Hi Guix,

There is currently a bug in libgcrypt affecting cryptsetup, that can
cause it to fail to create and open containers in some cases:

https://gitlab.com/cryptsetup/cryptsetup/-/issues/922

I encountered this when using the Guix installer and trying to open and
retrieve stuff from some very old containers of mine. The issue linked
above specifies `--pbkdf argon2i`, but I can confirm it also happens if
the container was created with `--pbkdf pbkdf2`. The current packaged
version of libgcrypt is 1.10.1, so I can confirm that this issue goes
back at least that far.

While the issue is fixed upstream [1], the fix came after the 1.11.0
release. 1.11.0 was released only six months ago [2], so the next
release may not be for a while.

For now, you can work around this by building cryptsetup with openssl,
and using that:

--8<---------------cut here---------------start------------->8---
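;; Modules needed when this is used outside the Guix source tree,
;; e.g. in a system configuration file.
(use-modules (guix packages)            ; package, modify-inputs
             (guix utils)               ; substitute-keyword-arguments
             (gnu packages cryptsetup)  ; cryptsetup
             (gnu packages tls))        ; openssl

;; Variant of cryptsetup built against OpenSSL instead of libgcrypt.
(define-public cryptsetup-openssl
  (package
    (inherit cryptsetup)
    (name "cryptsetup-openssl")
    (arguments
     (substitute-keyword-arguments (package-arguments cryptsetup)
       ;; Swap the crypto backend flag; leave all other flags untouched.
       ((#:configure-flags flags ''())
        `(map
          (lambda (s)
            (if (equal? s "--with-crypto_backend=gcrypt")
                "--with-crypto_backend=openssl"
                s))
          ,flags))))
    ;; 'delete' in modify-inputs takes input names as strings.
    (inputs (modify-inputs (package-inputs cryptsetup)
              (delete "libgcrypt")
              (append openssl)))))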
--8<---------------cut here---------------end--------------->8---

(I could send a patch to add this in Guix, but I'm currently waiting
either until my open patch [5] gets reviewed and into Guix, or to figure
out how to do an authenticated personal fork that I can apply my
not-yet-accepted patches to and pull from [3][4], before I contribute
new ones. Anyone who thinks this package makes sense in Guix is welcome
to do so themselves. Or you can just throw this into your system config,
like I did.)

At any rate - I'm sending this here because I found it really hard to
turn up that cryptsetup issue via a web search, and then to realize that
it's relevant to me. I haven't seen it reported in any of the popular
Linux or distro-specific forums, probably because most distros build
cryptsetup with openssl. Hopefully this helps with that. I nearly gave
up on installing Guix because of it.

Good luck,
45mg

[1] https://dev.gnupg.org/rC28327dba6b5ffae4a5e33da827fe0e2b48e99adb
[2] https://dev.gnupg.org/rC9d94d7846cde272b8b1519ba96e53967bf0b90d2
[3] https://lists.gnu.org/archive/html/help-guix/2023-09/msg00010.html
[4] https://lists.gnu.org/archive/html/help-guix/2025-01/msg00093.html
[5] https://issues.guix.gnu.org/75145
