singularity
Decryption can fail on devices with low RAM
Version of Singularity:
master
Expected behavior
An encrypted SIF created on a machine with a lot of RAM can be used on a device with significantly less RAM.
Actual behavior
According to https://gitlab.com/cryptsetup/cryptsetup/issues/372 the RAM requirement of the Argon2i PBKDF will be set partly according to how much RAM is on the machine that creates a LUKS2 container...
I set default 1G required memory but it is trimmed by half of available physical memory - but I guess you format the device on different system with more memory available.
If you make an encrypted container on e.g. a Raspberry Pi4 with 2GB RAM it cannot be used on e.g. a Pi Zero with 512MB of RAM. An OOM for cryptsetup can be seen.
Steps to reproduce behavior
Use an encrypted container on a device with...
- < 2GB RAM
- significantly less RAM than was on the machine that created the container
Notes
You can use cryptsetup --help to see how much RAM will be needed by the function if you are creating a LUKS2 volume on that host.
My desktop will create volumes requiring 1GB. The Raspberry Pi4 with 2GB is the same:
Default PBKDF for LUKS2: argon2i
Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4
The Pi Zero and RPi3 will fail to open these.
From the issue upstream, the maintainer replies...
Solution is simple, either
- switch to LUKS1 (as you did), or
- use LUKS2, but switch to PBKDF2 (that is used in LUKS1), just add "--pbkdf pbkdf2" option to luksFormat (or to any command that creates keyslots), or
- use LUKS2 but decrease number of memory for Argon2i function, for example to use up to 256kB, just add "--pbkdf-memory 256".
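The check described in the Notes above, as an added example that is not part of the original issue or of Singularity or cryptsetup: it reads the "Memory required" figure from `cryptsetup --help` text and compares it with the target device's MemTotal. The function names, the sample meminfo values and the half-of-RAM budget are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the issue): will a LUKS2 Argon2i memory cost chosen
# on the build host fit on a smaller target device?

# Constructed inputs: the --help lines quoted in the issue, and a made-up
# /proc/meminfo excerpt for a 512MB-class board.
HELP_SAMPLE='Default PBKDF for LUKS2: argon2i
Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4'
MEMINFO_SAMPLE='MemTotal:         443080 kB
MemFree:          120000 kB'

# Print the PBKDF memory cost in kB from `cryptsetup --help` text on stdin.
pbkdf_memory_kb() {
    sed -n 's/.*Memory required: \([0-9][0-9]*\)kB.*/\1/p' | head -n 1
}

# Print MemTotal in kB from /proc/meminfo-style text on stdin.
mem_total_kb() {
    awk '$1 == "MemTotal:" { print $2; exit }'
}

# Assumed budget: half of the target's RAM, following the maintainer's remark
# about trimming; this is a heuristic, not cryptsetup's exact calculation.
budget_kb() {
    echo $(( $1 / 2 ))
}

# check_target HELP_TEXT MEMINFO_TEXT -> prints "ok", "unparsed", or
# "too-large <budget>", where <budget> is a candidate --pbkdf-memory value (kB).
check_target() {
    need=$(printf '%s\n' "$1" | pbkdf_memory_kb)
    total=$(printf '%s\n' "$2" | mem_total_kb)
    if [ -z "$need" ] || [ -z "$total" ]; then
        echo "unparsed"; return 0
    fi
    budget=$(budget_kb "$total")
    if [ "$need" -le "$budget" ]; then
        echo "ok"
    else
        echo "too-large $budget"
    fi
}

check_target "$HELP_SAMPLE" "$MEMINFO_SAMPLE"
```

On a real build host the first argument would be the output of `cryptsetup --help` and the second the target's `/proc/meminfo`. Lowering the Argon2i memory cost to fit a small device also lowers the cost of offline passphrase guessing, so the passphrase strength matters more for such containers.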
Hello,
This is a templated response that is being sent out to all open issues. We are working hard on 'rebuilding' the Singularity community, and a major task on the agenda is finding out what issues are still outstanding.
Please consider the following:
- Is this issue a duplicate, or has it been fixed/implemented since being added?
- Is the issue still relevant to the current state of Singularity's functionality?
- Would you like to continue discussing this issue or feature request?
Thanks, Carter
This issue has been automatically marked as stale because it has not had activity in over 60 days. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.
@dtrudg Are you still getting this problem? Has this been solved already? If yes, what workaround have you followed and applied?
We're looking into the issue carefully, and will soon bring it to the community and discuss ways to better solve as well as address this. Thank you for keeping the interest in the subject.
Migrated to the new Apptainer repo https://github.com/apptainer/apptainer/issues/1158