# kernel level dm-crypt does not work?

## dE_logics

I've installed cryptsetup with kernel USE. The kernel configuration --

http://pastebin.com/Y5CFMnq3

Cryptsetup complaints 'Cannot initialize crypto backend'

dm-crypt is present, aes modules are loaded, urandom is there.

lsmod

Module                  Size  Used by

algif_skcipher          4984  0

ablk_helper             1336  0

cryptd                  4864  1 ablk_helper

xts                     2296  0

gf128mul                4664  1 xts

ecb                     1336  0

cbc                     2040  0

aes_x86_64              6904  0

crypto_null             2040  0

algif_hash              2552  0

af_alg                  3712  2 algif_hash,algif_skcipher

loop                   15048  1

dm_crypt               13696  0

dm_mod                 61312  1 dm_crypt

sr_mod                 12548  0

cdrom                  23039  1 sr_mod

desktopminer linux-3.17.1-gentoo # cryptsetup --debug -c aes-cbc-null

--key-size 256 create burn /dev/loop0

# cryptsetup 1.6.5 processing "cryptsetup --debug -c aes-cbc-null

--key-size 256 create burn /dev/loop0"

# Running command open.

# Locking memory.

# Installing SIGINT/SIGTERM handler.

# Unblocking interruption on signal.

# Allocating crypt device /dev/loop0 context.

# Trying to open and read device /dev/loop0.

# Initialising device-mapper backend library.

# Timeout set to 0 miliseconds.

# Password retry count set to 3.

# Formatting device /dev/loop0 as type PLAIN.

Cannot initialize crypto backend.

# Crypto backend () initialized.

# Releasing crypt device /dev/loop0 context.

# Releasing device-mapper backend.

# Unlocking memory.

Command failed with code 22: Cannot initialize crypto backend.

Thanks for any help!

----------

## Hu

Your problem is not with "kernel level" dm-crypt, since dm-crypt is always done at kernel level.  Your problem is that cryptsetup cannot access the kernel-provided cryptography that can be exported to user space.  Your configuration shows you built the user cryptographic APIs as modules, but your lsmod says they are not loaded.  Your hostname is desktopminer, which makes me think this is not an embedded system.  Note the warning in the cryptsetup ebuild:

```
        ewarn "Note that kernel backend is very slow for this type of operation"

        ewarn "and is provided mainly for embedded systems wanting to avoid"

        ewarn "userspace crypto libraries."

```

If you are using a full featured desktop, you would be better off using one of the other crypto backends.

----------

## frostschutz

Not sure why it says kernel backend is slow. The default gcrypt backend is actually the slowest, on my Haswell box.

http://www.metamorpher.de/files/cryptsetup-benchmark.html

Nettle is the fastest. It does not support whirlpool though.

For kernel backend to work, you must also enable sha1 in the kernel even if you're using sha512 for LUKS. sha1 is used for some initialization or other, so it won't work without... if in doubt, enable everything crypto in the kernel.

----------

## dE_logics

 *Hu wrote:*   

> Your problem is not with "kernel level" dm-crypt, since dm-crypt is always done at kernel level.  Your problem is that cryptsetup cannot access the kernel-provided cryptography that can be exported to user space.  Your configuration shows you built the user cryptographic APIs as modules, but your lsmod says they are not loaded.  Your hostname is desktopminer, which makes me think this is not an embedded system.  Note the warning in the cryptsetup ebuild:
> 
> ```
>         ewarn "Note that kernel backend is very slow for this type of operation"
> 
> ...

 

I suggest the warning be removed. That is not true.

@frostschutz

Yes, sha1 modules and USER_API_HASH

Thanks!

----------

