LUKS: the Linux encryption standard
Posted on July 21, 2022 • 4 minutes • 707 words • Other languages: Français
In this article I will introduce LUKS, Linux Unified Key Setup, the disk encryption standard for GNU/Linux based systems. Of course there are alternatives, but LUKS remains the one you must know.
In this example we use Debian 11. I recommend using LVM to manage your partitions, especially when encryption is involved, but you can use physical partitions on your disks if you prefer.
- Create the logical volume datasLuks in the volume group VG1:
- Prepare the LUKS container:
You can specify the various options listed in the cryptsetup man page. However, the defaults are state of the art as long as your distribution and your version of cryptsetup are recent.
It is at this stage that you choose the passphrase that will allow you to decrypt the partition. Generate it randomly: at least 150 bits of entropy for the passphrase that protects your data. Store it in your password manager.
Note that you can register up to 8 different keys or passphrases, because there are 8 key slots (for example to give each user their own passphrase).
- Open the LUKS container:
- Create a file system inside the container:
- Finally, mount the file system:
You are then free to adapt your fstab. Your encrypted partition is now ready for use 👍
LUKS header management
The LUKS header contains the metadata needed to decrypt the partition:
- the LUKS version
- the cryptographic suite used and its mode
- the hash algorithm used for the passphrase
- the UUID of the device
- etc.
The header is placed at the beginning of the partition. If it is lost or unreadable (because of a faulty disk sector, for example), your entire encrypted partition is lost, because it can no longer be opened.
The LUKS header must be backed up, along with your passphrase.
Show the LUKS header
Here is the output of the command cryptsetup luksDump /dev/VG1/datasLuksLV:
Save the LUKS header
Restore the LUKS header
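Before relying on a header backup, or restoring it over a damaged header, it is worth checking the backup file offline. The following Python script is an added example (not the article's code): it reads the file written by cryptsetup luksHeaderBackup and reports the fields listed above, for both LUKS1 and LUKS2 headers, and rejects a file whose magic or key-slot markers look damaged. The build_luks1_header helper is an assumption of this example, constructing a synthetic LUKS1 header with zeroed key material for testing.

```python
"""Offline check of a LUKS header backup: version, cipher, hash, UUID, key slots.
Constructed example following the LUKS1/LUKS2 on-disk layouts; not the article's code."""
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208-byte fixed part
LUKS1_SLOT = struct.Struct(">II32sII")                  # 48 bytes; 8 slots follow
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD      # LUKS1 slot state markers


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks_header(hdr: bytes) -> dict:
    """Describe a LUKS1 or LUKS2 header; raise ValueError if it looks damaged."""
    if hdr[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header (bad magic)")
    version = struct.unpack(">H", hdr[6:8])[0]
    if version == 1:
        f = LUKS1_HDR.unpack_from(hdr, 0)
        slots = [LUKS1_SLOT.unpack_from(hdr, LUKS1_HDR.size + LUKS1_SLOT.size * i)
                 for i in range(8)]
        for i, s in enumerate(slots):  # any other marker means a damaged slot
            if s[0] not in (KEY_ENABLED, KEY_DISABLED):
                raise ValueError("key slot %d has corrupt marker 0x%08x" % (i, s[0]))
        return {"version": 1, "cipher": _cstr(f[2]) + "-" + _cstr(f[3]),
                "hash": _cstr(f[4]), "uuid": _cstr(f[10]),
                "active_slots": [i for i, s in enumerate(slots) if s[0] == KEY_ENABLED]}
    if version == 2:  # 4096-byte binary header, then a NUL-padded JSON area
        hdr_size = struct.unpack(">Q", hdr[8:16])[0]
        meta = json.loads(hdr[4096:hdr_size].rstrip(b"\0"))
        seg = next(iter(meta["segments"].values()))   # data segment: cipher-mode-iv
        dig = next(iter(meta["digests"].values()))    # digest hash, as luksDump shows
        return {"version": 2, "cipher": seg["encryption"], "hash": dig["hash"],
                "uuid": _cstr(hdr[168:208]),
                "active_slots": sorted(int(k) for k in meta["keyslots"])}
    raise ValueError("unsupported LUKS version %d" % version)


def build_luks1_header(uuid: str, active=(0,)) -> bytes:
    """Constructed LUKS1 header for testing (zeroed key material, fake offsets)."""
    head = LUKS1_HDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                          b"\0" * 20, b"\0" * 32, 1000, uuid.encode())
    slots = b"".join(LUKS1_SLOT.pack(KEY_ENABLED if i in active else KEY_DISABLED,
                                      1000, b"\0" * 32, 8 + 504 * i, 4000)
                     for i in range(8))
    return head + slots
```

Run parse_luks_header on the bytes of your backup file and compare the result with the cryptsetup luksDump output of the live device before you count on the backup.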
Delete the LUKS header
It is possible to erase the header, which makes the data permanently inaccessible if no backup exists. This can also be useful when the header is corrupted and you want to restore it from a backup.
You now have the basics to encrypt your partitions with LUKS. In my next article, I will present:
- A bash script to automate remounting your encrypted partitions after a reboot.
- A bash script to alert when an encrypted partition is not mounted on a server.
UPDATE 12/08/2022: I just put the article online, click here!