LUKS: Difference between revisions

(8 intermediate revisions by the same user not shown)

Line 16:

# Setup encryption

cryptsetup -v --type luks2 -~~-cipher aes-xts-plain64 --key-size 512 --hash sha512 \~~

cryptsetup --type luks2 -v luksFormat "${DEVICE}"

~~--iter-time 5000 --use-urandom --verify-passphrase~~ luksFormat "${DEVICE}"

# Open encrypted drive to /dev/mapper/$NAME

Line 24:

Line 23:

# Create a partition

mkfs.btrfs /dev/mapper/${NAME}

# Create a mountpoint and mount

mkdir -p /media/${NAME}

mount -t btrfs /dev/mapper/${NAME} /media/${NAME}

Line 31:

Line 33:

===Mounting===

<~~pre~~>

# Open the encrypted drive

cryptsetup open "${DEVICE}" "${NAME}"

# Mount your partition

mount -t btrfs /dev/mapper/${NAME} "${MOUNT_LOCATION}"

</~~pre~~>

</syntaxhighlight>

===Unmounting===

<~~pre~~>

# Unmount your partition

umount "${MOUNT_LOCATION}"

# Close the decrypted drive

cryptsetup close ${NAME}

</~~pre~~>

</syntaxhighlight>

===Encrpytion Options===

Line 51:

Line 53:

* <code>--type</code> [https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_with_dm-crypt options]

** <code>luks</code> defaults to <code>luks1</code> on cryptsetup < 2.1.0, <code>luks2</code> on cryptsetup >= 2.1.0

** <code>luks1</code> is the ~~standard~~ version of LUKS.

** <code>luks1</code> is the old version of LUKS.

** <code>luks2</code> is ~~a new~~ version released in Dec 2017. Older versions of Grub (before 2.06 or June 2020) do not support booting from LUKS2.

** <code>luks2</code> is the current version released in Dec 2017. Older versions of Grub (before 2.06 or June 2020) do not support booting from LUKS2.

** <code>plain</code> is dm-crypt plain mode. Avoid this unless you know what you're doing.

** <code>loopaes</code> Avoid this as well.

Line 74:

Line 76:

</pre>

{{ hidden | Example Output |

{{ hidden | Example Output (i7-12700K) |

<pre>

# Tests are approximate using memory only (no storage IO).

PBKDF2-sha1 ~~1213629~~ iterations per second for 256-bit key

PBKDF2-sha1 3057072 iterations per second for 256-bit key

PBKDF2-sha256 ~~1524093~~ iterations per second for 256-bit key

PBKDF2-sha256 6452775 iterations per second for 256-bit key

PBKDF2-sha512 ~~1082121~~ iterations per second for 256-bit key

PBKDF2-sha512 2432890 iterations per second for 256-bit key

PBKDF2-ripemd160 ~~648069~~ iterations per second for 256-bit key

PBKDF2-ripemd160 1289761 iterations per second for 256-bit key

PBKDF2-whirlpool ~~421453~~ iterations per second for 256-bit key

PBKDF2-whirlpool 1148495 iterations per second for 256-bit key

argon2i 4 iterations, ~~875179~~ memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)

argon2i 13 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)

argon2id 4 iterations, ~~889195~~ memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)

argon2id 13 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)

# Algorithm | Key | Encryption | Decryption

aes-cbc 128b ~~542~~.7 MiB/s ~~2192~~.7 MiB/s

aes-cbc 128b 1976.6 MiB/s 7781.1 MiB/s

serpent-cbc 128b 67.3 MiB/s ~~459~~.9 MiB/s

serpent-cbc 128b 136.8 MiB/s 993.0 MiB/s

twofish-cbc 128b ~~140~~.6 MiB/s ~~285~~.8 MiB/s

twofish-cbc 128b 291.3 MiB/s 646.8 MiB/s

aes-cbc 256b ~~405~~.3 MiB/s ~~1701~~.8 MiB/s

aes-cbc 256b 1507.6 MiB/s 6406.3 MiB/s

serpent-cbc 256b 71.6 MiB/s ~~459~~.5 MiB/s

serpent-cbc 256b 138.2 MiB/s 984.0 MiB/s

twofish-cbc 256b ~~146~~.6 MiB/s ~~287~~.1 MiB/s

twofish-cbc 256b 295.3 MiB/s 647.1 MiB/s

aes-xts 256b ~~1421~~.6 MiB/s ~~1449~~.2 MiB/s

aes-xts 256b 6021.9 MiB/s 5909.9 MiB/s

serpent-xts 256b ~~455~~.9 MiB/s ~~444~~.0 MiB/s

serpent-xts 256b 855.7 MiB/s 887.4 MiB/s

twofish-xts 256b ~~284~~.2 MiB/s ~~286~~.3 MiB/s

twofish-xts 256b 597.8 MiB/s 608.0 MiB/s

aes-xts 512b ~~1187~~.2 MiB/s ~~1177~~.9 MiB/s

aes-xts 512b 5521.2 MiB/s 5505.7 MiB/s

serpent-xts 512b ~~454~~.7 MiB/s ~~446~~.1 MiB/s

serpent-xts 512b 870.2 MiB/s 897.9 MiB/s

twofish-xts 512b ~~284~~.9 MiB/s ~~286~~.5 MiB/s

twofish-xts 512b 602.9 MiB/s 607.1 MiB/s

</pre>

}}

Line 114:

Line 116:

;Benchmark<ref>[https://www.reddit.com/r/crypto/comments/b3we04/aesadiantum_new_mode_in_linux_kernel_5/ https://www.reddit.com/r/crypto/comments/b3we04/aesadiantum_new_mode_in_linux_kernel_5/]</ref>

<pre>

cryptsetup benchmark -c xchacha12,aes-adiantum ~~-s 512~~

cryptsetup benchmark -c xchacha12,aes-adiantum

</pre>

@@ Line 16: / Line 16: @@
 # Setup encryption
-cryptsetup -v --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
+cryptsetup --type luks2 -v luksFormat "${DEVICE}"
-           --iter-time 5000 --use-urandom --verify-passphrase luksFormat "${DEVICE}"
 # Open encrypted drive to /dev/mapper/$NAME
@@ Line 24: / Line 23: @@
 # Create a partition
 mkfs.btrfs /dev/mapper/${NAME}
+# Create a mountpoint and mount
+mkdir -p /media/${NAME}
 mount -t btrfs /dev/mapper/${NAME} /media/${NAME}
@@ Line 31: / Line 33: @@
 ===Mounting===
-<pre>
+<syntaxhighlight lang="bash">
 # Open the encrypted drive
 cryptsetup open "${DEVICE}" "${NAME}"
 # Mount your partition
 mount -t btrfs /dev/mapper/${NAME} "${MOUNT_LOCATION}"
-</pre>
+</syntaxhighlight>
 ===Unmounting===
-<pre>
+<syntaxhighlight lang="bash">
 # Unmount your partition
 umount "${MOUNT_LOCATION}"
 # Close the decrypted drive
 cryptsetup close ${NAME}
-</pre>
+</syntaxhighlight>
 ===Encrpytion Options===
@@ Line 51: / Line 53: @@
 * <code>--type</code> [https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_with_dm-crypt options]
 ** <code>luks</code> defaults to <code>luks1</code> on cryptsetup < 2.1.0, <code>luks2</code> on cryptsetup >= 2.1.0
-** <code>luks1</code> is the standard version of LUKS.
+** <code>luks1</code> is the old version of LUKS.
-** <code>luks2</code> is a new version released in Dec 2017. Older versions of Grub (before 2.06 or June 2020) do not support booting from LUKS2.
+** <code>luks2</code> is the current version released in Dec 2017. Older versions of Grub (before 2.06 or June 2020) do not support booting from LUKS2.
 ** <code>plain</code> is dm-crypt plain mode. Avoid this unless you know what you're doing.
 ** <code>loopaes</code> Avoid this as well.
@@ Line 74: / Line 76: @@
 </pre>
-{{ hidden | Example Output |
+{{ hidden | Example Output (i7-12700K) |
 <pre>
 # Tests are approximate using memory only (no storage IO).
-PBKDF2-sha1      1213629 iterations per second for 256-bit key
+PBKDF2-sha1      3057072 iterations per second for 256-bit key
-PBKDF2-sha256    1524093 iterations per second for 256-bit key
+PBKDF2-sha256    6452775 iterations per second for 256-bit key
-PBKDF2-sha512    1082121 iterations per second for 256-bit key
+PBKDF2-sha512    2432890 iterations per second for 256-bit key
-PBKDF2-ripemd160  648069 iterations per second for 256-bit key
+PBKDF2-ripemd160 1289761 iterations per second for 256-bit key
-PBKDF2-whirlpool  421453 iterations per second for 256-bit key
+PBKDF2-whirlpool 1148495 iterations per second for 256-bit key
-argon2i       4 iterations, 875179 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
+argon2i      13 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
-argon2id      4 iterations, 889195 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
+argon2id     13 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
 #     Algorithm |       Key |      Encryption |      Decryption
-         aes-cbc        128b       542.7 MiB/s      2192.7 MiB/s
+         aes-cbc        128b      1976.6 MiB/s      7781.1 MiB/s
-     serpent-cbc        128b        67.3 MiB/s       459.9 MiB/s
+     serpent-cbc        128b       136.8 MiB/s       993.0 MiB/s
-     twofish-cbc        128b       140.6 MiB/s       285.8 MiB/s
+     twofish-cbc        128b       291.3 MiB/s       646.8 MiB/s
-         aes-cbc        256b       405.3 MiB/s      1701.8 MiB/s
+         aes-cbc        256b      1507.6 MiB/s      6406.3 MiB/s
-     serpent-cbc        256b        71.6 MiB/s       459.5 MiB/s
+     serpent-cbc        256b       138.2 MiB/s       984.0 MiB/s
-     twofish-cbc        256b       146.6 MiB/s       287.1 MiB/s
+     twofish-cbc        256b       295.3 MiB/s       647.1 MiB/s
-         aes-xts        256b      1421.6 MiB/s      1449.2 MiB/s
+         aes-xts        256b      6021.9 MiB/s      5909.9 MiB/s
-     serpent-xts        256b       455.9 MiB/s       444.0 MiB/s
+     serpent-xts        256b       855.7 MiB/s       887.4 MiB/s
-     twofish-xts        256b       284.2 MiB/s       286.3 MiB/s
+     twofish-xts        256b       597.8 MiB/s       608.0 MiB/s
-         aes-xts        512b      1187.2 MiB/s      1177.9 MiB/s
+         aes-xts        512b      5521.2 MiB/s      5505.7 MiB/s
-     serpent-xts        512b       454.7 MiB/s       446.1 MiB/s
+     serpent-xts        512b       870.2 MiB/s       897.9 MiB/s
-     twofish-xts        512b       284.9 MiB/s       286.5 MiB/s
+     twofish-xts        512b       602.9 MiB/s       607.1 MiB/s
 </pre>
 }}
@@ Line 114: / Line 116: @@
 ;Benchmark<ref>[https://www.reddit.com/r/crypto/comments/b3we04/aesadiantum_new_mode_in_linux_kernel_5/ https://www.reddit.com/r/crypto/comments/b3we04/aesadiantum_new_mode_in_linux_kernel_5/]</ref>
 <pre>
-cryptsetup benchmark -c xchacha12,aes-adiantum -s 512
+cryptsetup benchmark -c xchacha12,aes-adiantum
 </pre>