Getting VeraCrypt running on a custom build Kernel

Having your own compiled Linux Kernel is a nice thing for various reasons. First, you are not stuck with the (depending on your distribution, possibly outdated) Kernel versions your distribution provides, and you can highly customize your experience. Some people want to have a super-fast lightweight Kernel; I'm more on the other side of the spectrum. But that's a matter of flavor.

A side-effect is that you learn a lot more about Linux - inevitably issues will arise, from KVM not working (upcoming post) because of iptables issues to VeraCrypt not being able to operate with Kernel support.


Getting your custom Kernel ready for VeraCrypt

I encountered the following error:

device-mapper: reload ioctl on veracrypt1 failed: Invalid argument
Command failed

I started with that. ioctl-based errors normally are a good indicator that something in your Kernel configuration is either missing or misconfigured.
In this case it was the missing support for crypt targets in the device mapper (I suppose).

Fortunately the Gentoo forums provide some very useful information. Make sure you have configured the following options in your Kernel:

Device Drivers --->
    [*] Multiple devices driver support (RAID and LVM) --->
        <*> Device mapper support
        <*>   Crypt target support
    [*] Block Devices --->
        <*> Loopback device support
File systems --->
    <*> FUSE (Filesystem in Userspace) support
[*] Cryptographic API --->
    <*> RIPEMD-160 digest algorithm
    <*> SHA384 and SHA512 digest algorithms
    <*> Whirlpool digest algorithms
    <*> LRW support
    <*> XTS support
    <*> AES cipher algorithms
    <*> Serpent cipher algorithm
    <*> Twofish cipher algorithm

Re-build your Kernel, and everything should work fine 🙂
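Before spending time on a rebuild it is worth checking whether the running or to-be-built config already has all of the options above. The following shell script is an added example and not part of the original post: it maps the menuconfig labels from the post to their Kconfig symbols (the label-to-symbol mapping is supplied here, the post only gives the menu labels), checks a .config file for each symbol being either built in (=y) or a module (=m), and reports what is missing. The two sample config files it creates are constructed for the demo and are not real kernel configs.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a kernel .config
# enables every option the post lists before rebuilding.
# Kconfig symbols for the menuconfig entries in the post (mapping supplied here):
VERACRYPT_KCONFIG="CONFIG_MD CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_BLK_DEV_LOOP \
CONFIG_FUSE_FS CONFIG_CRYPTO_RMD160 CONFIG_CRYPTO_SHA512 CONFIG_CRYPTO_WP512 \
CONFIG_CRYPTO_LRW CONFIG_CRYPTO_XTS CONFIG_CRYPTO_AES CONFIG_CRYPTO_SERPENT \
CONFIG_CRYPTO_TWOFISH"

# Usage: check_kernel_config <path to .config>
# Prints each required option that is neither =y nor =m and returns 1 if
# anything is missing, 0 when the config is complete. The pattern is anchored
# on both sides so CONFIG_MD does not match CONFIG_MD_RAID1 and so on.
check_kernel_config() {
    cfg="$1"
    missing=0
    for opt in $VERACRYPT_KCONFIG; do
        if ! grep -q -E "^${opt}=(y|m)$" "$cfg"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    return $missing
}

# Number of required options missing from the given config.
count_missing() {
    check_kernel_config "$1" | wc -l | tr -d ' '
}

# Constructed sample configs for the demo (not real kernel configs).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_COMPLETE="$DEMO_DIR/complete.config"
DEMO_INCOMPLETE="$DEMO_DIR/incomplete.config"

cat > "$DEMO_COMPLETE" <<'EOF'
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_BLK_DEV_LOOP=y
CONFIG_FUSE_FS=m
CONFIG_CRYPTO_RMD160=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_WP512=y
CONFIG_CRYPTO_LRW=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_SERPENT=m
CONFIG_CRYPTO_TWOFISH=m
EOF

# Same as above, but the crypt target is disabled and Whirlpool is absent:
# exactly the kind of config that produces the "reload ioctl" error.
cat > "$DEMO_INCOMPLETE" <<'EOF'
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
# CONFIG_DM_CRYPT is not set
CONFIG_BLK_DEV_LOOP=y
CONFIG_FUSE_FS=m
CONFIG_CRYPTO_RMD160=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_LRW=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_NI_INTEL=y
CONFIG_CRYPTO_SERPENT=m
CONFIG_CRYPTO_TWOFISH=m
EOF

# Demo run over the constructed files. For a real kernel, point the function at
# /boot/config-$(uname -r) or at the output of "zcat /proc/config.gz".
for f in "$DEMO_COMPLETE" "$DEMO_INCOMPLETE"; do
    if check_kernel_config "$f"; then
        echo "$f: all VeraCrypt-related options enabled"
    else
        echo "$f: rebuild needed"
    fi
done
```

Reading /proc/config.gz only works when the running kernel was built with CONFIG_IKCONFIG_PROC; otherwise use the .config from the kernel source tree you are about to build, which is where the fix has to go anyway.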

SHA-1 is dead

SHA-1, the old secure hashing algorithm, is now broken in practice. See the Google Security blog post on the first SHA-1 collision.

SHA-1 was already theoretically broken in 2005, when Prof. Xiaoyun Wang announced a differential attack. By 2010 NIST had decided to announce SHA-1 as deprecated.

SHA-1 is still in use in BitTorrent and on some https sites. As far as I know, Chrome is currently the only browser that considers SHA-1 signed certificates as not secure. Firefox is about to phase it out as well, and Edge wants to do this in the middle of this year.

BitTorrent uses SHA-1 as well. Since we now have the first proven collision, this could become interesting in lawsuits coming from the content industry ...


SHA-1 is proven broken and must not be used anymore.