LUKS

From David's Wiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
\( \newcommand{\P}[]{\unicode{xB6}} \newcommand{\AA}[]{\unicode{x212B}} \newcommand{\empty}[]{\emptyset} \newcommand{\O}[]{\emptyset} \newcommand{\Alpha}[]{Α} \newcommand{\Beta}[]{Β} \newcommand{\Epsilon}[]{Ε} \newcommand{\Iota}[]{Ι} \newcommand{\Kappa}[]{Κ} \newcommand{\Rho}[]{Ρ} \newcommand{\Tau}[]{Τ} \newcommand{\Zeta}[]{Ζ} \newcommand{\Mu}[]{\unicode{x039C}} \newcommand{\Chi}[]{Χ} \newcommand{\Eta}[]{\unicode{x0397}} \newcommand{\Nu}[]{\unicode{x039D}} \newcommand{\Omicron}[]{\unicode{x039F}} \DeclareMathOperator{\sgn}{sgn} \def\oiint{\mathop{\vcenter{\mathchoice{\huge\unicode{x222F}\,}{\unicode{x222F}}{\unicode{x222F}}{\unicode{x222F}}}\,}\nolimits} \def\oiiint{\mathop{\vcenter{\mathchoice{\huge\unicode{x2230}\,}{\unicode{x2230}}{\unicode{x2230}}{\unicode{x2230}}}\,}\nolimits} \)

LUKS encryption

Getting Started

See Archwiki: dm-crypt/Device encryption.

Install cryptsetup

sudo apt install cryptsetup

Encrypting a device

# Examples
DEVICE=/dev/sda
NAME=arr1

# Setup encryption
cryptsetup --type luks2 -v luksFormat "${DEVICE}"

# Open encrypted drive to /dev/mapper/$NAME
cryptsetup open "${DEVICE}" "${NAME}"

# Create a partition
mkfs.btrfs /dev/mapper/${NAME}

# Create a mountpoint and mount
mkdir -p /media/${NAME}
mount -t btrfs /dev/mapper/${NAME} /media/${NAME}

# Fill the drive to overwrite any existing raw data (optional)
dd if=/dev/zero of=/media/$NAME/file status=progress

Mounting

# Open the encrypted drive
cryptsetup open "${DEVICE}" "${NAME}"
# Mount your partition
mount -t btrfs /dev/mapper/${NAME} "${MOUNT_LOCATION}"

Unmounting

# Unmount your partition
umount "${MOUNT_LOCATION}"
# Close the decrypted drive
cryptsetup close ${NAME}

Encrpytion Options

  • You can see defaults using cryptsetup --help.
  • --type options
    • luks defaults to luks1 on cryptsetup < 2.1.0, luks2 on cryptsetup >= 2.1.0
    • luks1 is the old version of LUKS.
    • luks2 is the current version released in Dec 2017. Older versions of Grub (before 2.06 or June 2020) do not support booting from LUKS2.
    • plain is dm-crypt plain mode. Avoid this unless you know what you're doing.
    • loopaes Avoid this as well.
    • tcrypt Use this for mounting older truecrypt volumes.
  • --iter-time dynamically determines the number of iterations used to hash your password. The number of iterations is determined when creating the luks key. E.g. 5000 means hash for 5 seconds worth of iterations on your particular CPU. You can see the number of iterations for each key with cryptsetup luksDump <device>.
defaults

Benchmark

cryptsetup benchmark
Example Output (i7-12700K)

Adiantum

If you're running a device which does not support hardware accelerated AES instructions (e.g. Raspberry Pi), you may be interested in Adiantum[1].
Adiantum is an encryption mode by Google which uses ChaCha12 for block encryption. It is included in Linux kernel v5.0.

Creation
cryptsetup -v --type luks2 --cipher xchacha12,aes-adiantum --sector-size 4096 \
           --key-size 256 --hash sha512 --iter-time 5000 --use-urandom \
           --verify-passphrase luksFormat <device>
Benchmark[2]
cryptsetup benchmark -c xchacha12,aes-adiantum

Scripts

mount_drives.sh
unmount_drives.sh

Resources

References