Luks broken after update

I’ve been using luks on boot for a while to encrypt / (/boot is not encrypted).
My configuration looked like this:

  boot.initrd.luks.devices = [
    { name = "root"; device = "/dev/sda6"; }

I haven’t updated for a while. Now, I finally did. It looks like the fields changed, so I put this:

  boot.initrd.luks.devices = {
    root = { device = "/dev/sda6"; };

However, when I reboot, I get the message

device-mapper: error allocating crypto tfm
device-mapper: reload ioctl on root (254:0) failed: No such file or directory

For reference, “root” is the name of the encrypted section in the partition and 254:0 is the block device for dm-0, normally /dev/dm-0.

If I put in something other than my password, I get a message saying that no such key is found. So, it is able to read the partition and the keys in the partition. So, I’m not sure where it is failing. I tried using the kernel argv options to get a shell, but none of them worked, so I ended up putting sh -i in the luks initrd script. That worked. If I put in the same cryptsetup command, I get the same error. It only shows the same message as above in dmesg.

Looking at what was being used:

cryptsetup luksDump /dev/sda6
Version:       	1
Cipher name:   	aes
Cipher mode:   	cbc-essiv:sha256
Hash spec:     	sha1

I checked from initrd which modules it had, and it had dm_mod and dm_crypt. /proc/crypto had aes, cbc, and sha256. So, it seemed to have the necessary parts.

So, where else should I look for error messages to find why it’s unhappy? Is this likely to be caused by missing modules or what else?

This looks related: linux - Booting encrypted root partion fails after system update - Unix & Linux Stack Exchange

Does essiv have to be explicitly enabled as well? I wonder if nixos-generate-config --show-hardware-config would print something slightly different than what you have now.

Thank you! That was it. I am finally on the new kernel. Apparently essiv is in a separate module now and needs to be explicitly loaded if you have a disk using it.

  boot.initrd.kernelModules = [ "essiv" ];