LUKS

From David's Wiki

LUKS encryption

Getting Started

See Archwiki: dm-crypt/Device encryption.

Install cryptsetup

sudo apt install cryptsetup

Encrypting a device

# Examples
DEVICE=/dev/sda
NAME=arr1

# Setup encryption
cryptsetup --type luks2 -v luksFormat "${DEVICE}"

# Open encrypted drive to /dev/mapper/$NAME
cryptsetup open "${DEVICE}" "${NAME}"

# Create a filesystem on the decrypted mapping
mkfs.btrfs /dev/mapper/${NAME}

# Create a mountpoint and mount
mkdir -p /media/${NAME}
mount -t btrfs /dev/mapper/${NAME} /media/${NAME}

# Fill the drive to overwrite any existing raw data with ciphertext (optional); delete the file afterwards
dd if=/dev/zero of=/media/$NAME/file status=progress

Mounting

# Open the encrypted drive
cryptsetup open "${DEVICE}" "${NAME}"
# Mount your partition
mount -t btrfs /dev/mapper/${NAME} "${MOUNT_LOCATION}"

Unmounting

# Unmount your partition
umount "${MOUNT_LOCATION}"
# Close the decrypted drive
cryptsetup close ${NAME}

Encryption Options

  • You can see defaults using cryptsetup --help.
  • --type options
    • luks defaults to luks1 on cryptsetup < 2.1.0, luks2 on cryptsetup >= 2.1.0
    • luks1 is the old version of LUKS.
    • luks2 is the current version released in Dec 2017. Older versions of Grub (before 2.06 or June 2020) do not support booting from LUKS2.
    • plain is dm-crypt plain mode. Avoid this unless you know what you're doing.
    • loopaes: avoid this as well.
    • tcrypt: use this for mounting older TrueCrypt volumes.
  • --iter-time (in milliseconds) dynamically determines the number of iterations used to hash your password: cryptsetup benchmarks your CPU when the LUKS key slot is created and picks an iteration count that takes roughly that long. E.g. 5000 means hash for 5 seconds' worth of iterations on your particular CPU. You can see the number of iterations for each key with cryptsetup luksDump <device>.
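As an added example (not code from the wiki), a small Python audit of cryptsetup luksDump output that reports the KDF cost parameters each LUKS2 keyslot actually ended up with after --iter-time did its benchmarking; the sample dump is constructed and abridged, and the 100,000-iteration PBKDF2 threshold is an assumption of this script.

```python
# Added example (not from the wiki): summarize the KDF protecting each LUKS2
# keyslot from `cryptsetup luksDump` output, since --iter-time is only a target.
import re

# Constructed, abridged LUKS2 luksDump output (real dumps carry many more fields).
SAMPLE_DUMP = """\
Data segments:
  0: crypt
	cipher: xchacha12,aes-adiantum
Keyslots:
  0: luks2
	PBKDF:      argon2id
	Time cost:  7
	Memory:     1048576
	Threads:    4
  1: luks2
	PBKDF:      pbkdf2
	Hash:       sha512
	Iterations: 1000
Digests:
  0: pbkdf2
	Hash:       sha512
	Iterations: 117453
"""


def parse_keyslots(dump: str) -> dict[int, dict[str, str]]:
    """Return {slot_number: {field: value}} for entries under 'Keyslots:' only."""
    slots, cur, in_keyslots = {}, None, False
    for line in dump.splitlines():
        if line and not line[0].isspace():          # top-level section header
            in_keyslots, cur = line.startswith("Keyslots:"), None
            continue
        m = re.match(r"\s+(\d+): luks2\s*$", line)
        if in_keyslots and m:                       # start of a keyslot entry
            cur = slots.setdefault(int(m.group(1)), {})
        elif cur is not None and ":" in line:       # "Field:   value" line
            key, _, val = line.strip().partition(":")
            cur[key.strip()] = val.strip()
    return slots

def kdf_summary(slot: dict[str, str]) -> str:
    """One-line description of a keyslot's KDF (Argon2 memory is in kB)."""
    if slot.get("PBKDF", "").startswith("argon2"):
        return (f"{slot['PBKDF']} t={slot['Time cost']} "
                f"m={slot['Memory']}kB p={slot['Threads']}")
    return f"{slot.get('PBKDF')}-{slot.get('Hash')} iterations={slot.get('Iterations')}"

def weak_slots(slots: dict[int, dict[str, str]], min_iters: int = 100_000) -> list[int]:
    """Slots still on PBKDF2 with fewer than min_iters iterations (threshold is ours)."""
    return [n for n, s in slots.items()
            if s.get("PBKDF") == "pbkdf2" and int(s.get("Iterations", "0")) < min_iters]
```

Feed it the real output of cryptsetup luksDump <device> to spot a key slot that was added with a low iteration count or an old PBKDF2-only header.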

Benchmark

cryptsetup benchmark
Example Output (i7-12700K)

Adiantum

If you're running a device which does not support hardware accelerated AES instructions (e.g. Raspberry Pi), you may be interested in Adiantum[1].
Adiantum is an encryption mode by Google which uses ChaCha12 for block encryption. It is included in Linux kernel v5.0.

Creation

cryptsetup -v --type luks2 --cipher xchacha12,aes-adiantum --sector-size 4096 \
           --key-size 256 --hash sha512 --iter-time 5000 --use-urandom \
           --verify-passphrase luksFormat <device>

Benchmark[2]

cryptsetup benchmark -c xchacha12,aes-adiantum

Scripts

mount_drives.sh
unmount_drives.sh

Resources

References