I am trying to encrypt some partitions with cryptsetup, but I get the error "IO error while decrypting keyslot."
The command and output are:
root@rescue ~ # cryptsetup --debug --verbose --cipher aes-xts-plain64 --key-size 256 --hash sha256 --iter-time 6000 luksFormat /dev/sda3
# cryptsetup 1.6.6 processing "cryptsetup --debug --verbose --cipher aes-xts-plain64 --key-size 256 --hash sha256 --iter-time 6000 luksFormat /dev/sda3"
# Running command luksFormat.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.
Are you sure? (Type uppercase yes): YES
# Allocating crypt device /dev/sda3 context.
# Trying to open and read device /dev/sda3.
# Initialising device-mapper backend library.
# Timeout set to 0 miliseconds.
# Iteration time set to 6000 miliseconds.
# Interactive passphrase entry requested.
Enter passphrase:
Verify passphrase:
# Formatting device /dev/sda3 as type LUKS1.
# Crypto backend (gcrypt 1.6.3) initialized.
# Detected kernel Linux 4.9.85 x86_64.
# Topology: IO (512/0), offset = 0; Required alignment is 1048576 bytes.
# Checking if cipher aes-xts-plain64 is usable.
# Using userspace crypto wrapper to access keyslot area.
IO error while decrypting keyslot.
# Releasing crypt device /dev/sda3 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code 5: IO error while decrypting keyslot.
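I did find the code that raises this error, here, but it did not give me any insight.
As can be seen from the output, the partition has been formatted, but the keyslot has not been written.
/dev/sda is a 3ware RAID array, and the partition table was written to the device by the Debian installer. I (inadvertently) found that I can create a LUKS container on the whole device, but that is not a viable workaround for me, because it is the only storage device on the server and I need an unencrypted /boot partition.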
Answer 1
I figured this out. Before the command in my question, I had tried the same thing while specifying the partition by UUID, for example:
cryptsetup <options> luksFormat /dev/disk/by-uuid/<disk uuid>
During this operation, the UUID changes. I don't understand the details, but in the end the partition table was corrupted.
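
The answer reports that the by-uuid path changed while luksFormat was running. As an added example (not from the original post or from the cryptsetup project), the following pre-flight check resolves such a symlink to its kernel device node first and refuses targets that are mounted or are not block devices; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pin the kernel device node before luksFormat instead of
# passing a /dev/disk/by-uuid/ symlink. Function names are hypothetical.

# Resolve a device path (possibly a by-uuid symlink) to its canonical node.
resolve_node() {
    readlink -f -- "$1"
}

# Return 0 if the node appears as a mount source in the given mounts table.
# $2 defaults to /proc/mounts; a constructed file can be passed for testing.
is_mounted() {
    node=$1
    table=${2:-/proc/mounts}
    while read -r src _rest; do
        # Mount sources may themselves be symlinks; compare canonical paths.
        case $src in
            /*) [ "$(readlink -f -- "$src")" = "$node" ] && return 0 ;;
        esac
    done < "$table"
    return 1
}

# Print the cryptsetup command to run against the pinned node, or fail.
preflight() {
    node=$(resolve_node "$1") || return 1
    if [ ! -b "$node" ]; then
        echo "refusing: $node is not a block device" >&2
        return 1
    fi
    if is_mounted "$node"; then
        echo "refusing: $node is mounted" >&2
        return 1
    fi
    echo "cryptsetup luksFormat $node"
}

# Only act when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

The script only prints the command for the resolved node, so the target can be compared against the partition table before anything is written.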