Raven - Blog
July 21, 2022

LUKS : the Linux encryption standard

Posted on July 21, 2022  •  4 minutes  • 707 words  • Other languages:  Français

In this article I will introduce LUKS, for Linux Unified Key Setup, which is the encryption standard for GNU/Linux based systems. Of course there are alternatives, but we can still talk about LUKS as a must.

In our example, we use Debian 11. I recommend you to use LVM to manage your partitions and especially if there is encryption. But you can use physical partitions on your disks if you wish.

1

lvcreate -L 500M -n datasLuksLV VG1

1

cryptsetup luksFormat /dev/VG1/datasLuksLV

You can specify various options available in the cryptsetup man. However, the default options are state of the art if your distribution is recent and your version of cryptsetup.

It is at this stage that you must choose the passphrase that will allow you to decrypt the score. Do yourself a favor on random generation: at least 150 bits of entropy for this passphrase that will protect your data. Store it in your password manager.

Note that you can put up to 8 different keys/passphrases because there are 8 slots (to have different passphrases for different users for example).

1

cryptsetup luksOpen /dev/VG1/datasLuksLV datasLuks

1

mkfs.ext4 /dev/mapper/datasLuks

1

mount /dev/mapper/datasLuks /mnt/datasLuks

You are then free to adapt your fstab. Your encrypted partition is now ready for use 👍

LUKS header management

The LUKS header contains the metadata needed to decrypt the partition:

The header is placed at the beginning of the partition, if it is lost or unreadable (due to a faulty disk sector for example) then your entire encrypted partition will be lost because it will no longer be openable.

The LUKS header must be saved as well as your passphrase

Show LUKS header

Here is the output of the command cryptsetup luksDump /dev/VG1/datasLuksLV :

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	66490eef-77e1-4271-ba81-ab70466a3962
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2i
	Time cost:  18
	Memory:     242178
	Threads:    2
	Salt:       83 a5 d8 a1 24 c6 7d db 8b 18 51 51 8a f7 3c 2a
	            e6 cd 37 e3 24 2b 9f 13 77 ee 6c 16 14 9e cd ed
	AF stripes: 4000
	AF hash:    sha256
	Area offset:32768 [bytes]
	Area length:258048 [bytes]
	Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: 125547
	Salt:       ba 52 04 a7 cd 7e 7d b1 51 28 c9 35 b8 8f 03 ac
	            09 43 97 03 01 16 ad d3 b6 3c 5d d3 7b 3a 44 d0
	Digest:     9c de 6f c5 4d b7 c5 35 86 4a ac c3 ea 64 36 3c
	            8a 49 8d fe 0f 16 35 9e 2d 1c e2 8d 79 70 20 6a

Save the LUKS header

1

cryptsetup luksHeaderBackup /dev/VG1/datasLuksLV --header-backup-file headerLuks.backup

Restore the LUKS header

1

cryptsetup luksHeaderRestore /dev/VG1/datasLuksLV --header-backup-file headerLuks.backup

Delete the LUKS header

It is possible to delete the header and thus make the data permanently inaccessible if there is no backup. This can also be useful if the data in this header is corrupted and you want to restore it.

1

cryptsetup luksErase /dev/VG1/datasLuksLV

You now have the basics to encrypt your partitions with LUKS. In my next article, I will present you :

UPDATE 12/08/2022: I just put the article online, click here!

Resources :

Follow me

Subscribe to my RSS feed !