I’ve been using LUKS on boot for a while to encrypt / (/boot is not encrypted).
My configuration looked like this:
boot.initrd.luks.devices = [
{ name = "root"; device = "/dev/sda6"; }
];
I haven’t updated for a while. Now, I finally did. It looks like the fields changed, so I put this:
boot.initrd.luks.devices = {
  root = { device = "/dev/sda6"; };
};
However, when I reboot, I get the message
device-mapper: error allocating crypto tfm
device-mapper: reload ioctl on root (254:0) failed: No such file or directory
For reference, “root” is the name of the encrypted section in the partition and 254:0 is the block device for dm-0, normally /dev/dm-0.
If I put in something other than my password, I get a message saying that no such key is found. So, it is able to read the partition and the keys in the partition. So, I’m not sure where it is failing. I tried using the kernel argv options to get a shell, but none of them worked, so I ended up putting sh -i in the LUKS initrd script. That worked. If I put in the same cryptsetup command, I get the same error. It only shows the same message as above in dmesg.
Looking at what was being used:
cryptsetup luksDump /dev/sda6
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
I checked from initrd which modules it had, and it had dm_mod and dm_crypt. /proc/crypto had aes, cbc, and sha256. So, it seemed to have the necessary parts.
So, where else should I look for error messages to find why it’s unhappy? Is this likely to be caused by missing modules or what else?
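The check described in the post (comparing the luksDump cipher spec with /proc/crypto), written out as an added example that is not part of the original post. The function names are hypothetical and the /proc/crypto excerpt is constructed; it assumes a 5.4 or later kernel, where dm-crypt requests ESSIV through a separate `essiv` crypto template rather than implementing it internally.

```shell
#!/bin/sh
# needed_algs CIPHER MODE: print one kernel crypto name per line.
# MODE is the luksDump "Cipher mode" value, e.g. cbc-essiv:sha256.
needed_algs() {
    cipher=$1
    chain=${2%%-*}                  # block mode: cbc, xts, ...
    iv=${2#"$chain"}; iv=${iv#-}    # IV generator: essiv:sha256, plain64, ''
    printf '%s\n' "$cipher" "$chain"
    case $iv in
        # Assumption: kernel 5.4+, where ESSIV is its own template.
        essiv:*) printf '%s\n' essiv "${iv#essiv:}" ;;
    esac
}

# seen_in ALG FILE: true if ALG is a whole token on a name, driver or
# module line ("cbc" matches "cbc(aes)"; "aes" does not match "aesni").
seen_in() {
    grep -E '^(name|driver|module)[[:space:]]*:' "$2" |
        sed 's/^[^:]*://' | tr -c 'A-Za-z0-9_\n' '\n' |
        grep -Fx -- "$1" >/dev/null
}

# missing_algs CIPHER MODE FILE: print the needed names not seen in FILE.
missing_algs() {
    for alg in $(needed_algs "$1" "$2"); do
        seen_in "$alg" "$3" || printf '%s\n' "$alg"
    done
}

# Constructed /proc/crypto excerpt with only aes, cbc and sha256 present.
sample_crypto() {
    cat <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel

name         : sha256
driver       : sha256-generic
module       : sha256_generic

name         : aes
driver       : aes-generic
module       : aes_generic
EOF
}

tmp=$(mktemp) && sample_crypto > "$tmp"
missing_algs aes cbc-essiv:sha256 "$tmp"    # prints: essiv
rm -f "$tmp"
```

In the initrd shell, pass `/proc/crypto` as the third argument. A template that has never been instantiated does not appear there, so a name reported as missing is a prompt to check the initrd's module list rather than proof that the module is absent.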