LUKS: Difference between revisions

From David's Wiki
Line 65: Line 65:
# Close the decrypted drive
# Close the decrypted drive
cryptsetup close <name>
cryptsetup close <name>
</pre>
==Benchmark==
<pre>
cryptsetup benchmark
</pre>
{{ hidden | Example Output |
<pre>
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1      1213629 iterations per second for 256-bit key
PBKDF2-sha256    1524093 iterations per second for 256-bit key
PBKDF2-sha512    1082121 iterations per second for 256-bit key
PBKDF2-ripemd160  648069 iterations per second for 256-bit key
PBKDF2-whirlpool  421453 iterations per second for 256-bit key
argon2i      4 iterations, 875179 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id      4 iterations, 889195 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
#    Algorithm |      Key |      Encryption |      Decryption
        aes-cbc        128b      542.7 MiB/s      2192.7 MiB/s
    serpent-cbc        128b        67.3 MiB/s      459.9 MiB/s
    twofish-cbc        128b      140.6 MiB/s      285.8 MiB/s
        aes-cbc        256b      405.3 MiB/s      1701.8 MiB/s
    serpent-cbc        256b        71.6 MiB/s      459.5 MiB/s
    twofish-cbc        256b      146.6 MiB/s      287.1 MiB/s
        aes-xts        256b      1421.6 MiB/s      1449.2 MiB/s
    serpent-xts        256b      455.9 MiB/s      444.0 MiB/s
    twofish-xts        256b      284.2 MiB/s      286.3 MiB/s
        aes-xts        512b      1187.2 MiB/s      1177.9 MiB/s
    serpent-xts        512b      454.7 MiB/s      446.1 MiB/s
    twofish-xts        512b      284.9 MiB/s      286.5 MiB/s
</pre>
}}
==Adiantum==
If you're running a device which does not support AES instructions (e.g. Raspberry Pi), you may be interested in Adiantum<ref name="adiantum">Google Blog: Introducing Adiantum: Encryption for the Next Billion Users [https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html]</ref>. 
Adiantum
;Creation
<pre>
cryptsetup -v --type luks2 --cipher xchacha12,aes-adiantum --sector-size 4096 \
          --key-size 256 --hash sha512 --iter-time 5000 --use-urandom \
          --verify-passphrase luksFormat <device>
</pre>
;Benchmark<ref>[https://www.reddit.com/r/crypto/comments/b3we04/aesadiantum_new_mode_in_linux_kernel_5/ https://www.reddit.com/r/crypto/comments/b3we04/aesadiantum_new_mode_in_linux_kernel_5/]</ref>
<pre>
cryptsetup benchmark -c xchacha12,aes-adiantum -s 512
</pre>
</pre>



Revision as of 05:03, 3 August 2020

LUKS encryption

Getting Started

See Archwiki: dm-crypt/Device encryption.

Encrypting a device

  • Setup encryption
cryptsetup -v --type luks1 --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
           --iter-time 5000 --use-urandom --verify-passphrase luksFormat <device>
  • Open encrypted drive
cryptsetup open <device> <name>
  • Create a partition
mkfs.fstype /dev/mapper/<name>
# E.g.
# mkfs.ext4 /dev/mapper/luksdrive1
  • Securely wipe the unused portion of the drive
    • Do this to prevent cryptographic attacks and to overwrite existing data on the drive
dd if=/dev/zero of=<file_somewhere> status=progress
# Delete the file afterwards


Notes
  • You can see defaults using cryptsetup --help.
  • --type options
    • luks defaults to luks1 on cryptsetup < 2.1.0, luks2 on cryptsetup >= 2.1.0
    • luks1 is the standard version of LUKS.
    • luks2 is a new version released in Dec 2017. Older versions of Grub (before 2.06 or June 2020) do not support booting from LUKS2.
    • plain is dm-crypt plain mode. Avoid this unless you know what you're doing.
    • loopaes Avoid this as well.
    • tcrypt Use this for mounting older truecrypt volumes.
defaults

defaults on Ubuntu 18.04

Default compiled-in device cipher parameters:
	loop-AES: aes, Key 256 bits
	plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
	LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom

Mounting

# Open the encrypted drive
cryptsetup open <device> <name>
# Mount your partition
mount -t <fstype> /dev/mapper/<name> <mountlocation>

Unmounting

# Unmount your partition
umount <mountlocation>
# Close the decrypted drive
cryptsetup close <name>

Benchmark

cryptsetup benchmark
Example Output
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1      1213629 iterations per second for 256-bit key
PBKDF2-sha256    1524093 iterations per second for 256-bit key
PBKDF2-sha512    1082121 iterations per second for 256-bit key
PBKDF2-ripemd160  648069 iterations per second for 256-bit key
PBKDF2-whirlpool  421453 iterations per second for 256-bit key
argon2i       4 iterations, 875179 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id      4 iterations, 889195 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b       542.7 MiB/s      2192.7 MiB/s
    serpent-cbc        128b        67.3 MiB/s       459.9 MiB/s
    twofish-cbc        128b       140.6 MiB/s       285.8 MiB/s
        aes-cbc        256b       405.3 MiB/s      1701.8 MiB/s
    serpent-cbc        256b        71.6 MiB/s       459.5 MiB/s
    twofish-cbc        256b       146.6 MiB/s       287.1 MiB/s
        aes-xts        256b      1421.6 MiB/s      1449.2 MiB/s
    serpent-xts        256b       455.9 MiB/s       444.0 MiB/s
    twofish-xts        256b       284.2 MiB/s       286.3 MiB/s
        aes-xts        512b      1187.2 MiB/s      1177.9 MiB/s
    serpent-xts        512b       454.7 MiB/s       446.1 MiB/s
    twofish-xts        512b       284.9 MiB/s       286.5 MiB/s

Adiantum

If you're running a device which does not support AES instructions (e.g. Raspberry Pi), you may be interested in Adiantum[1].
Adiantum

Creation
cryptsetup -v --type luks2 --cipher xchacha12,aes-adiantum --sector-size 4096 \
           --key-size 256 --hash sha512 --iter-time 5000 --use-urandom \
           --verify-passphrase luksFormat <device>
Benchmark[2]
cryptsetup benchmark -c xchacha12,aes-adiantum -s 512

Scripts

mount_drives.sh
#!/bin/bash

function mount_luks {
    local fstype=$1
    local device=$2
    local name=$3
    local mountpoint=$4
    if [ ! -b /dev/mapper/"$name" ]
    then
        sudo cryptsetup open "$device" "$name"
    fi
    sudo mkdir -p "$mountpoint"
    sudo mount -t $fstype /dev/mapper/"$name" "$mountpoint"
}

mount_luks ext4 /dev/disk/by-id/<drive> lukscrypt1 /media/lukscrypt1
unmount_drives.sh
#!/bin/bash

function unmount_luks {
    local name=$1
    local mountlocation=$2
    sudo umount "$mountlocation" && \
    sudo rm -r "$mountlocation"
    sudo cryptsetup close "$name"
}

unmount_luks lukscrypt1 /media/lukscrypt1

Resources