Decryption can fail on devices with low RAM

Open dtrudg opened this issue 4 years ago • 4 comments

Version of Singularity:

master

Expected behavior

An encrypted SIF created on a machine with a lot of RAM can be used on a device with significantly less RAM.

Actual behavior

According to https://gitlab.com/cryptsetup/cryptsetup/issues/372 the RAM requirement of the Argon2i PBKDF will be set partly according to how much RAM is on the machine that creates a LUKS2 container...

I set default 1G required memory but it is trimmed by half of available physical memory - but I guess you format the device on different system with more memory available.

If you make an encrypted container on an e.g. Raspberry Pi4 with 2GB RAM it cannot be used on e.g. a Pi Zero with 512MB of RAM. An OOM for cryptsetup can be seen.

Steps to reproduce behavior

Use an encrypted container on a device with...

  • < 2GB RAM
  • significantly less RAM than was on the machine that created the container

Notes

You can use cryptsetup --help to see how much RAM will be needed by the function if you are creating a LUKS2 volume on that host.

My desktop will create volumes requiring 1GB. The Raspberry Pi4 with 2GB is the same:

Default PBKDF for LUKS2: argon2i
	Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4

The Pi Zero and RPi3 will fail to open these.

dtrudg, Aug 08 '19 13:08

From the issue upstream, the maintainer replies...

Solution is simple, either

  • switch to LUKS1 (as you did), or
  • use LUKS2, but switch to PBKDF2 (that is used in LUKS1), just add "--pbkdf pbkdf2" option to luksFormat (or to any command that creates keyslots), or
  • use LUKS2 but decrease number of memory for Argon2i function, for example to use up to 256kB, just add "--pbkdf-memory 256".

dtrudg, Aug 08 '19 13:08
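A pre-deployment check for the mismatch described in this issue, as an added example that is not part of the original thread or of Singularity's code: it reads the keyslot KDF parameters from LUKS2 JSON metadata and compares the Argon2 memory cost with a target device's MemTotal. The sample metadata and meminfo text are constructed, the function names are hypothetical, and the 0.5 budget fraction is an assumption borrowed from the format-time cap quoted above.

```python
import json

# Constructed sample: trimmed LUKS2 JSON metadata (the format printed by
# `cryptsetup luksDump --dump-json-metadata`) with two keyslots.
SAMPLE_METADATA = """
{
  "keyslots": {
    "0": {"type": "luks2",
          "kdf": {"type": "argon2i", "time": 4, "memory": 1048576, "cpus": 4}},
    "1": {"type": "luks2",
          "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000000}}
  }
}
"""

# Constructed sample: start of /proc/meminfo on a 512 MB device.
SAMPLE_MEMINFO = "MemTotal:         524288 kB\nMemFree:          301234 kB\n"


def mem_total_kib(meminfo_text):
    """Return MemTotal (in kB as the kernel reports it) from meminfo text."""
    for line in meminfo_text.splitlines():
        if line.startswith("MemTotal:"):
            return int(line.split()[1])
    raise ValueError("MemTotal not found")


def keyslot_report(metadata_json, target_kib, budget_fraction=0.5):
    """Map keyslot id -> KDF type, memory cost and 'ok' / 'too-large'."""
    # Assumption: a slot is only safe to open if its memory cost fits in
    # budget_fraction of the target's RAM.
    budget = int(target_kib * budget_fraction)
    report = {}
    slots = json.loads(metadata_json).get("keyslots", {})
    for slot, ks in sorted(slots.items()):
        kdf = ks.get("kdf", {})
        kdf_type = kdf.get("type", "")
        # Only Argon2 variants carry a memory cost; PBKDF2 has none.
        need = kdf.get("memory", 0) if kdf_type.startswith("argon2") else 0
        status = "too-large" if need > budget else "ok"
        report[slot] = {"kdf": kdf_type, "need_kib": need, "status": status}
    return report


if __name__ == "__main__":
    target = mem_total_kib(SAMPLE_MEMINFO)
    for slot, info in keyslot_report(SAMPLE_METADATA, target).items():
        print(slot, info)
```

On a real device, pass the contents of /proc/meminfo from the smallest machine that must open the container, and re-create any flagged keyslot with one of the options listed in the maintainer's reply.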

Hello,

This is a templated response that is being sent out to all open issues. We are working hard on 'rebuilding' the Singularity community, and a major task on the agenda is finding out what issues are still outstanding.

Please consider the following:

  1. Is this issue a duplicate, or has it been fixed/implemented since being added?
  2. Is the issue still relevant to the current state of Singularity's functionality?
  3. Would you like to continue discussing this issue or feature request?

Thanks, Carter

carterpeel, May 15 '21 16:05

This issue has been automatically marked as stale because it has not had activity in over 60 days. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

stale[bot], Jul 14 '21 22:07

@dtrudg Are you still getting this problem? Has this been solved already? If yes, what workaround have you followed and applied?

We're looking into the issue carefully, and will soon bring it to the community to discuss ways to better solve as well as address this. Thank you for keeping the interest in the subject.

pedroalvesbatista, Jul 16 '21 01:07

Migrated to the new Apptainer repo https://github.com/apptainer/apptainer/issues/1158

kmuriki, Mar 06 '23 03:03