSSE3
CONFIG_CRYPTO_SHA512_SSSE3
CONFIG_CRYPTO_SHA1_MB
CONFIG_CRYPTO_SHA256
CONFIG_CRYPTO_SHA512
Still no go. Later in the thread I found that I needed these options as well (Yes, I am using it as a block device):
CONFIG_BLK_DEV_DM
CONFIG_DM_CRYPT
Still no go. I started to get really annoyed because I had chosen to include a lot of the options in the kernel, so for each new try I had to reboot the kernel. So, I searched for ‘algif’ in the thread and found that these options might also be needed:
CONFIG_CRYPTO_USER_API
CONFIG_CRYPTO_USER_API_HASH
CONFIG_CRYPTO_USER_API_SKCIPHER
I chose these options to be modules, and could load that module right away, without a reboot. That did the trick.
There was some debate in the thread about whether you need to include the options in the kernel to be able to boot if your root is encrypted. I don’t have it set up that way, so it didn’t bother me, but somebody said it should be able to boot with the crypto options as modules, because modules can be loaded during boot.
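To avoid the reboot-and-retry loop described above, the options named in this post can be checked against a kernel .config in one pass, along with whether the algif modules are loaded. This is an added example, not part of the original post; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how the kernel options named in the post are set
# in a kernel .config, and whether a given module is currently loaded.

# Option names copied from the post (CONFIG_ prefix is added when matching).
OPTS="CRYPTO_XTS CRYPTO_AES_X86_64 CRYPTO_AES_NI_INTEL CRYPTO_SHA1
CRYPTO_SHA1_SSSE3 CRYPTO_SHA256_SSSE3 CRYPTO_SHA512_SSSE3 CRYPTO_SHA1_MB
CRYPTO_SHA256 CRYPTO_SHA512 BLK_DEV_DM DM_CRYPT CRYPTO_USER_API
CRYPTO_USER_API_HASH CRYPTO_USER_API_SKCIPHER"

# opt_state <config-file> <OPTION>: prints y, m, or unset.
opt_state() {
    val=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${val:-unset}"
}

# check_config <config-file>: prints one "CONFIG_X state" line per option
# and returns 1 if any option is unset.
check_config() {
    rc=0
    for opt in $OPTS; do
        state=$(opt_state "$1" "$opt")
        printf 'CONFIG_%s %s\n' "$opt" "$state"
        if [ "$state" = unset ]; then rc=1; fi
    done
    return "$rc"
}

# module_loaded <name> [modules-file]: succeeds if the module is listed
# (default file: /proc/modules). Built-in (=y) code never appears there.
module_loaded() {
    grep -q "^$1 " "${2:-/proc/modules}"
}

# Constructed sample .config fragment, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_AES_NI_INTEL=y
CONFIG_CRYPTO_SHA256=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_USER_API_HASH=m
# CONFIG_CRYPTO_USER_API_SKCIPHER is not set
EOF
check_config "$sample" || echo "at least one option is unset"
rm -f "$sample"
```

On a real system, point check_config at /usr/src/linux/.config (or at an unpacked copy of /proc/config.gz, if the kernel provides it), and use module_loaded algif_skcipher to confirm the module from the error message is loaded.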