unofficial mirror of guix-devel@gnu.org 
* To anyone experiencing weird 'keyslot open failed' issues with cryptsetup
From: 45mg @ 2025-01-12  8:17 UTC (permalink / raw)
  To: guix-devel, help-guix

Hi Guix,

There is currently a bug in libgcrypt affecting cryptsetup that can
cause it to fail to create and open containers in some cases:

https://gitlab.com/cryptsetup/cryptsetup/-/issues/922

I encountered this when using the Guix installer and trying to open and
retrieve stuff from some very old containers of mine. The issue linked
above specifies `--pbkdf argon2i`, but I can confirm it also happens if
the container was created with `--pbkdf pbkdf2`. The current packaged
version of libgcrypt is 1.10.1, so I can confirm that this issue goes
back at least that far.

While the issue is fixed upstream [1], the fix came after the 1.11.0
release. 1.11.0 was released only six months ago [2], so the next
release may not be for a while.

For now, you can work around this by building cryptsetup with openssl,
and using that:

--8<---------------cut here---------------start------------->8---
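;; Modules providing the names used below.
(use-modules (guix packages)            ; package, package-arguments, modify-inputs
             (guix utils)               ; substitute-keyword-arguments
             (gnu packages cryptsetup)  ; cryptsetup
             (gnu packages gnupg)       ; libgcrypt
             (gnu packages tls))        ; openssl

;; Variant of cryptsetup that uses OpenSSL instead of libgcrypt as its
;; crypto backend.
(define-public cryptsetup-openssl
  (package
    (inherit cryptsetup)
    (name "cryptsetup-openssl")
    (arguments
     (substitute-keyword-arguments (package-arguments cryptsetup)
       ;; Swap the gcrypt backend flag for the openssl one; keep all
       ;; other configure flags unchanged.
       ((#:configure-flags flags ''())
        `(map
          (lambda (s)
            (if (equal? s "--with-crypto_backend=gcrypt")
                "--with-crypto_backend=openssl"
                s))
          ,flags))))
    ;; Replace the libgcrypt input with openssl.
    (inputs (modify-inputs (package-inputs cryptsetup)
              (delete libgcrypt)
              (append openssl)))))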
--8<---------------cut here---------------end--------------->8---

(I could send a patch to add this in Guix, but I'm currently waiting
either until my open patch [5] gets reviewed and into Guix, or to figure
out how to do an authenticated personal fork that I can apply my
not-yet-accepted patches to and pull from [3][4], before I contribute
new ones. Anyone who thinks this package makes sense in Guix is welcome
to do so themselves. Or you can just throw this into your system config,
like I did.)

At any rate - I'm sending this here because I found it really hard to
turn up that cryptsetup issue via a web search, and then to realize that
it's relevant to me. I haven't seen it reported in any of the popular
Linux or distro-specific forums, probably because most distros build
cryptsetup with openssl. Hopefully this helps with that. I nearly gave
up on installing Guix because of it.

Good luck,
45mg

[1] https://dev.gnupg.org/rC28327dba6b5ffae4a5e33da827fe0e2b48e99adb
[2] https://dev.gnupg.org/rC9d94d7846cde272b8b1519ba96e53967bf0b90d2
[3] https://lists.gnu.org/archive/html/help-guix/2023-09/msg00010.html
[4] https://lists.gnu.org/archive/html/help-guix/2025-01/msg00093.html
[5] https://issues.guix.gnu.org/75145
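
Added example (not part of the original message, and not code from cryptsetup or Guix): a shell check for which crypto backend a cryptsetup binary reports, to confirm that an OpenSSL-built variant is the one actually in use. It assumes that cryptsetup's `--debug` output contains a `# Crypto backend (...) initialized` line; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: cryptsetup --debug prints a line such as
#   # Crypto backend (gcrypt 1.10.1) initialized in cryptsetup library version X.

# Read debug output on stdin; print the backend string, e.g. "gcrypt 1.10.1".
crypto_backend() {
  sed -n 's/^# Crypto backend (\([^)]*\)) initialized.*/\1/p' | head -n 1
}

# Read debug output on stdin.
# Returns 0 for libgcrypt, 1 for any other backend, 2 if no backend line is found.
uses_gcrypt() {
  case "$(crypto_backend)" in
    "")      return 2 ;;
    gcrypt*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Constructed sample lines (cryptsetup version and device are placeholders).
SAMPLE_GCRYPT='# cryptsetup 0.0.0 processing "cryptsetup --debug luksDump /dev/sdX1"
# Crypto backend (gcrypt 1.10.1) initialized in cryptsetup library version 0.0.0.'
SAMPLE_OPENSSL='# Crypto backend (OpenSSL 3.0.0 constructed) initialized in cryptsetup library version 0.0.0.'

# With a device argument, check the cryptsetup found in PATH against that device.
if [ "$#" -gt 0 ]; then
  status=0
  cryptsetup --debug luksDump "$1" 2>&1 | uses_gcrypt || status=$?
  case "$status" in
    0) echo "cryptsetup is using libgcrypt" ;;
    1) echo "cryptsetup is using a non-gcrypt backend" ;;
    *) echo "no crypto backend line found in debug output" ;;
  esac
fi
```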

