# [SOLVED] Requested LUKS hash PBKDF2-sha256 is not supported.

## Apheus

I always encrypt my partitions, usually with hash "ripemd160". However, I want to try PBKDF2 on a new partition:

```
cryptsetup luksFormat -c aes-xts-plain64 -h PBKDF2-sha256 -s 256 /dev/sda1 <keyfile>
```

The result:

```
WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.

Are you sure? (Type uppercase yes): YES
Requested LUKS hash PBKDF2-sha256 is not supported.
```

It is shown by "cryptsetup benchmark":

```
# cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1      1219274 iterations per second
PBKDF2-sha256     837520 iterations per second
PBKDF2-sha512     672164 iterations per second
PBKDF2-ripemd160  774428 iterations per second
PBKDF2-whirlpool  312076 iterations per second
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   128b   715.6 MiB/s  3026.9 MiB/s
 serpent-cbc   128b    97.5 MiB/s   611.7 MiB/s
 twofish-cbc   128b   201.9 MiB/s   389.5 MiB/s
     aes-cbc   256b   529.5 MiB/s  2339.0 MiB/s
 serpent-cbc   256b    97.7 MiB/s   612.0 MiB/s
 twofish-cbc   256b   202.7 MiB/s   389.5 MiB/s
     aes-xts   256b  2579.9 MiB/s  2565.6 MiB/s
 serpent-xts   256b   611.5 MiB/s   594.4 MiB/s
 twofish-xts   256b   378.6 MiB/s   386.0 MiB/s
     aes-xts   512b  1992.9 MiB/s  1977.0 MiB/s
 serpent-xts   512b   612.6 MiB/s   594.1 MiB/s
 twofish-xts   512b   379.1 MiB/s   384.8 MiB/s
```

I cannot find anything "PBKDF2" in kernel config.

"ripemd160" works.

kernel 4.4.6-gentoo, sys-fs/cryptsetup-1.6.5, amd64 system.

What is necessary to get PBKDF2 working?

Thanks.

Last edited by Apheus on Wed Aug 10, 2016 2:33 pm; edited 1 time in total

----------

## freke

It's not just "sha256"? (If "ripemd160" equals PBKDF2-ripemd160?)

----------

## frostschutz

PBKDF is implied... you probably want -h sha512, not that it matters much. [This only affects the passphrase, not data encryption.]

The default should be fine too (aes-xts-plain64, sha1), so you just don't have to specify these options with recent cryptsetup.

----------

## Apheus

Thank you. With your answers and some Wikipedia reading, I now know that I confused the terms "cryptographic hash function" and "key derivation function". Both must be combined, and cryptsetup always uses PBKDF2 as the key derivation function.

----------
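The distinction the thread arrives at, as an added example that is not part of the original posts: PBKDF2 is the key derivation function and the `-h` value only names the hash used inside it. The sketch uses Python's `hashlib.pbkdf2_hmac` rather than cryptsetup's own code; the passphrase, salt and iteration count are constructed values, and `hash_args` and `derive` are hypothetical helper names.

```python
import hashlib
import re

# Constructed sample: the PBKDF2 rows of the `cryptsetup benchmark` output above.
BENCHMARK = """\
PBKDF2-sha1      1219274 iterations per second
PBKDF2-sha256     837520 iterations per second
PBKDF2-sha512     672164 iterations per second
PBKDF2-ripemd160  774428 iterations per second
PBKDF2-whirlpool  312076 iterations per second
"""


def hash_args(benchmark_text):
    """Map each 'PBKDF2-<hash>' benchmark label to the bare hash name for -h."""
    rows = re.findall(r"^PBKDF2-(\S+)\s+(\d+) iterations per second$",
                      benchmark_text, re.M)
    return {name: int(rate) for name, rate in rows}


def derive(passphrase, salt, hash_name, iterations, length=32):
    """Run PBKDF2; hash_name only selects the HMAC hash used inside the KDF."""
    try:
        return hashlib.pbkdf2_hmac(hash_name, passphrase, salt, iterations, length)
    except ValueError:
        # Not a hash name (e.g. "PBKDF2-sha256"), or a hash such as
        # ripemd160/whirlpool that this OpenSSL build does not provide.
        return None


if __name__ == "__main__":
    passphrase, salt = b"constructed passphrase", b"constructed-salt"
    for name, rate in hash_args(BENCHMARK).items():
        key = derive(passphrase, salt, name, 1000)  # constructed iteration count
        shown = key.hex()[:16] + "..." if key else "hash unavailable here"
        print(f"-h {name:<10} benchmark {rate:>8}/s  key {shown}")
    # The KDF name is not a hash name, so it is rejected as a hash:
    print("-h PBKDF2-sha256 ->", derive(passphrase, salt, "PBKDF2-sha256", 1000))
```
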

