1

I have an almost fresh Kali linux installation in an Hyper-V virtual machine. It is configured with hard disk encryption during installation.

After some working days, I reduced the amount of RAM memory reserved for the VM, but when I boot up the reconfigured machine, the password used to decrypt the hard drive is reported as invalid.

The reported error is:

cryptsetup: ERROR: sdaX_crypt: cryptsetup failed, bad password or options?

If I undo the configuration change the password is valid again...

Does exist a relation between the LUKS decryption algorithm and the machine memory size? It doesn't have sense, in my opinion.

Which can be the reason?

Thanks in advance.

MarMarAba
  • 13
  • 2
  • the message does not say that only the password is wrong ... it says that options may also be the cause of the failure – jsotola Nov 04 '21 at 03:56

1 Answers1

1

LUKS2 by default uses the argon2 key derivation function which is so called memory hard -- it intentionally uses a lot of RAM (up to 1 GiB with cryptsetup) when unlocking the device to prevent brute force attacks on GPUs. Exact amount of RAM it requires depends on the amount of RAM you have when creating the LUKS device so if you reduce the amount of RAM later you won't be able to unlock it.

You can change it using cryptsetup luksChangeKey <device> (which is usually used to change the password but it also allows changing the key derivation function) either with --pbkdf-memory <RAM in kilobytes> to lower the argon2 required memory or with --pbkdf pbkdf2 to use the older PBKDF2 key derivation function that doesn't use memory at all.

Vojtech Trefny
  • 16,922
  • 6
  • 24
  • 48