LUKS : the Linux encryption standard
Posted on July 21, 2022 • 4 minutes • 657 words • Other languages: Français
In this article I will introduce LUKS, for Linux Unified Key Setup, which is the encryption standard for GNU/Linux based systems. Of course there are alternatives, but we can still talk about LUKS as a must.
In our example, we use Debian 11. I recommend you to use LVM to manage your partitions and especially if there is encryption. But you can use physical partitions on your disks if you wish.
- Create the logical volume
datasLuksin the volume groupVG1:
lvcreate -L 500M -n datasLuksLV VG1
- Preparation of the LUKS container :
cryptsetup luksFormat /dev/VG1/datasLuksLV
You can specify various options available in the cryptsetup man. However, the default options are state of the art if your distribution is recent and your version of cryptsetup.
It is at this stage that you must choose the passphrase that will allow you to decrypt the score. Do yourself a favor on random generation: at least 150 bits of entropy for this passphrase that will protect your data. Store it in your password manager.
Note that you can put up to 8 different keys/passphrases because there are 8 slots (to have different passphrases for different users for example).
- Opening the LUKS container:
cryptsetup luksOpen /dev/VG1/datasLuksLV datasLuks
- Let’s put a file system in place in this container :
mkfs.ext4 /dev/mapper/datasLuks
- Finally, we mount the file system :
mount /dev/mapper/datasLuks /mnt/datasLuks
You are then free to adapt your fstab. Your encrypted partition is now ready for use 👍
LUKS header management
The LUKS header contains the metadata needed to decrypt the partition:
- the LUKS version
- the cryptographic suite used and its mode
- the hash algorithm used for the passphrase
- the UUID of the device
- etc.
The header is placed at the beginning of the partition, if it is lost or unreadable (due to a faulty disk sector for example) then your entire encrypted partition will be lost because it will no longer be openable.
The LUKS header must be saved as well as your passphrase
Show LUKS header
Here is the output of the command cryptsetup luksDump /dev/VG1/datasLuksLV :
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 66490eef-77e1-4271-ba81-ab70466a3962
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2i
Time cost: 18
Memory: 242178
Threads: 2
Salt: 83 a5 d8 a1 24 c6 7d db 8b 18 51 51 8a f7 3c 2a
e6 cd 37 e3 24 2b 9f 13 77 ee 6c 16 14 9e cd ed
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 125547
Salt: ba 52 04 a7 cd 7e 7d b1 51 28 c9 35 b8 8f 03 ac
09 43 97 03 01 16 ad d3 b6 3c 5d d3 7b 3a 44 d0
Digest: 9c de 6f c5 4d b7 c5 35 86 4a ac c3 ea 64 36 3c
8a 49 8d fe 0f 16 35 9e 2d 1c e2 8d 79 70 20 6a
Save the LUKS header
cryptsetup luksHeaderBackup /dev/VG1/datasLuksLV --header-backup-file headerLuks.backup
Restore the LUKS header
cryptsetup luksHeaderRestore /dev/VG1/datasLuksLV --header-backup-file headerLuks.backup
Delete the LUKS header
It is possible to delete the header and thus make the data permanently inaccessible if there is no backup. This can also be useful if the data in this header is corrupted and you want to restore it.
cryptsetup luksErase /dev/VG1/datasLuksLV
You now have the basics to encrypt your partitions with LUKS. In my next article, I will present you :
- A bash script to automate the remounting of your encrypted partitions after a reboot.
- A bash script to alert in case of unmounted encrypted partition on a server.
UPDATE 12/08/2022: I just put the article online, click here !
Resources :