LUKS: Difference between revisions

LUKS encryption

Getting Started

See Archwiki: dm-crypt/Device encryption.

Encrypting a device

• Setup encryption

cryptsetup -v --type luks --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
           --iter-time 3000 --use-urandom --verify-passphrase luksFormat <device>

• Open encrypted drive

cryptsetup open <device> <name>

• Create a partition

mkfs.fstype /dev/mapper/<name>
# E.g.
# mkfs.ext4 /dev/mapper/luksdrive1

• Securely wipe the unused portion of the drive
  • Do this to prevent cryptographic attacks and to overwrite existing data on the drive

dd if=/dev/zero of=<file_somewhere> status=progress
# Delete the file afterwards

Notes

• You can see defaults using cryptsetup --help.
• --type

Default compiled-in device cipher parameters:
	loop-AES: aes, Key 256 bits
	plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
	LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom

Mounting

# Open the encrypted drive
cryptsetup open <device> <name>
# Mount your partition
mount -t <fstype> /dev/mapper/<name> <mountlocation>

Unmounting

# Unmount your partition
umount <mountlocation>
# Close the decrypted drive
cryptsetup close <name>

Resources

• nixCraft How To Linux Hard Disk Encryption With LUKS