LUKS: Difference between revisions
| Line 10: | Line 10: | ||
===Encrypting a device=== | ===Encrypting a device=== | ||
<syntaxhighlight lang="bash"> | |||
# Examples | |||
DEVICE=/dev/sda | |||
NAME=arr1 | |||
# Setup encryption | |||
cryptsetup -v --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 \ | cryptsetup -v --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 \ | ||
--iter-time 5000 --use-urandom --verify-passphrase luksFormat "${DEVICE}" | --iter-time 5000 --use-urandom --verify-passphrase luksFormat "${DEVICE}" | ||
# Open encrypted drive to /dev/mapper/$NAME | |||
cryptsetup open "${DEVICE}" "${NAME}" | cryptsetup open "${DEVICE}" "${NAME}" | ||
# Create a partition | |||
mkfs.btrfs /dev/mapper/${NAME} | mkfs.btrfs /dev/mapper/${NAME} | ||
mount -t btrfs /dev/mapper/${NAME} /media/${NAME} | |||
# Fill the drive to overwrite any existing raw data (optional) | |||
dd if=/dev/zero of=/media/$NAME/file status=progress | |||
</syntaxhighlight> | |||
dd if=/dev/zero of= | |||
</ | |||
===Mounting=== | ===Mounting=== | ||
Revision as of 18:34, 15 January 2023
LUKS encryption
Getting Started
See Archwiki: dm-crypt/Device encryption.
Install cryptsetup
sudo apt install cryptsetup
Encrypting a device
# Examples
DEVICE=/dev/sda
NAME=arr1
# Setup encryption
cryptsetup -v --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
--iter-time 5000 --use-urandom --verify-passphrase luksFormat "${DEVICE}"
# Open encrypted drive to /dev/mapper/$NAME
cryptsetup open "${DEVICE}" "${NAME}"
# Create a partition
mkfs.btrfs /dev/mapper/${NAME}
mount -t btrfs /dev/mapper/${NAME} /media/${NAME}
# Fill the drive to overwrite any existing raw data (optional)
dd if=/dev/zero of=/media/$NAME/file status=progress
Mounting
# Open the encrypted drive
cryptsetup open "${DEVICE}" "${NAME}"
# Mount your partition
mount -t btrfs /dev/mapper/${NAME} "${MOUNT_LOCATION}"
Unmounting
# Unmount your partition
umount "${MOUNT_LOCATION}"
# Close the decrypted drive
cryptsetup close ${NAME}
Encrpytion Options
- You can see defaults using
cryptsetup --help. --typeoptionsluksdefaults toluks1on cryptsetup < 2.1.0,luks2on cryptsetup >= 2.1.0luks1is the standard version of LUKS.luks2is a new version released in Dec 2017. Older versions of Grub (before 2.06 or June 2020) do not support booting from LUKS2.plainis dm-crypt plain mode. Avoid this unless you know what you're doing.loopaesAvoid this as well.tcryptUse this for mounting older truecrypt volumes.
--iter-timedynamically determines the number of iterations used to hash your password. The number of iterations is determined when creating the luks key. E.g.5000means hash for 5 seconds worth of iterations on your particular CPU. You can see the number of iterations for each key withcryptsetup luksDump <device>.
defaults
Benchmark
cryptsetup benchmark
Example Output
Adiantum
If you're running a device which does not support hardware accelerated AES instructions (e.g. Raspberry Pi), you may be interested in Adiantum[1].
Adiantum is an encryption mode by Google which uses ChaCha12 for block encryption.
It is included in Linux kernel v5.0.
- Creation
cryptsetup -v --type luks2 --cipher xchacha12,aes-adiantum --sector-size 4096 \
--key-size 256 --hash sha512 --iter-time 5000 --use-urandom \
--verify-passphrase luksFormat <device>
- Benchmark[2]
cryptsetup benchmark -c xchacha12,aes-adiantum -s 512
Scripts
mount_drives.sh
unmount_drives.sh
Resources
References
- ↑ Google Blog: Introducing Adiantum: Encryption for the Next Billion Users https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html
- ↑ https://www.reddit.com/r/crypto/comments/b3we04/aesadiantum_new_mode_in_linux_kernel_5/