|
Packit |
94f725 |
Frequently Asked Questions Cryptsetup/LUKS
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Sections
|
|
Packit |
94f725 |
1. General Questions
|
|
Packit |
94f725 |
2. Setup
|
|
Packit |
94f725 |
3. Common Problems
|
|
Packit |
94f725 |
4. Troubleshooting
|
|
Packit |
94f725 |
5. Security Aspects
|
|
Packit |
94f725 |
6. Backup and Data Recovery
|
|
Packit |
94f725 |
7. Interoperability with other Disk Encryption Tools
|
|
Packit |
94f725 |
8. Issues with Specific Versions of cryptsetup
|
|
Packit |
94f725 |
9. The Initrd question
|
|
Packit |
94f725 |
10. LUKS2 Questions
|
|
Packit |
94f725 |
11. References and Further Reading
|
|
Packit |
94f725 |
A. Contributors
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
1. General Questions
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 1.1 What is this?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This is the FAQ (Frequently Asked Questions) for cryptsetup. It covers
|
|
Packit |
94f725 |
Linux disk encryption with plain dm-crypt (one passphrase, no
|
|
Packit |
94f725 |
management, no metadata on disk) and LUKS (multiple user keys with one
|
|
Packit |
94f725 |
master key, anti-forensic features, metadata block at start of device,
|
|
Packit |
94f725 |
...). The latest version of this FAQ should usually be available at
|
|
Packit |
94f725 |
https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 1.2 WARNINGS
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS2 COMPATIBILITY: This FAQ was originally written for LUKS1, not
|
|
Packit |
94f725 |
LUKS2. Hence regarding LUKS2, some of the answers found here may not
|
|
Packit |
94f725 |
apply. Updates for LUKS2 have been done and anything not applying to
|
|
Packit |
94f725 |
LUKS2 should clearly say LUKS1. However, this is a Frequently Asked
|
|
Packit |
94f725 |
Questions, and questions for LUKS2 are limited at this time or at least
|
|
Packit |
94f725 |
those that have reached me are. In the following, "LUKS" refers to both
|
|
Packit |
94f725 |
LUKS1 and LUKS2.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The LUKS1 on-disk format specification is at
|
|
Packit |
94f725 |
https://www.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf
|
|
Packit |
94f725 |
The LUKS2 on-disk format specification is at
|
|
Packit |
94f725 |
https://gitlab.com/cryptsetup/LUKS2-docs
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
ATTENTION: If you are going to read just one thing, make it the section
|
|
Packit |
94f725 |
on Backup and Data Recovery. By far the most questions on the
|
|
Packit |
94f725 |
cryptsetup mailing list are from people that managed to damage the start
|
|
Packit |
94f725 |
of their LUKS partitions, i.e. the LUKS header. In most cases, there
|
|
Packit |
94f725 |
is nothing that can be done to help these poor souls recover their data.
|
|
Packit |
94f725 |
Make sure you understand the problem and limitations imposed by the LUKS
|
|
Packit |
94f725 |
security model BEFORE you face such a disaster! In particular, make
|
|
Packit |
94f725 |
sure you have a current header backup before doing any potentially
|
|
Packit |
94f725 |
dangerous operations. The LUKS2 header should be a bit more resilient
|
|
Packit |
94f725 |
as critical data starts later and is stored twice, but you can decidely
|
|
Packit |
94f725 |
still destroy it or a keyslot permanently by accident.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
DEBUG COMMANDS: While the --debug and --debug-json options should not
|
|
Packit |
94f725 |
leak secret data, "strace" and the like can leak your full passphrase.
|
|
Packit |
94f725 |
Do not post an strace output with the correct passphrase to a
|
|
Packit |
94f725 |
mailing-list or online! See Item 4.5 for more explanation.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
SSDs/FLASH DRIVES: SSDs and Flash are different. Currently it is
|
|
Packit |
94f725 |
unclear how to get LUKS or plain dm-crypt to run on them with the full
|
|
Packit |
94f725 |
set of security assurances intact. This may or may not be a problem,
|
|
Packit |
94f725 |
depending on the attacker model. See Section 5.19.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
BACKUP: Yes, encrypted disks die, just as normal ones do. A full backup
|
|
Packit |
94f725 |
is mandatory, see Section "6. Backup and Data Recovery" on options for
|
|
Packit |
94f725 |
doing encrypted backup.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
CLONING/IMAGING: If you clone or image a LUKS container, you make a copy
|
|
Packit |
94f725 |
of the LUKS header and the master key will stay the same! That means
|
|
Packit |
94f725 |
that if you distribute an image to several machines, the same master key
|
|
Packit |
94f725 |
will be used on all of them, regardless of whether you change the
|
|
Packit |
94f725 |
passphrases. Do NOT do this! If you do, a root-user on any of the
|
|
Packit |
94f725 |
machines with a mapped (decrypted) container or a passphrase on that
|
|
Packit |
94f725 |
machine can decrypt all other copies, breaking security. See also Item
|
|
Packit |
94f725 |
6.15.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
DISTRIBUTION INSTALLERS: Some distribution installers offer to create
|
|
Packit |
94f725 |
LUKS containers in a way that can be mistaken as activation of an
|
|
Packit |
94f725 |
existing container. Creating a new LUKS container on top of an existing
|
|
Packit |
94f725 |
one leads to permanent, complete and irreversible data loss. It is
|
|
Packit |
94f725 |
strongly recommended to only use distribution installers after a
|
|
Packit |
94f725 |
complete backup of all LUKS containers has been made.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
UBUNTU INSTALLER: In particular the Ubuntu installer seems to be quite
|
|
Packit |
94f725 |
willing to kill LUKS containers in several different ways. Those
|
|
Packit |
94f725 |
responsible at Ubuntu seem not to care very much (it is very easy to
|
|
Packit |
94f725 |
recognize a LUKS container), so treat the process of installing Ubuntu
|
|
Packit |
94f725 |
as a severe hazard to any LUKS container you may have.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
NO WARNING ON NON-INTERACTIVE FORMAT: If you feed cryptsetup from STDIN
|
|
Packit |
94f725 |
(e.g. via GnuPG) on LUKS format, it does not give you the warning that
|
|
Packit |
94f725 |
you are about to format (and e.g. will lose any pre-existing LUKS
|
|
Packit |
94f725 |
container on the target), as it assumes it is used from a script. In
|
|
Packit |
94f725 |
this scenario, the responsibility for warning the user and possibly
|
|
Packit |
94f725 |
checking for an existing LUKS header is shifted to the script. This is
|
|
Packit |
94f725 |
a more general form of the previous item.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS PASSPHRASE IS NOT THE MASTER KEY: The LUKS passphrase is not used
|
|
Packit |
94f725 |
in deriving the master key. It is used in decrypting a master key that
|
|
Packit |
94f725 |
is randomly selected on header creation. This means that if you create
|
|
Packit |
94f725 |
a new LUKS header on top of an old one with exactly the same parameters
|
|
Packit |
94f725 |
and exactly the same passphrase as the old one, it will still have a
|
|
Packit |
94f725 |
different master key and your data will be permanently lost.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
PASSPHRASE CHARACTER SET: Some people have had difficulties with this
|
|
Packit |
94f725 |
when upgrading distributions. It is highly advisable to only use the 95
|
|
Packit |
94f725 |
printable characters from the first 128 characters of the ASCII table,
|
|
Packit |
94f725 |
as they will always have the same binary representation. Other
|
|
Packit |
94f725 |
characters may have different encoding depending on system configuration
|
|
Packit |
94f725 |
and your passphrase will not work with a different encoding. A table of
|
|
Packit |
94f725 |
the standardized first 128 ASCII characters can, e.g. be found on
|
|
Packit |
94f725 |
http://en.wikipedia.org/wiki/ASCII
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
KEYBOARD NUM-PAD: Apparently some pre-boot authentication environments
|
|
Packit |
94f725 |
(these are done by the distro, not by cryptsetup, so complain there)
|
|
Packit |
94f725 |
treat digits entered on the num-pad and ones entered regularly
|
|
Packit |
94f725 |
different. This may be because the BIOS USB keyboard driver is used and
|
|
Packit |
94f725 |
that one may have bugs on some computers. If you cannot open your
|
|
Packit |
94f725 |
device in pre-boot, try entering the digits over the regular digit keys.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 1.3 System specific warnings
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- The Ubuntu Natty uinstaller has a "won't fix" defect that may destroy
|
|
Packit |
94f725 |
LUKS containers. This is quite old an not relevant for most people.
|
|
Packit |
94f725 |
Reference:
|
|
Packit |
94f725 |
https://bugs.launchpad.net/ubuntu/+source/partman-crypto/+bug/420080
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 1.4 My LUKS-device is broken! Help!
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
First: Do not panic! In many cases the data is still recoverable.
|
|
Packit |
94f725 |
Do not do anything hasty! Steps:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Take some deep breaths. Maybe add some relaxing music. This may
|
|
Packit |
94f725 |
sound funny, but I am completely serious. Often, critical damage is
|
|
Packit |
94f725 |
done only after the initial problem.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Do not reboot. The keys may still be in the kernel if the device is
|
|
Packit |
94f725 |
mapped.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Make sure others do not reboot the system.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Do not write to your disk without a clear understanding why this will
|
|
Packit |
94f725 |
not make matters worse. Do a sector-level backup before any writes.
|
|
Packit |
94f725 |
Often you do not need to write at all to get enough access to make a
|
|
Packit |
94f725 |
backup of the data.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Relax some more.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Read section 6 of this FAQ.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Ask on the mailing-list if you need more help.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 1.5 Who wrote this?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Current FAQ maintainer is Arno Wagner <arno@wagner.name>. If you want
|
|
Packit |
94f725 |
to send me encrypted email, my current PGP key is DSA key CB5D9718,
|
|
Packit |
94f725 |
fingerprint 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Other contributors are listed at the end. If you want to contribute,
|
|
Packit |
94f725 |
send your article, including a descriptive headline, to the maintainer,
|
|
Packit |
94f725 |
or the dm-crypt mailing list with something like "FAQ ..."
|
|
Packit |
94f725 |
in the subject. You can also send more raw information and have
|
|
Packit |
94f725 |
me write the section. Please note that by contributing to this FAQ,
|
|
Packit |
94f725 |
you accept the license described below.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This work is under the "Attribution-Share Alike 3.0 Unported" license,
|
|
Packit |
94f725 |
which means distribution is unlimited, you may create derived works, but
|
|
Packit |
94f725 |
attributions to original authors and this license statement must be
|
|
Packit |
94f725 |
retained and the derived work must be under the same license. See
|
|
Packit |
94f725 |
http://creativecommons.org/licenses/by-sa/3.0/ for more details of the
|
|
Packit |
94f725 |
license.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Side note: I did text license research some time ago and I think this
|
|
Packit |
94f725 |
license is best suited for the purpose at hand and creates the least
|
|
Packit |
94f725 |
problems.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 1.6 Where is the project website?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There is the project website at
|
|
Packit |
94f725 |
https://gitlab.com/cryptsetup/cryptsetup/ Please do not post
|
|
Packit |
94f725 |
questions there, nobody will read them. Use the mailing-list
|
|
Packit |
94f725 |
instead.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 1.7 Is there a mailing-list?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Instructions on how to subscribe to the mailing-list are at on the
|
|
Packit |
94f725 |
project website. People are generally helpful and friendly on the
|
|
Packit |
94f725 |
list.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The question of how to unsubscribe from the list does crop up sometimes.
|
|
Packit |
94f725 |
For this you need your list management URL, which is sent to you
|
|
Packit |
94f725 |
initially and once at the start of each month. Go to the URL mentioned
|
|
Packit |
94f725 |
in the email and select "unsubscribe". This page also allows you to
|
|
Packit |
94f725 |
request a password reminder.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Alternatively, you can send an Email to dm-crypt-request@saout.de with
|
|
Packit |
94f725 |
just the word "help" in the subject or message body. Make sure to send
|
|
Packit |
94f725 |
it from your list address.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The mailing list archive is here:
|
|
Packit |
94f725 |
https://marc.info/?l=dm-crypt
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 1.8 Unsubscribe from the mailing-list
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Send mail to dm-crypt-unsubscribe@saout.de from the subscribed account.
|
|
Packit |
94f725 |
You will get an email with instructions.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Basically, you just have to respond to it unmodified to get
|
|
Packit |
94f725 |
unsubscribed. The listserver admin functions are not very fast. It can
|
|
Packit |
94f725 |
take 15 minutes or longer for a reply to arrive (I suspect greylisting
|
|
Packit |
94f725 |
is in use), so be patient.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Also note that nobody on the list can unsubscribe you, sending demands
|
|
Packit |
94f725 |
to be unsubscribed to the list just annoys people that are entirely
|
|
Packit |
94f725 |
blameless for you being subscribed.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you are subscribed, a subscription confirmation email was sent to
|
|
Packit |
94f725 |
your email account and it had to be answered before the subscription
|
|
Packit |
94f725 |
went active. The confirmation emails from the listserver have subjects
|
|
Packit |
94f725 |
like these (with other numbers):
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Subject: confirm 9964cf10.....
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
and are sent from dm-crypt-request@saout.de. You should check whether
|
|
Packit |
94f725 |
you have anything like it in your sent email folder. If you find
|
|
Packit |
94f725 |
nothing and are sure you did not confirm, then you should look into a
|
|
Packit |
94f725 |
possible compromise of your email account.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
2. Setup
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.1 LUKS Container Setup mini-HOWTO
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This item tries to give you a very brief list of all the steps you
|
|
Packit |
94f725 |
should go though when creating a new LUKS encrypted container, i.e.
|
|
Packit |
94f725 |
encrypted disk, partition or loop-file.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
01) All data will be lost, if there is data on the target, make a
|
|
Packit |
94f725 |
backup.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
02) Make very sure you use the right target disk, partition or
|
|
Packit |
94f725 |
loop-file.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
03) If the target was in use previously, it is a good idea to wipe it
|
|
Packit |
94f725 |
before creating the LUKS container in order to remove any trace of old
|
|
Packit |
94f725 |
file systems and data. For example, some users have managed to run
|
|
Packit |
94f725 |
e2fsck on a partition containing a LUKS container, possibly because of
|
|
Packit |
94f725 |
residual ext2 superblocks from an earlier use. This can do arbitrary
|
|
Packit |
94f725 |
damage up to complete and permanent loss of all data in the LUKS
|
|
Packit |
94f725 |
container.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
To just quickly wipe file systems (old data may remain), use
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
wipefs -a <target device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
To wipe file system and data, use something like
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cat /dev/zero > <target device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This can take a while. To get a progress indicator, you can use the
|
|
Packit |
94f725 |
tool dd_rescue (->google) instead or use my stream meter "wcs" (source
|
|
Packit |
94f725 |
here: http://www.tansi.org/tools/index.html) in the following fashion:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cat /dev/zero | wcs > <target device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Plain "dd" also gives you the progress on a SIGUSR1, see its man-page.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Be very sure you have the right target, all data will be lost!
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note that automatic wiping is on the TODO list for cryptsetup, so at
|
|
Packit |
94f725 |
some time in the future this will become unnecessary.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Alternatively, plain dm-crypt can be used for a very fast wipe with
|
|
Packit |
94f725 |
crypto-grade randomness, see Item 2.19
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
04) Create the LUKS container.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS1:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksFormat --type luks1 <target device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS2:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksFormat --type luks2 <target device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Just follow the on-screen instructions.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note: Passprase iteration count is based on time and hence security
|
|
Packit |
94f725 |
level depends on CPU power of the system the LUKS container is created
|
|
Packit |
94f725 |
on. For example on a Raspberry Pi and LUKS1, I found some time ago that
|
|
Packit |
94f725 |
the iteration count is 15 times lower than for a regular PC (well, for
|
|
Packit |
94f725 |
my old one). Depending on security requirements, this may need
|
|
Packit |
94f725 |
adjustment. For LUKS1, you can just look at the iteration count on
|
|
Packit |
94f725 |
different systems and select one you like. You can also change the
|
|
Packit |
94f725 |
benchmark time with the -i parameter to create a header for a slower
|
|
Packit |
94f725 |
system.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For LUKS2, the parameters are more complex. ARGON2 has iteration,
|
|
Packit |
94f725 |
parallelism and memory parameter. cryptsetup actually may adjust the
|
|
Packit |
94f725 |
memory parameter for time scaling. Hence to use -i is the easiest way
|
|
Packit |
94f725 |
to get slower or faster opening (default: 2000 = 2sec). Just make sure
|
|
Packit |
94f725 |
to not drop this too low or you may get a memory parameter that is to
|
|
Packit |
94f725 |
small to be secure. The luksDump command lists the memory parameter of
|
|
Packit |
94f725 |
a created LUKS2 keyslot in kB. That parameter should probably be not
|
|
Packit |
94f725 |
much lower than 100000, i.e. 100MB, but don't take my word for it.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
05) Map the container. Here it will be mapped to /dev/mapper/c1:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksOpen <target device> c1
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
06) (Optionally) wipe the container (make sure you have the right
|
|
Packit |
94f725 |
target!):
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cat /dev/zero > /dev/mapper/c1
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This will take a while. Note that this creates a small information
|
|
Packit |
94f725 |
leak, as an attacker can determine whether a 512 byte block is zero if
|
|
Packit |
94f725 |
the attacker has access to the encrypted container multiple times.
|
|
Packit |
94f725 |
Typically a competent attacker that has access multiple times can
|
|
Packit |
94f725 |
install a passphrase sniffer anyways, so this leakage is not very
|
|
Packit |
94f725 |
significant. For getting a progress indicator, see step 03.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
07) Create a file system in the mapped container, for example an
|
|
Packit |
94f725 |
ext3 file system (any other file system is possible):
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
mke2fs -j /dev/mapper/c1
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
08) Mount your encrypted file system, here on /mnt:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
mount /dev/mapper/c1 /mnt
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
09) Make a LUKS header backup and plan for a container backup.
|
|
Packit |
94f725 |
See Section 6 for details.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Done. You can now use the encrypted file system to store data. Be sure
|
|
Packit |
94f725 |
to read though the rest of the FAQ, these are just the very basics. In
|
|
Packit |
94f725 |
particular, there are a number of mistakes that are easy to make, but
|
|
Packit |
94f725 |
will compromise your security.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.2 LUKS on partitions or raw disks? What about RAID?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Also see Item 2.8.
|
|
Packit |
94f725 |
This is a complicated question, and made more so by the availability of
|
|
Packit |
94f725 |
RAID and LVM. I will try to give some scenarios and discuss advantages
|
|
Packit |
94f725 |
and disadvantages. Note that I say LUKS for simplicity, but you can do
|
|
Packit |
94f725 |
all the things described with plain dm-crypt as well. Also note that
|
|
Packit |
94f725 |
your specific scenario may be so special that most or even all things I
|
|
Packit |
94f725 |
say below do not apply.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Be aware that if you add LVM into the mix, things can get very
|
|
Packit |
94f725 |
complicated. Same with RAID but less so. In particular, data recovery
|
|
Packit |
94f725 |
can get exceedingly difficult. Only add LVM if you have a really good
|
|
Packit |
94f725 |
reason and always remember KISS is what separates an engineer from an
|
|
Packit |
94f725 |
amateur. Of course, if you really need the added complexity, KISS is
|
|
Packit |
94f725 |
satisfied. But be very sure as there is a price to pay for it. In
|
|
Packit |
94f725 |
engineering, complexity is always the enemy and needs to be fought
|
|
Packit |
94f725 |
without mercy when encountered.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Also consider using RAID instead of LVM, as at least with the old
|
|
Packit |
94f725 |
superblock format 0.90, the RAID superblock is in the place (end of
|
|
Packit |
94f725 |
disk) where the risk of it damaging the LUKS header is smallest and you
|
|
Packit |
94f725 |
can have your array assembled by the RAID controller (i.e. the kernel),
|
|
Packit |
94f725 |
as it should be. Use partition type 0xfd for that. I recommend staying
|
|
Packit |
94f725 |
away from superblock formats 1.0, 1.1 and 1.2 unless you really need
|
|
Packit |
94f725 |
them.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Scenarios:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
(1) Encrypted partition: Just make a partition to your liking, and put
|
|
Packit |
94f725 |
LUKS on top of it and a filesystem into the LUKS container. This gives
|
|
Packit |
94f725 |
you isolation of differently-tasked data areas, just as ordinary
|
|
Packit |
94f725 |
partitioning does. You can have confidential data, non-confidential
|
|
Packit |
94f725 |
data, data for some specific applications, user-homes, root, etc.
|
|
Packit |
94f725 |
Advantages are simplicity as there is a 1:1 mapping between partitions
|
|
Packit |
94f725 |
and filesystems, clear security functionality and the ability to
|
|
Packit |
94f725 |
separate data into different, independent (!) containers.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note that you cannot do this for encrypted root, that requires an
|
|
Packit |
94f725 |
initrd. On the other hand, an initrd is about as vulnerable to a
|
|
Packit |
94f725 |
competent attacker as a non-encrypted root, so there really is no
|
|
Packit |
94f725 |
security advantage to doing it that way. An attacker that wants to
|
|
Packit |
94f725 |
compromise your system will just compromise the initrd or the kernel
|
|
Packit |
94f725 |
itself. The better way to deal with this is to make sure the root
|
|
Packit |
94f725 |
partition does not store any critical data and to move that to
|
|
Packit |
94f725 |
additional encrypted partitions. If you really are concerned your root
|
|
Packit |
94f725 |
partition may be sabotaged by somebody with physical access (who would
|
|
Packit |
94f725 |
however strangely not, say, sabotage your BIOS, keyboard, etc.), protect
|
|
Packit |
94f725 |
it in some other way. The PC is just not set-up for a really secure
|
|
Packit |
94f725 |
boot-chain (whatever some people may claim).
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
(2) Fully encrypted raw block device: For this, put LUKS on the raw
|
|
Packit |
94f725 |
device (e.g. /dev/sdb) and put a filesystem into the LUKS container, no
|
|
Packit |
94f725 |
partitioning whatsoever involved. This is very suitable for things like
|
|
Packit |
94f725 |
external USB disks used for backups or offline data-storage.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
(3) Encrypted RAID: Create your RAID from partitions and/or full
|
|
Packit |
94f725 |
devices. Put LUKS on top of the RAID device, just if it were an
|
|
Packit |
94f725 |
ordinary block device. Applications are just the same as above, but you
|
|
Packit |
94f725 |
get redundancy. (Side note as many people seem to be unaware of it: You
|
|
Packit |
94f725 |
can do RAID1 with an arbitrary number of components in Linux.) See also
|
|
Packit |
94f725 |
Item 2.8.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
(4) Now, some people advocate doing the encryption below the RAID layer.
|
|
Packit |
94f725 |
That has several serious problems. One is that suddenly debugging RAID
|
|
Packit |
94f725 |
issues becomes much harder. You cannot do automatic RAID assembly
|
|
Packit |
94f725 |
anymore. You need to keep the encryption keys for the different RAID
|
|
Packit |
94f725 |
components in sync or manage them somehow. The only possible advantage
|
|
Packit |
94f725 |
is that things may run a little faster as more CPUs do the encryption,
|
|
Packit |
94f725 |
but if speed is a priority over security and simplicity, you are doing
|
|
Packit |
94f725 |
this wrong anyways. A good way to mitigate a speed issue is to get a
|
|
Packit |
94f725 |
CPU that does hardware AES as most do today.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.3 How do I set up encrypted swap?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
As things that are confidential can end up in swap (keys, passphrases,
|
|
Packit |
94f725 |
etc. are usually protected against being swapped to disk, but other
|
|
Packit |
94f725 |
things may not be), it may be advisable to do something about the issue.
|
|
Packit |
94f725 |
One option is to run without swap, which generally works well in a
|
|
Packit |
94f725 |
desktop-context. It may cause problems in a server-setting or under
|
|
Packit |
94f725 |
special circumstances. The solution to that is to encrypt swap with a
|
|
Packit |
94f725 |
random key at boot-time.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
NOTE: This is for Debian, and should work for Debian-derived
|
|
Packit |
94f725 |
distributions. For others you may have to write your own startup script
|
|
Packit |
94f725 |
or use other mechanisms.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
01) Add the swap partition to /etc/crypttab. A line like the
|
|
Packit |
94f725 |
following should do it:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
swap /dev/<partition> /dev/urandom swap,noearly
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Warning: While Debian refuses to overwrite partitions with a filesystem
|
|
Packit |
94f725 |
or RAID signature on it, as your disk IDs may change (adding or removing
|
|
Packit |
94f725 |
disks, failure of disk during boot, etc.), you may want to take
|
|
Packit |
94f725 |
additional precautions. Yes, this means that your kernel device names
|
|
Packit |
94f725 |
like sda, sdb, ... can change between reboots! This is not a concern
|
|
Packit |
94f725 |
if you have only one disk. One possibility is to make sure the
|
|
Packit |
94f725 |
partition number is not present on additional disks or also swap there.
|
|
Packit |
94f725 |
Another is to encapsulate the swap partition (by making it a 1-partition
|
|
Packit |
94f725 |
RAID1 or by using LVM), as that gets a persistent identifier.
|
|
Packit |
94f725 |
Specifying it directly by UUID does not work, unfortunately, as the UUID
|
|
Packit |
94f725 |
is part of the swap signature and that is not visible from the outside
|
|
Packit |
94f725 |
due to the encryption and in addition changes on each reboot with this
|
|
Packit |
94f725 |
setup.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note: Use /dev/random if you are paranoid or in a potential low-entropy
|
|
Packit |
94f725 |
situation (embedded system, etc.). This may cause the operation to take
|
|
Packit |
94f725 |
a long time during boot however. If you are in a "no entropy"
|
|
Packit |
94f725 |
situation, you cannot encrypt swap securely. In this situation you
|
|
Packit |
94f725 |
should find some entropy, also because nothing else using crypto will be
|
|
Packit |
94f725 |
secure, like ssh, ssl or GnuPG.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note: The "noearly" option makes sure things like LVM, RAID, etc. are
|
|
Packit |
94f725 |
running. As swap is non-critical for boot, it is fine to start it late.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
02) Add the swap partition to /etc/fstab. A line like the following
|
|
Packit |
94f725 |
should do it:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
/dev/mapper/swap none swap sw 0 0
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
That is it. Reboot or start it manually to activate encrypted swap.
|
|
Packit |
94f725 |
Manual start would look like this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
/etc/init.d/crypdisks start
|
|
Packit |
94f725 |
swapon /dev/mapper/swap
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.4 What is the difference between "plain" and LUKS format?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
First, unless you happen to understand the cryptographic background
|
|
Packit |
94f725 |
well, you should use LUKS. It does protect the user from a lot of
|
|
Packit |
94f725 |
common mistakes. Plain dm-crypt is for experts.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Plain format is just that: It has no metadata on disk, reads all
|
|
Packit |
94f725 |
parameters from the commandline (or the defaults), derives a master-key
|
|
Packit |
94f725 |
from the passphrase and then uses that to de-/encrypt the sectors of the
|
|
Packit |
94f725 |
device, with a direct 1:1 mapping between encrypted and decrypted
|
|
Packit |
94f725 |
sectors.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Primary advantage is high resilience to damage, as one damaged encrypted
|
|
Packit |
94f725 |
sector results in exactly one damaged decrypted sector. Also, it is not
|
|
Packit |
94f725 |
readily apparent that there even is encrypted data on the device, as an
|
|
Packit |
94f725 |
overwrite with crypto-grade randomness (e.g. from
|
|
Packit |
94f725 |
/dev/urandom) looks exactly the same on disk.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Side-note: That has limited value against the authorities. In civilized
|
|
Packit |
94f725 |
countries, they cannot force you to give up a crypto-key anyways. In
|
|
Packit |
94f725 |
quite a few countries around the world, they can force you to give up
|
|
Packit |
94f725 |
the keys (using imprisonment or worse to pressure you, sometimes without
|
|
Packit |
94f725 |
due process), and in the worst case, they only need a nebulous
|
|
Packit |
94f725 |
"suspicion" about the presence of encrypted data. Sometimes this
|
|
Packit |
94f725 |
applies to everybody, sometimes only when you are suspected of having
|
|
Packit |
94f725 |
"illicit data" (definition subject to change) and sometimes specifically
|
|
Packit |
94f725 |
when crossing a border. Note that this is going on in countries like
|
|
Packit |
94f725 |
the US and the UK to different degrees and sometimes with courts
|
|
Packit |
94f725 |
restricting what the authorities can actually demand.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
My advice is to either be ready to give up the keys or to not have
|
|
Packit |
94f725 |
encrypted data when traveling to those countries, especially when
|
|
Packit |
94f725 |
crossing the borders. The latter also means not having any high-entropy
|
|
Packit |
94f725 |
(random) data areas on your disk, unless you can explain them and
|
|
Packit |
94f725 |
demonstrate that explanation. Hence doing a zero-wipe of all free
|
|
Packit |
94f725 |
space, including unused space, may be a good idea.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Disadvantages are that you do not have all the nice features that the
|
|
Packit |
94f725 |
LUKS metadata offers, like multiple passphrases that can be changed, the
|
|
Packit |
94f725 |
cipher being stored in the metadata, anti-forensic properties like
|
|
Packit |
94f725 |
key-slot diffusion and salts, etc..
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS format uses a metadata header and 8 key-slot areas that are being
|
|
Packit |
94f725 |
placed at the beginning of the disk, see below under "What does the LUKS
|
|
Packit |
94f725 |
on-disk format looks like?". The passphrases are used to decrypt a
|
|
Packit |
94f725 |
single master key that is stored in the anti-forensic stripes. LUKS2
|
|
Packit |
94f725 |
adds some more flexibility.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Advantages are a higher usability, automatic configuration of
|
|
Packit |
94f725 |
non-default crypto parameters, defenses against low-entropy passphrases
|
|
Packit |
94f725 |
like salting and iterated PBKDF2 or ARGON 2 passphrase hashing, the
|
|
Packit |
94f725 |
ability to change passphrases, and others.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Disadvantages are that it is readily obvious there is encrypted data on
|
|
Packit |
94f725 |
disk (but see side note above) and that damage to the header or
|
|
Packit |
94f725 |
key-slots usually results in permanent data-loss. See below under "6.
|
|
Packit |
94f725 |
Backup and Data Recovery" on how to reduce that risk. Also the sector
|
|
Packit |
94f725 |
numbers get shifted by the length of the header and key-slots and there
|
|
Packit |
94f725 |
is a loss of that size in capacity. Unless you have a specific need,
|
|
Packit |
94f725 |
use LUKS2.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.5 Can I encrypt an existing, non-empty partition to use LUKS?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There is no converter, and it is not really needed. The way to do this
|
|
Packit |
94f725 |
is to make a backup of the device in question, securely wipe the device
|
|
Packit |
94f725 |
(as LUKS device initialization does not clear away old data), do a
|
|
Packit |
94f725 |
luksFormat, optionally overwrite the encrypted device, create a new
|
|
Packit |
94f725 |
filesystem and restore your backup on the now encrypted device. Also
|
|
Packit |
94f725 |
refer to sections "Security Aspects" and "Backup and Data Recovery".
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For backup, plain GNU tar works well and backs up anything likely to be
|
|
Packit |
94f725 |
in a filesystem.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.6 How do I use LUKS with a loop-device?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This can be very handy for experiments. Setup is just the same as with
|
|
Packit |
94f725 |
any block device. If you want, for example, to use a 100MiB file as
|
|
Packit |
94f725 |
LUKS container, do something like this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
head -c 100M /dev/zero > luksfile # create empty file
|
|
Packit |
94f725 |
losetup /dev/loop0 luksfile # map file to /dev/loop0
|
|
Packit |
94f725 |
cryptsetup luksFormat --type luks2 /dev/loop0 # create LUKS2 container
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Afterwards just use /dev/loop0 as a you would use a LUKS partition.
|
|
Packit |
94f725 |
To unmap the file when done, use "losetup -d /dev/loop0".
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.7 When I add a new key-slot to LUKS, it asks for a passphrase
|
|
Packit |
94f725 |
but then complains about there not being a key-slot with that
|
|
Packit |
94f725 |
passphrase?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
That is as intended. You are asked a passphrase of an existing key-slot
|
|
Packit |
94f725 |
first, before you can enter the passphrase for the new key-slot.
|
|
Packit |
94f725 |
Otherwise you could break the encryption by just adding a new key-slot.
|
|
Packit |
94f725 |
This way, you have to know the passphrase of one of the already
|
|
Packit |
94f725 |
configured key-slots in order to be able to configure a new key-slot.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.8 Encryption on top of RAID or the other way round?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Also see Item 2.2.
|
|
Packit |
94f725 |
Unless you have special needs, place encryption between RAID and
|
|
Packit |
94f725 |
filesystem, i.e. encryption on top of RAID. You can do it the other
|
|
Packit |
94f725 |
way round, but you have to be aware that you then need to give the
|
|
Packit |
94f725 |
passphrase for each individual disk and RAID auto-detection will not
|
|
Packit |
94f725 |
work anymore. Therefore it is better to encrypt the RAID device, e.g.
|
|
Packit |
94f725 |
/dev/dm0 .
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This means that the typical layering looks like this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Filesystem <- top
|
|
Packit |
94f725 |
|
|
|
Packit |
94f725 |
Encryption (LUKS)
|
|
Packit |
94f725 |
|
|
|
Packit |
94f725 |
RAID
|
|
Packit |
94f725 |
|
|
|
Packit |
94f725 |
Raw partitions (optional)
|
|
Packit |
94f725 |
|
|
|
Packit |
94f725 |
Raw disks <- bottom
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The big advantage of this is that you can manage the RAID container just
|
|
Packit |
94f725 |
like any other regular RAID container, it does not care that its content
|
|
Packit |
94f725 |
is encrypted. This strongly cuts down on complexity, something very
|
|
Packit |
94f725 |
valuable with storage encryption.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.9 How do I read a dm-crypt key from file?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Use the --key-file option, like this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup create --key-file keyfile e1 /dev/loop0
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This will read the binary key from file, i.e. no hashing or
|
|
Packit |
94f725 |
transformation will be applied to the keyfile before its bits are used
|
|
Packit |
94f725 |
as key. Extra bits (beyond the length of the key) at the end are
|
|
Packit |
94f725 |
ignored. Note that if you read from STDIN, the data will be hashed,
|
|
Packit |
94f725 |
just as a key read interactively from the terminal. See the man-page
|
|
Packit |
94f725 |
sections "NOTES ON PASSPHRASE PROCESSING..." for more detail.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.10 How do I read a LUKS slot key from file?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
What you really do here is to read a passphrase from file, just as you
|
|
Packit |
94f725 |
would with manual entry of a passphrase for a key-slot. You can add a
|
|
Packit |
94f725 |
new passphrase to a free key-slot, set the passphrase of an specific
|
|
Packit |
94f725 |
key-slot or put an already configured passphrase into a file. Make sure
|
|
Packit |
94f725 |
no trailing newline (0x0a) is contained in the input key file, or the
|
|
Packit |
94f725 |
passphrase will not work because the whole file is used as input.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
To add a new passphrase to a free key slot from file, use something
|
|
Packit |
94f725 |
like this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksAddKey /dev/loop0 keyfile
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
To add a new passphrase to a specific key-slot, use something
|
|
Packit |
94f725 |
like this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksAddKey --key-slot 7 /dev/loop0 keyfile
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
To supply a key from file to any LUKS command, use the --key-file
|
|
Packit |
94f725 |
option, e.g. like this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksOpen --key-file keyfile /dev/loop0 e1
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.11 How do I read the LUKS master key from file?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The question you should ask yourself first is why you would want to do
|
|
Packit |
94f725 |
this. The only legitimate reason I can think of is if you want to have
|
|
Packit |
94f725 |
two LUKS devices with the same master key. Even then, I think it would
|
|
Packit |
94f725 |
be preferable to just use key-slots with the same passphrase, or to use
|
|
Packit |
94f725 |
plain dm-crypt instead. If you really have a good reason, please tell
|
|
Packit |
94f725 |
me. If I am convinced, I will add how to do this here.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.12 What are the security requirements for a key read from file?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
A file-stored key or passphrase has the same security requirements as
|
|
Packit |
94f725 |
one entered interactively, however you can use random bytes and thereby
|
|
Packit |
94f725 |
use bytes you cannot type on the keyboard. You can use any file you
|
|
Packit |
94f725 |
like as key file, for example a plain text file with a human readable
|
|
Packit |
94f725 |
passphrase. To generate a file with random bytes, use something like
|
|
Packit |
94f725 |
this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
head -c 256 /dev/random > keyfile
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.13 If I map a journaled file system using dm-crypt/LUKS, does
|
|
Packit |
94f725 |
it still provide its usual transactional guarantees?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Yes, it does, unless a very old kernel is used. The required flags come
|
|
Packit |
94f725 |
from the filesystem layer and are processed and passed onward by
|
|
Packit |
94f725 |
dm-crypt (regardless of direct key management or LUKS key management).
|
|
Packit |
94f725 |
A bit more information on the process by which transactional guarantees
|
|
Packit |
94f725 |
are implemented can be found here:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
http://lwn.net/Articles/400541/
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Please note that these "guarantees" are weaker than they appear to be.
|
|
Packit |
94f725 |
One problem is that quite a few disks lie to the OS about having flushed
|
|
Packit |
94f725 |
their buffers. This is likely still true with SSDs. Some other things
|
|
Packit |
94f725 |
can go wrong as well. The filesystem developers are aware of these
|
|
Packit |
94f725 |
problems and typically can make it work anyways. That said,
|
|
Packit |
94f725 |
dm-crypt/LUKS will not make things worse.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
One specific problem you can run into is that you can get short freezes
|
|
Packit |
94f725 |
and other slowdowns due to the encryption layer. Encryption takes time
|
|
Packit |
94f725 |
and forced flushes will block for that time. For example, I did run
|
|
Packit |
94f725 |
into frequent small freezes (1-2 sec) when putting a vmware image on
|
|
Packit |
94f725 |
ext3 over dm-crypt. When I went back to ext2, the problem went away.
|
|
Packit |
94f725 |
This seems to have gotten better with kernel 2.6.36 and the reworking of
|
|
Packit |
94f725 |
filesystem flush locking mechanism (less blocking of CPU activity during
|
|
Packit |
94f725 |
flushes). This should improve further and eventually the problem should
|
|
Packit |
94f725 |
go away.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.14 Can I use LUKS or cryptsetup with a more secure (external)
|
|
Packit |
94f725 |
medium for key storage, e.g. TPM or a smartcard?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Yes, see the answers on using a file-supplied key. You do have to write
|
|
Packit |
94f725 |
the glue-logic yourself though. Basically you can have cryptsetup read
|
|
Packit |
94f725 |
the key from STDIN and write it there with your own tool that in turn
|
|
Packit |
94f725 |
gets the key from the more secure key storage.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For TPM support, you may want to have a look at tpm-luks at
|
|
Packit |
94f725 |
https://github.com/shpedoikal/tpm-luks. Note that tpm-luks is not
|
|
Packit |
94f725 |
related to the cryptsetup project.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.15 Can I resize a dm-crypt or LUKS container?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Yes, you can, as neither dm-crypt nor LUKS1 stores partition size and
|
|
Packit |
94f725 |
LUKS2 uses a generic "whole device" size as default. Note that LUKS2
|
|
Packit |
94f725 |
can use specified data-area sizes as a non-standard case and that these
|
|
Packit |
94f725 |
may cause issues when resizing a LUKS2 container if set to a specific
|
|
Packit |
94f725 |
value.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Whether you should do this is a different question. Personally I
|
|
Packit |
94f725 |
recommend backup, recreation of the dm-crypt or LUKS container with new
|
|
Packit |
94f725 |
size, recreation of the filesystem and restore. This gets around the
|
|
Packit |
94f725 |
tricky business of resizing the filesystem. Resizing a dm-crypt or LUKS
|
|
Packit |
94f725 |
container does not resize the filesystem in it. A backup is really
|
|
Packit |
94f725 |
non-optional here, as a lot can go wrong, resulting in partial or
|
|
Packit |
94f725 |
complete data loss. But if you have that backup, you can also just
|
|
Packit |
94f725 |
recreate everything.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
You also need to be aware of size-based limitations. The one currently
|
|
Packit |
94f725 |
relevant is that aes-xts-plain should not be used for encrypted
|
|
Packit |
94f725 |
container sizes larger than 2TiB. Use aes-xts-plain64 for that.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.16 How do I Benchmark the Ciphers, Hashes and Modes?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Since version 1.60 cryptsetup supports the "benchmark" command.
|
|
Packit |
94f725 |
Simply run as root:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup benchmark
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
You can get more than the default benchmarks, see the man-page for the
|
|
Packit |
94f725 |
relevant parameters. Note that XTS mode takes two keys, hence the
|
|
Packit |
94f725 |
listed key sizes are double that for other modes and half of it is the
|
|
Packit |
94f725 |
cipher key, the other half is the XTS key.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.17 How do I Verify I have an Authentic cryptsetup Source Package?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Current maintainer is Milan Broz and he signs the release packages with
|
|
Packit |
94f725 |
his PGP key. The key he currently uses is the "RSA key ID D93E98FC",
|
|
Packit |
94f725 |
fingerprint 2A29 1824 3FDE 4664 8D06 86F9 D9B0 577B D93E 98FC. While I
|
|
Packit |
94f725 |
have every confidence this really is his key and that he is who he
|
|
Packit |
94f725 |
claims to be, don't depend on it if your life is at stake. For that
|
|
Packit |
94f725 |
matter, if your life is at stake, don't depend on me being who I claim
|
|
Packit |
94f725 |
to be either.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
That said, as cryptsetup is under good version control and a malicious
|
|
Packit |
94f725 |
change should be noticed sooner or later, but it may take a while.
|
|
Packit |
94f725 |
Also, the attacker model makes compromising the sources in a non-obvious
|
|
Packit |
94f725 |
way pretty hard. Sure, you could put the master-key somewhere on disk,
|
|
Packit |
94f725 |
but that is rather obvious as soon as somebody looks as there would be
|
|
Packit |
94f725 |
data in an empty LUKS container in a place it should not be. Doing this
|
|
Packit |
94f725 |
in a more nefarious way, for example hiding the master-key in the salts,
|
|
Packit |
94f725 |
would need a look at the sources to be discovered, but I think that
|
|
Packit |
94f725 |
somebody would find that sooner or later as well.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
That said, this discussion is really a lot more complicated and longer
|
|
Packit |
94f725 |
as an FAQ can sustain. If in doubt, ask on the mailing list.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.18 Is there a concern with 4k Sectors?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Not from dm-crypt itself. Encryption will be done in 512B blocks, but
|
|
Packit |
94f725 |
if the partition and filesystem are aligned correctly and the filesystem
|
|
Packit |
94f725 |
uses multiples of 4kiB as block size, the dm-crypt layer will just
|
|
Packit |
94f725 |
process 8 x 512B = 4096B at a time with negligible overhead. LUKS does
|
|
Packit |
94f725 |
place data at an offset, which is 2MiB per default and will not break
|
|
Packit |
94f725 |
alignment. See also Item 6.12 of this FAQ for more details. Note that
|
|
Packit |
94f725 |
if your partition or filesystem is misaligned, dm-crypt can make the
|
|
Packit |
94f725 |
effect worse though. Also note that SSDs typically have much larger
|
|
Packit |
94f725 |
blocks internally (e.g. 128kB or even larger).
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.19 How can I wipe a device with crypto-grade randomness?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The conventional recommendation if you want to do more than just a
|
|
Packit |
94f725 |
zero-wipe is to use something like
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cat /dev/urandom > <taget-device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
That used to very slow and painful at 10-20MB/s on a fast computer, but
|
|
Packit |
94f725 |
newer kernels can give you > 200MB/s (depending on hardware). An
|
|
Packit |
94f725 |
alternative is using cryptsetup and a plain dm-crypt device with a
|
|
Packit |
94f725 |
random key, which is fast and on the same level of security. The
|
|
Packit |
94f725 |
defaults are quite enough.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For device set-up, do the following:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup open --type plain -d /dev/urandom /dev/<device> target
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This maps the container as plain under /dev/mapper/target with a random
|
|
Packit |
94f725 |
password. For the actual wipe you have several options. Basically, you
|
|
Packit |
94f725 |
pipe zeroes into the opened container that then get encrypted. Simple
|
|
Packit |
94f725 |
wipe without progress-indicator:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cat /dev/zero > /dev/mapper/to_be_wiped
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Progress-indicator by dd_rescue:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
dd_rescue -w /dev/zero /dev/mapper/to_be_wiped
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Progress-indicator by my "wcs" stream meter (available from
|
|
Packit |
94f725 |
http://www.tansi.org/tools/index.html ):
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cat /dev/zero | wcs > /dev/mapper/to_be_wiped
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Or use plain "dd", which gives you the progress when sent a SIGUSR1, see
|
|
Packit |
94f725 |
the dd man page.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Remove the mapping at the end and you are done.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 2.20 How to I wipe only the LUKS header?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This does _not_ describe an emergency wipe procedure, see Item 5.4 for
|
|
Packit |
94f725 |
that. This procedure here is intended to be used when the data should
|
|
Packit |
94f725 |
stay intact, e.g. when you change your LUKS container to use a detached
|
|
Packit |
94f725 |
header and want to remove the old one. Please only do this if you have
|
|
Packit |
94f725 |
a current backup.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS1:
|
|
Packit |
94f725 |
01) Determine header size in 512 Byte sectors with luksDump:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksDump <device with LUKS container>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
-> ...
|
|
Packit |
94f725 |
Payload offset: <number>
|
|
Packit |
94f725 |
...
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
02) Take the result number, multiply by 512 zeros and write to
|
|
Packit |
94f725 |
the start of the device, e.g. like this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
dd bs=512 count=<number> if=/dev/zero of=<device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS2: (warning, untested! Remember that backup?) This assumes the
|
|
Packit |
94f725 |
LUKS2 container uses the defaults, in particular there is only one data
|
|
Packit |
94f725 |
segment. 01) Determine the data-segment offset using luksDump, same
|
|
Packit |
94f725 |
as above for LUKS1:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
-> ...
|
|
Packit |
94f725 |
Data segments:
|
|
Packit |
94f725 |
0: crypt
|
|
Packit |
94f725 |
offset: <number> [bytes]
|
|
Packit |
94f725 |
...
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
02) Overwrite the stated number of bytes from the start of the device.
|
|
Packit |
94f725 |
Just to give yet another way to get a defined number of zeros:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
head -c /dev/zero > /dev/<device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
3. Common Problems
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 3.1 My dm-crypt/LUKS mapping does not work! What general steps
|
|
Packit |
94f725 |
are there to investigate the problem?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you get a specific error message, investigate what it claims first.
|
|
Packit |
94f725 |
If not, you may want to check the following things.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Check that "/dev", including "/dev/mapper/control" is there. If it is
|
|
Packit |
94f725 |
missing, you may have a problem with the "/dev" tree itself or you may
|
|
Packit |
94f725 |
have broken udev rules.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Check that you have the device mapper and the crypt target in your
|
|
Packit |
94f725 |
kernel. The output of "dmsetup targets" should list a "crypt" target.
|
|
Packit |
94f725 |
If it is not there or the command fails, add device mapper and
|
|
Packit |
94f725 |
crypt-target to the kernel.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Check that the hash-functions and ciphers you want to use are in the
|
|
Packit |
94f725 |
kernel. The output of "cat /proc/crypto" needs to list them.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 3.2 My dm-crypt mapping suddenly stopped when upgrading cryptsetup.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The default cipher, hash or mode may have changed (the mode changed from
|
|
Packit |
94f725 |
1.0.x to 1.1.x). See under "Issues With Specific Versions of
|
|
Packit |
94f725 |
cryptsetup".
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 3.3 When I call cryptsetup from cron/CGI, I get errors about
|
|
Packit |
94f725 |
unknown features?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you get errors about unknown parameters or the like that are not
|
|
Packit |
94f725 |
present when cryptsetup is called from the shell, make sure you have no
|
|
Packit |
94f725 |
older version of cryptsetup on your system that then gets called by
|
|
Packit |
94f725 |
cron/CGI. For example some distributions install cryptsetup into
|
|
Packit |
94f725 |
/usr/sbin, while a manual install could go to /usr/local/sbin. As a
|
|
Packit |
94f725 |
debugging aid, call "cryptsetup --version" from cron/CGI or the
|
|
Packit |
94f725 |
non-shell mechanism to be sure the right version gets called.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 3.4 Unlocking a LUKS device takes very long. Why?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The unlock time for a key-slot (see Section 5 for an explanation what
|
|
Packit |
94f725 |
iteration does) is calculated when setting a passphrase. By default it
|
|
Packit |
94f725 |
is 1 second (2 seconds for LUKS2). If you set a passphrase on a fast
|
|
Packit |
94f725 |
machine and then unlock it on a slow machine, the unlocking time can be
|
|
Packit |
94f725 |
much longer. Also take into account that up to 8 key-slots (LUKS2: up
|
|
Packit |
94f725 |
to 32 key-slots) have to be tried in order to find the right one.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If this is problem, you can add another key-slot using the slow machine
|
|
Packit |
94f725 |
with the same passphrase and then remove the old key-slot. The new
|
|
Packit |
94f725 |
key-slot will have the unlock time adjusted to the slow machine. Use
|
|
Packit |
94f725 |
luksKeyAdd and then luksKillSlot or luksRemoveKey. You can also use
|
|
Packit |
94f725 |
the -i option to reduce iteration time (and security level) when setting
|
|
Packit |
94f725 |
a passphrase. Default is 1000 (1 sec) for LUKS1 and 2000 (2sec) for
|
|
Packit |
94f725 |
LUKS2.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
However, this operation will not change volume key iteration count ("MK
|
|
Packit |
94f725 |
iterations" for LUKS1, "Iterations" under "Digests" for LUKS2). In
|
|
Packit |
94f725 |
order to change that, you will have to backup the data in the LUKS
|
|
Packit |
94f725 |
container (i.e. your encrypted data), luksFormat on the slow machine
|
|
Packit |
94f725 |
and restore the data. Note that MK iterations are not very security
|
|
Packit |
94f725 |
relevant.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 3.5 "blkid" sees a LUKS UUID and an ext2/swap UUID on the same
|
|
Packit |
94f725 |
device. What is wrong?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Some old versions of cryptsetup have a bug where the header does not get
|
|
Packit |
94f725 |
completely wiped during LUKS format and an older ext2/swap signature
|
|
Packit |
94f725 |
remains on the device. This confuses blkid.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Fix: Wipe the unused header areas by doing a backup and restore of
|
|
Packit |
94f725 |
the header with cryptsetup 1.1.x or later:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksHeaderBackup --header-backup-file <file> <device>
|
|
Packit |
94f725 |
cryptsetup luksHeaderRestore --header-backup-file <file> <device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
4. Troubleshooting
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 4.1 I get the error "LUKS keyslot x is invalid." What does that mean?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For LUKS1, this means that the given keyslot has an offset that points
|
|
Packit |
94f725 |
outside the valid keyslot area. Typically, the reason is a corrupted
|
|
Packit |
94f725 |
LUKS1 header because something was written to the start of the device
|
|
Packit |
94f725 |
the LUKS1 container is on. For LUKS2, I do not know when this error can
|
|
Packit |
94f725 |
happen, but I expect it will be something similar. Refer to Section
|
|
Packit |
94f725 |
"Backup and Data Recovery" and ask on the mailing list if you have
|
|
Packit |
94f725 |
trouble diagnosing and (if still possible) repairing this.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 4.2 I cannot unlock my LUKS container! What could be the problem?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
First, make sure you have a correct passphrase. Then make sure you have
|
|
Packit |
94f725 |
the correct key-map and correct keyboard. And then make sure you have
|
|
Packit |
94f725 |
the correct character set and encoding, see also "PASSPHRASE CHARACTER
|
|
Packit |
94f725 |
SET" under Section 1.2.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you are sure you are entering the passphrase right, there is the
|
|
Packit |
94f725 |
possibility that the respective key-slot has been damaged. There is no
|
|
Packit |
94f725 |
way to recover a damaged key-slot, except from a header backup (see
|
|
Packit |
94f725 |
Section 6). For security reasons, there is also no checksum in the
|
|
Packit |
94f725 |
key-slots that could tell you whether a key-slot has been damaged. The
|
|
Packit |
94f725 |
only checksum present allows recognition of a correct passphrase, but
|
|
Packit |
94f725 |
that only works with that correct passphrase and a respective key-slot
|
|
Packit |
94f725 |
that is intact.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
In order to find out whether a key-slot is damaged one has to look for
|
|
Packit |
94f725 |
"non-random looking" data in it. There is a tool that automatizes this
|
|
Packit |
94f725 |
for LUKS1 in the cryptsetup distribution from version 1.6.0 onwards. It
|
|
Packit |
94f725 |
is located in misc/keyslot_checker/. Instructions how to use and how to
|
|
Packit |
94f725 |
interpret results are in the README file. Note that this tool requires
|
|
Packit |
94f725 |
a libcryptsetup from cryptsetup 1.6.0 or later (which means
|
|
Packit |
94f725 |
libcryptsetup.so.4.5.0 or later). If the tool complains about missing
|
|
Packit |
94f725 |
functions in libcryptsetup, you likely have an earlier version from your
|
|
Packit |
94f725 |
distribution still installed. You can either point the symbolic link(s)
|
|
Packit |
94f725 |
from libcryptsetup.so.4 to the new version manually, or you can
|
|
Packit |
94f725 |
uninstall the distribution version of cryptsetup and re-install that
|
|
Packit |
94f725 |
from cryptsetup >= 1.6.0 again to fix this.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 4.3 Can a bad RAM module cause problems?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS and dm-crypt can give the RAM quite a workout, especially when
|
|
Packit |
94f725 |
combined with software RAID. In particular the combination RAID5 +
|
|
Packit |
94f725 |
LUKS1 + XFS seems to uncover RAM problems that do not cause obvious
|
|
Packit |
94f725 |
problems otherwise. Symptoms vary, but often the problem manifest
|
|
Packit |
94f725 |
itself when copying large amounts of data, typically several times
|
|
Packit |
94f725 |
larger than your main memory.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note: One thing you should always do on large data copying or movements
|
|
Packit |
94f725 |
is to run a verify, for example with the "-d" option of "tar" or by
|
|
Packit |
94f725 |
doing a set of MD5 checksums on the source or target with
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
find . -type f -exec md5sum \{\} \; > checksum-file
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
and then a "md5sum -c checksum-file" on the other side. If you get
|
|
Packit |
94f725 |
mismatches here, RAM is the primary suspect. A lesser suspect is an
|
|
Packit |
94f725 |
overclocked CPU. I have found countless hardware problems in verify
|
|
Packit |
94f725 |
runs after copying data or making backups. Bit errors are much more
|
|
Packit |
94f725 |
common than most people think.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Some RAM issues are even worse and corrupt structures in one of the
|
|
Packit |
94f725 |
layers. This typically results in lockups, CPU state dumps in the
|
|
Packit |
94f725 |
system logs, kernel panic or other things. It is quite possible to have
|
|
Packit |
94f725 |
a problem with an encrypted device, but not with an otherwise the same
|
|
Packit |
94f725 |
unencrypted device. The reason for that is that encryption has an error
|
|
Packit |
94f725 |
amplification property: If you flip one bit in an encrypted data block,
|
|
Packit |
94f725 |
the decrypted version has half of its bits flipped. This is actually an
|
|
Packit |
94f725 |
important security property for modern ciphers. With the usual modes in
|
|
Packit |
94f725 |
cryptsetup (CBC, ESSIV, XTS), you can get a completely changed 512 byte
|
|
Packit |
94f725 |
block for a bit error. A corrupt block causes a lot more havoc than the
|
|
Packit |
94f725 |
occasionally flipped single bit and can result in various obscure
|
|
Packit |
94f725 |
errors.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note that a verify run on copying between encrypted or unencrypted
|
|
Packit |
94f725 |
devices will reliably detect corruption, even when the copying itself
|
|
Packit |
94f725 |
did not report any problems. If you find defect RAM, assume all backups
|
|
Packit |
94f725 |
and copied data to be suspect, unless you did a verify.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 4.4 How do I test RAM?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
First you should know that overclocking often makes memory problems
|
|
Packit |
94f725 |
worse. So if you overclock (which I strongly recommend against in a
|
|
Packit |
94f725 |
system holding data that has any worth), run the tests with the
|
|
Packit |
94f725 |
overclocking active.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There are two good options. One is Memtest86+ and the other is
|
|
Packit |
94f725 |
"memtester" by Charles Cazabon. Memtest86+ requires a reboot and then
|
|
Packit |
94f725 |
takes over the machine, while memtester runs from a root-shell. Both
|
|
Packit |
94f725 |
use different testing methods and I have found problems fast with either
|
|
Packit |
94f725 |
one that the other needed long to find. I recommend running the
|
|
Packit |
94f725 |
following procedure until the first error is found:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Run Memtest86+ for one cycle
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Run memtester for one cycle (shut down as many other applications
|
|
Packit |
94f725 |
as possible and use the largest memory area you can get)
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Run Memtest86+ for 24h or more
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Run memtester for 24h or more
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If all that does not produce error messages, your RAM may be sound,
|
|
Packit |
94f725 |
but I have had one weak bit in the past that Memtest86+ needed around
|
|
Packit |
94f725 |
60 hours to find. If you can reproduce the original problem reliably,
|
|
Packit |
94f725 |
a good additional test may be to remove half of the RAM (if you have
|
|
Packit |
94f725 |
more than one module) and try whether the problem is still there and if
|
|
Packit |
94f725 |
so, try with the other half. If you just have one module, get a
|
|
Packit |
94f725 |
different one and try with that. If you do overclocking, reduce the
|
|
Packit |
94f725 |
settings to the most conservative ones available and try with that.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 4.5 Is there a risk using debugging tools like strace?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There most definitely is. A dump from strace and friends can contain
|
|
Packit |
94f725 |
all data entered, including the full passphrase. Example with strace
|
|
Packit |
94f725 |
and passphrase "test":
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
> strace cryptsetup luksOpen /dev/sda10 c1
|
|
Packit |
94f725 |
...
|
|
Packit |
94f725 |
read(6, "test\n", 512) = 5
|
|
Packit |
94f725 |
...
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Depending on different factors and the tool used, the passphrase may
|
|
Packit |
94f725 |
also be encoded and not plainly visible. Hence it is never a good idea
|
|
Packit |
94f725 |
to give such a trace from a live container to anybody. Recreate the
|
|
Packit |
94f725 |
problem with a test container or set a temporary passphrase like "test"
|
|
Packit |
94f725 |
and use that for the trace generation. Item 2.6 explains how to create
|
|
Packit |
94f725 |
a loop-file backed LUKS container that may come in handy for this
|
|
Packit |
94f725 |
purpose.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
See also Item 6.10 for another set of data you should not give to
|
|
Packit |
94f725 |
others.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
5. Security Aspects
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.1 How long is a secure passphrase ?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This is just the short answer. For more info and explanation of some of
|
|
Packit |
94f725 |
the terms used in this item, read the rest of Section 5. The actual
|
|
Packit |
94f725 |
recommendation is at the end of this item.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
First, passphrase length is not really the right measure, passphrase
|
|
Packit |
94f725 |
entropy is. If your passphrase is 200 times the letter "a", it is long
|
|
Packit |
94f725 |
but has very low entropy and is pretty insecure.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For example, a random lowercase letter (a-z) gives you 4.7 bit of
|
|
Packit |
94f725 |
entropy, one element of a-z0-9 gives you 5.2 bits of entropy, an element
|
|
Packit |
94f725 |
of a-zA-Z0-9 gives you 5.9 bits and a-zA-Z0-9!@#$%\^&:-+ gives you 6.2
|
|
Packit |
94f725 |
bits. On the other hand, a random English word only gives you 0.6...1.3
|
|
Packit |
94f725 |
bits of entropy per character. Using sentences that make sense gives
|
|
Packit |
94f725 |
lower entropy, series of random words gives higher entropy. Do not use
|
|
Packit |
94f725 |
sentences that can be tied to you or found on your computer. This type
|
|
Packit |
94f725 |
of attack is done routinely today.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
That said, it does not matter too much what scheme you use, but it does
|
|
Packit |
94f725 |
matter how much entropy your passphrase contains, because an attacker
|
|
Packit |
94f725 |
has to try on average
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
1/2 * 2^(bits of entropy in passphrase)
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
different passphrases to guess correctly.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Historically, estimations tended to use computing time estimates, but
|
|
Packit |
94f725 |
more modern approaches try to estimate cost of guessing a passphrase.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
As an example, I will try to get an estimate from the numbers in
|
|
Packit |
94f725 |
https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40 This
|
|
Packit |
94f725 |
thing costs 23kUSD and does 68Ghashes/sec for SHA1. This is in 2017.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Incidentally, my older calculation for a machine around 1000 times
|
|
Packit |
94f725 |
slower was off by a factor of about 1000, but in the right direction,
|
|
Packit |
94f725 |
i.e. I estimated the attack to be too easy. Nobody noticed ;-) On the
|
|
Packit |
94f725 |
plus side, the tables are now (2017) pretty much accurate.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
More references can be found a the end of this document. Note that
|
|
Packit |
94f725 |
these are estimates from the defender side, so assuming something is
|
|
Packit |
94f725 |
easier than it actually is is fine. An attacker may still have
|
|
Packit |
94f725 |
significantly higher cost than estimated here.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS1 used SHA1 (since version 1.7.0 it uses SHA256) for hashing per
|
|
Packit |
94f725 |
default. We will leave aside the check whether a try actually decrypts
|
|
Packit |
94f725 |
a key-slot. I will assume a useful lifetime of the hardware of 2 years.
|
|
Packit |
94f725 |
(This is on the low side.) Disregarding downtime, the machine can then
|
|
Packit |
94f725 |
break
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
N = 68*10^9 * 3600 * 24 * 365 * 2 ~ 4*10^18
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
passphrases for EUR/USD 23k. That is one 62 bit passphrase hashed once
|
|
Packit |
94f725 |
with SHA1 for EUR/USD 23k. This can be parallelized, it can be done
|
|
Packit |
94f725 |
faster than 2 years with several of these machines.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For LUKS2, things look a bit better, as the advantage of using graphics
|
|
Packit |
94f725 |
cards is massively reduced. Using the recommendations below should
|
|
Packit |
94f725 |
hence be fine for LUKS2 as well and give a better security margin.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For plain dm-crypt (no hash iteration) this is it. This gives (with
|
|
Packit |
94f725 |
SHA1, plain dm-crypt default is ripemd160 which seems to be slightly
|
|
Packit |
94f725 |
slower than SHA1):
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Passphrase entropy Cost to break
|
|
Packit |
94f725 |
60 bit EUR/USD 6k
|
|
Packit |
94f725 |
65 bit EUR/USD 200K
|
|
Packit |
94f725 |
70 bit EUR/USD 6M
|
|
Packit |
94f725 |
75 bit EUR/USD 200M
|
|
Packit |
94f725 |
80 bit EUR/USD 6B
|
|
Packit |
94f725 |
85 bit EUR/USD 200B
|
|
Packit |
94f725 |
... ...
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For LUKS1, you have to take into account hash iteration in PBKDF2.
|
|
Packit |
94f725 |
For a current CPU, there are about 100k iterations (as can be queried
|
|
Packit |
94f725 |
with ''cryptsetup luksDump''.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The table above then becomes:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Passphrase entropy Cost to break
|
|
Packit |
94f725 |
50 bit EUR/USD 600k
|
|
Packit |
94f725 |
55 bit EUR/USD 20M
|
|
Packit |
94f725 |
60 bit EUR/USD 600M
|
|
Packit |
94f725 |
65 bit EUR/USD 20B
|
|
Packit |
94f725 |
70 bit EUR/USD 600B
|
|
Packit |
94f725 |
75 bit EUR/USD 20T
|
|
Packit |
94f725 |
... ...
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Recommendation:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
To get reasonable security for the next 10 years, it is a good idea
|
|
Packit |
94f725 |
to overestimate by a factor of at least 1000.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Then there is the question of how much the attacker is willing to spend.
|
|
Packit |
94f725 |
That is up to your own security evaluation. For general use, I will
|
|
Packit |
94f725 |
assume the attacker is willing to spend up to 1 million EUR/USD. Then
|
|
Packit |
94f725 |
we get the following recommendations:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Plain dm-crypt: Use > 80 bit. That is e.g. 17 random chars from a-z
|
|
Packit |
94f725 |
or a random English sentence of > 135 characters length.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS1 and LUKS2: Use > 65 bit. That is e.g. 14 random chars from a-z
|
|
Packit |
94f725 |
or a random English sentence of > 108 characters length.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If paranoid, add at least 20 bit. That is roughly four additional
|
|
Packit |
94f725 |
characters for random passphrases and roughly 32 characters for a
|
|
Packit |
94f725 |
random English sentence.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.2 Is LUKS insecure? Everybody can see I have encrypted data!
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
In practice it does not really matter. In most civilized countries you
|
|
Packit |
94f725 |
can just refuse to hand over the keys, no harm done. In some countries
|
|
Packit |
94f725 |
they can force you to hand over the keys if they suspect encryption.
|
|
Packit |
94f725 |
The suspicion is enough, they do not have to prove anything. This is
|
|
Packit |
94f725 |
for practical reasons, as even the presence of a header (like the LUKS
|
|
Packit |
94f725 |
header) is not enough to prove that you have any keys. It might have
|
|
Packit |
94f725 |
been an experiment, for example. Or it was used as encrypted swap with
|
|
Packit |
94f725 |
a key from /dev/random. So they make you prove you do not have
|
|
Packit |
94f725 |
encrypted data. Of course, if true, that is impossible and hence the
|
|
Packit |
94f725 |
whole idea is not compatible with fair laws. Note that in this context,
|
|
Packit |
94f725 |
countries like the US or the UK are not civilized and do not have fair
|
|
Packit |
94f725 |
laws.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This means that if you have a large set of random-looking data, they can
|
|
Packit |
94f725 |
already lock you up. Hidden containers (encryption hidden within
|
|
Packit |
94f725 |
encryption), as possible with Truecrypt, do not help either. They will
|
|
Packit |
94f725 |
just assume the hidden container is there and unless you hand over the
|
|
Packit |
94f725 |
key, you will stay locked up. Don't have a hidden container? Though
|
|
Packit |
94f725 |
luck. Anybody could claim that.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Still, if you are concerned about the LUKS header, use plain dm-crypt
|
|
Packit |
94f725 |
with a good passphrase. See also Section 2, "What is the difference
|
|
Packit |
94f725 |
between "plain" and LUKS format?"
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.3 Should I initialize (overwrite) a new LUKS/dm-crypt partition?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you just create a filesystem on it, most of the old data will still
|
|
Packit |
94f725 |
be there. If the old data is sensitive, you should overwrite it before
|
|
Packit |
94f725 |
encrypting. In any case, not initializing will leave the old data there
|
|
Packit |
94f725 |
until the specific sector gets written. That may enable an attacker to
|
|
Packit |
94f725 |
determine how much and where on the partition data was written. If you
|
|
Packit |
94f725 |
think this is a risk, you can prevent this by overwriting the encrypted
|
|
Packit |
94f725 |
device (here assumed to be named "e1") with zeros like this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
dd_rescue -w /dev/zero /dev/mapper/e1
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
or alternatively with one of the following more standard commands:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cat /dev/zero > /dev/mapper/e1
|
|
Packit |
94f725 |
dd if=/dev/zero of=/dev/mapper/e1
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.4 How do I securely erase a LUKS container?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For LUKS, if you are in a desperate hurry, overwrite the LUKS header and
|
|
Packit |
94f725 |
key-slot area. For LUKS1 and LUKS2, just be generous and overwrite the
|
|
Packit |
94f725 |
first 100MB. A single overwrite with zeros should be enough. If you
|
|
Packit |
94f725 |
anticipate being in a desperate hurry, prepare the command beforehand.
|
|
Packit |
94f725 |
Example with /dev/sde1 as the LUKS partition and default parameters:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
head -c 100000000 /dev/zero > /dev/sde1; sync
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
A LUKS header backup or full backup will still grant access to most or
|
|
Packit |
94f725 |
all data, so make sure that an attacker does not have access to backups
|
|
Packit |
94f725 |
or destroy them as well.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Also note that SSDs and also some HDDs (SMR and hybrid HDDs, for
|
|
Packit |
94f725 |
example) may not actually overwrite the header and only do that an
|
|
Packit |
94f725 |
unspecified and possibly very long time later. The only way to be sure
|
|
Packit |
94f725 |
there is physical destruction. If the situation permits, do both
|
|
Packit |
94f725 |
overwrite and physical destruction.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you have time, overwrite the whole drive with a single pass of random
|
|
Packit |
94f725 |
data. This is enough for most HDDs. For SSDs or FLASH (USB sticks) or
|
|
Packit |
94f725 |
SMR or hybrid drives, you may want to overwrite the whole drive several
|
|
Packit |
94f725 |
times to be sure data is not retained. This is possibly still insecure
|
|
Packit |
94f725 |
as the respective technologies are not fully understood in this regard.
|
|
Packit |
94f725 |
Still, due to the anti-forensic properties of the LUKS key-slots, a
|
|
Packit |
94f725 |
single overwrite could be enough. If in doubt, use physical destruction
|
|
Packit |
94f725 |
in addition. Here is a link to some current research results on erasing
|
|
Packit |
94f725 |
SSDs and FLASH drives:
|
|
Packit |
94f725 |
http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Keep in mind to also erase all backups.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Example for a random-overwrite erase of partition sde1 done with
|
|
Packit |
94f725 |
dd_rescue:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
dd_rescue -w /dev/urandom /dev/sde1
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.5 How do I securely erase a backup of a LUKS partition or header?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
That depends on the medium it is stored on. For HDD and SSD, use
|
|
Packit |
94f725 |
overwrite with random data. For an SSD, FLASH drive (USB stick) hybrid
|
|
Packit |
94f725 |
HDD or SMR HDD, you may want to overwrite the complete drive several
|
|
Packit |
94f725 |
times and use physical destruction in addition, see last item. For
|
|
Packit |
94f725 |
re-writable CD/DVD, a single overwrite should be enough, due to the
|
|
Packit |
94f725 |
anti-forensic properties of the LUKS keyslots. For write-once media,
|
|
Packit |
94f725 |
use physical destruction. For low security requirements, just cut the
|
|
Packit |
94f725 |
CD/DVD into several parts. For high security needs, shred or burn the
|
|
Packit |
94f725 |
medium.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If your backup is on magnetic tape, I advise physical destruction by
|
|
Packit |
94f725 |
shredding or burning, after (!) overwriting . The problem with magnetic
|
|
Packit |
94f725 |
tape is that it has a higher dynamic range than HDDs and older data may
|
|
Packit |
94f725 |
well be recoverable after overwrites. Also write-head alignment issues
|
|
Packit |
94f725 |
can lead to data not actually being deleted during overwrites.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The best option is to actually encrypt the backup, for example with
|
|
Packit |
94f725 |
PGP/GnuPG and then just destroy all copies of the encryption key if
|
|
Packit |
94f725 |
needed. Best keep them on paper, as that has excellent durability and
|
|
Packit |
94f725 |
secure destruction is easy, for example by burning and then crushing the
|
|
Packit |
94f725 |
ashes to a fine powder. A blender and water also works nicely.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.6 What about backup? Does it compromise security?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
That depends. See item 6.7.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.7 Why is all my data permanently gone if I overwrite the LUKS header?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Overwriting the LUKS header in part or in full is the most common reason
|
|
Packit |
94f725 |
why access to LUKS containers is lost permanently. Overwriting can be
|
|
Packit |
94f725 |
done in a number of fashions, like creating a new filesystem on the raw
|
|
Packit |
94f725 |
LUKS partition, making the raw partition part of a raid array and just
|
|
Packit |
94f725 |
writing to the raw partition.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The LUKS1 header contains a 256 bit "salt" per key-slot and without that
|
|
Packit |
94f725 |
no decryption is possible. While the salts are not secret, they are
|
|
Packit |
94f725 |
key-grade material and cannot be reconstructed. This is a
|
|
Packit |
94f725 |
cryptographically strong "cannot". From observations on the cryptsetup
|
|
Packit |
94f725 |
mailing-list, people typically go though the usual stages of grief
|
|
Packit |
94f725 |
(Denial, Anger, Bargaining, Depression, Acceptance) when this happens to
|
|
Packit |
94f725 |
them. Observed times vary between 1 day and 2 weeks to complete the
|
|
Packit |
94f725 |
cycle. Seeking help on the mailing-list is fine. Even if we usually
|
|
Packit |
94f725 |
cannot help with getting back your data, most people found the feedback
|
|
Packit |
94f725 |
comforting.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If your header does not contain an intact key-slot salt, best go
|
|
Packit |
94f725 |
directly to the last stage ("Acceptance") and think about what to do
|
|
Packit |
94f725 |
now. There is one exception that I know of: If your LUKS1 container is
|
|
Packit |
94f725 |
still open, then it may be possible to extract the master key from the
|
|
Packit |
94f725 |
running system. See Item "How do I recover the master key from a mapped
|
|
Packit |
94f725 |
LUKS1 container?" in Section "Backup and Data Recovery".
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For LUKS2, things are both better and worse. First, the salts are in a
|
|
Packit |
94f725 |
less vulnerable position now. But, on the other hand, the keys of a
|
|
Packit |
94f725 |
mapped (open) container are now stored in the kernel key-store, and
|
|
Packit |
94f725 |
while there probably is some way to get them out of there, I am not sure
|
|
Packit |
94f725 |
how much effort that needs.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.8 What is a "salt"?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
A salt is a random key-grade value added to the passphrase before it is
|
|
Packit |
94f725 |
processed. It is not kept secret. The reason for using salts is as
|
|
Packit |
94f725 |
follows: If an attacker wants to crack the password for a single LUKS
|
|
Packit |
94f725 |
container, then every possible passphrase has to be tried. Typically an
|
|
Packit |
94f725 |
attacker will not try every binary value, but will try words and
|
|
Packit |
94f725 |
sentences from a dictionary.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If an attacker wants to attack several LUKS containers with the same
|
|
Packit |
94f725 |
dictionary, then a different approach makes sense: Compute the resulting
|
|
Packit |
94f725 |
slot-key for each dictionary element and store it on disk. Then the
|
|
Packit |
94f725 |
test for each entry is just the slow unlocking with the slot key (say
|
|
Packit |
94f725 |
0.00001 sec) instead of calculating the slot-key first (1 sec). For a
|
|
Packit |
94f725 |
single attack, this does not help. But if you have more than one
|
|
Packit |
94f725 |
container to attack, this helps tremendously, also because you can
|
|
Packit |
94f725 |
prepare your table before you even have the container to attack! The
|
|
Packit |
94f725 |
calculation is also very simple to parallelize. You could, for example,
|
|
Packit |
94f725 |
use the night-time unused CPU power of your desktop PCs for this.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This is where the salt comes in. If the salt is combined with the
|
|
Packit |
94f725 |
passphrase (in the simplest form, just appended to it), you suddenly
|
|
Packit |
94f725 |
need a separate table for each salt value. With a reasonably-sized salt
|
|
Packit |
94f725 |
value (256 bit, e.g.) this is quite infeasible.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.9 Is LUKS secure with a low-entropy (bad) passphrase?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Short answer: yes. Do not use a low-entropy passphrase.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note: For LUKS2, protection for bad passphrases is a bit better
|
|
Packit |
94f725 |
due to the use of Argon2, but that is only a gradual improvement.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Longer answer:
|
|
Packit |
94f725 |
This needs a bit of theory. The quality of your passphrase is directly
|
|
Packit |
94f725 |
related to its entropy (information theoretic, not thermodynamic). The
|
|
Packit |
94f725 |
entropy says how many bits of "uncertainty" or "randomness" are in you
|
|
Packit |
94f725 |
passphrase. In other words, that is how difficult guessing the
|
|
Packit |
94f725 |
passphrase is.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Example: A random English sentence has about 1 bit of entropy per
|
|
Packit |
94f725 |
character. A random lowercase (or uppercase) character has about 4.7
|
|
Packit |
94f725 |
bit of entropy.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Now, if n is the number of bits of entropy in your passphrase and t
|
|
Packit |
94f725 |
is the time it takes to process a passphrase in order to open the
|
|
Packit |
94f725 |
LUKS container, then an attacker has to spend at maximum
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
attack_time_max = 2^n * t
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
time for a successful attack and on average half that. There is no way
|
|
Packit |
94f725 |
getting around that relationship. However, there is one thing that does
|
|
Packit |
94f725 |
help, namely increasing t, the time it takes to use a passphrase, see
|
|
Packit |
94f725 |
next FAQ item.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Still, if you want good security, a high-entropy passphrase is the only
|
|
Packit |
94f725 |
option. For example, a low-entropy passphrase can never be considered
|
|
Packit |
94f725 |
secure against a TLA-level (Three Letter Agency level, i.e.
|
|
Packit |
94f725 |
government-level) attacker, no matter what tricks are used in the
|
|
Packit |
94f725 |
key-derivation function. Use at least 64 bits for secret stuff. That
|
|
Packit |
94f725 |
is 64 characters of English text (but only if randomly chosen) or a
|
|
Packit |
94f725 |
combination of 12 truly random letters and digits.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For passphrase generation, do not use lines from very well-known texts
|
|
Packit |
94f725 |
(religious texts, Harry potter, etc.) as they are too easy to guess.
|
|
Packit |
94f725 |
For example, the total Harry Potter has about 1'500'000 words (my
|
|
Packit |
94f725 |
estimation). Trying every 64 character sequence starting and ending at
|
|
Packit |
94f725 |
a word boundary would take only something like 20 days on a single CPU
|
|
Packit |
94f725 |
and is entirely feasible. To put that into perspective, using a number
|
|
Packit |
94f725 |
of Amazon EC2 High-CPU Extra Large instances (each gives about 8 real
|
|
Packit |
94f725 |
cores), this test costs currently about 50USD/EUR, but can be made to
|
|
Packit |
94f725 |
run arbitrarily fast.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
On the other hand, choosing 1.5 lines from, say, the Wheel of Time, is
|
|
Packit |
94f725 |
in itself not more secure, but the book selection adds quite a bit of
|
|
Packit |
94f725 |
entropy. (Now that I have mentioned it here, don't use tWoT either!) If
|
|
Packit |
94f725 |
you add 2 or 3 typos and switch some words around, then this is good
|
|
Packit |
94f725 |
passphrase material.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.10 What is "iteration count" and why is decreasing it a bad idea?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS1:
|
|
Packit |
94f725 |
Iteration count is the number of PBKDF2 iterations a passphrase is put
|
|
Packit |
94f725 |
through before it is used to unlock a key-slot. Iterations are done
|
|
Packit |
94f725 |
with the explicit purpose to increase the time that it takes to unlock a
|
|
Packit |
94f725 |
key-slot. This provides some protection against use of low-entropy
|
|
Packit |
94f725 |
passphrases.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The idea is that an attacker has to try all possible passphrases. Even
|
|
Packit |
94f725 |
if the attacker knows the passphrase is low-entropy (see last item), it
|
|
Packit |
94f725 |
is possible to make each individual try take longer. The way to do this
|
|
Packit |
94f725 |
is to repeatedly hash the passphrase for a certain time. The attacker
|
|
Packit |
94f725 |
then has to spend the same time (given the same computing power) as the
|
|
Packit |
94f725 |
user per try. With LUKS1, the default is 1 second of PBKDF2 hashing.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Example 1: Lets assume we have a really bad passphrase (e.g. a
|
|
Packit |
94f725 |
girlfriends name) with 10 bits of entropy. With the same CPU, an
|
|
Packit |
94f725 |
attacker would need to spend around 500 seconds on average to break that
|
|
Packit |
94f725 |
passphrase. Without iteration, it would be more like 0.0001 seconds on
|
|
Packit |
94f725 |
a modern CPU.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Example 2: The user did a bit better and has 32 chars of English text.
|
|
Packit |
94f725 |
That would be about 32 bits of entropy. With 1 second iteration, that
|
|
Packit |
94f725 |
means an attacker on the same CPU needs around 136 years. That is
|
|
Packit |
94f725 |
pretty impressive for such a weak passphrase. Without the iterations,
|
|
Packit |
94f725 |
it would be more like 50 days on a modern CPU, and possibly far less.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
In addition, the attacker can both parallelize and use special hardware
|
|
Packit |
94f725 |
like GPUs or FPGAs to speed up the attack. The attack can also happen
|
|
Packit |
94f725 |
quite some time after the luksFormat operation and CPUs can have become
|
|
Packit |
94f725 |
faster and cheaper. For that reason you want a bit of extra security.
|
|
Packit |
94f725 |
Anyways, in Example 1 your are screwed. In example 2, not necessarily.
|
|
Packit |
94f725 |
Even if the attack is faster, it still has a certain cost associated
|
|
Packit |
94f725 |
with it, say 10000 EUR/USD with iteration and 1 EUR/USD without
|
|
Packit |
94f725 |
iteration. The first can be prohibitively expensive, while the second
|
|
Packit |
94f725 |
is something you try even without solid proof that the decryption will
|
|
Packit |
94f725 |
yield something useful.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The numbers above are mostly made up, but show the idea. Of course the
|
|
Packit |
94f725 |
best thing is to have a high-entropy passphrase.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Would a 100 sec iteration time be even better? Yes and no.
|
|
Packit |
94f725 |
Cryptographically it would be a lot better, namely 100 times better.
|
|
Packit |
94f725 |
However, usability is a very important factor for security technology
|
|
Packit |
94f725 |
and one that gets overlooked surprisingly often. For LUKS, if you have
|
|
Packit |
94f725 |
to wait 2 minutes to unlock the LUKS container, most people will not
|
|
Packit |
94f725 |
bother and use less secure storage instead. It is better to have less
|
|
Packit |
94f725 |
protection against low-entropy passphrases and people actually use LUKS,
|
|
Packit |
94f725 |
than having them do without encryption altogether.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Now, what about decreasing the iteration time? This is generally a very
|
|
Packit |
94f725 |
bad idea, unless you know and can enforce that the users only use
|
|
Packit |
94f725 |
high-entropy passphrases. If you decrease the iteration time without
|
|
Packit |
94f725 |
ensuring that, then you put your users at increased risk, and
|
|
Packit |
94f725 |
considering how rarely LUKS containers are unlocked in a typical
|
|
Packit |
94f725 |
work-flow, you do so without a good reason. Don't do it. The iteration
|
|
Packit |
94f725 |
time is already low enough that users with low entropy passphrases are
|
|
Packit |
94f725 |
vulnerable. Lowering it even further increases this danger
|
|
Packit |
94f725 |
significantly.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS2: Pretty much the same reasoning applies. The advantages of using
|
|
Packit |
94f725 |
GPUs or FPGAs in an attack have been significantly reduced, but that
|
|
Packit |
94f725 |
is the only main difference.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.11 Some people say PBKDF2 is insecure?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There is some discussion that a hash-function should have a "large
|
|
Packit |
94f725 |
memory" property, i.e. that it should require a lot of memory to be
|
|
Packit |
94f725 |
computed. This serves to prevent attacks using special programmable
|
|
Packit |
94f725 |
circuits, like FPGAs, and attacks using graphics cards. PBKDF2 does not
|
|
Packit |
94f725 |
need a lot of memory and is vulnerable to these attacks. However, the
|
|
Packit |
94f725 |
publication usually referred in these discussions is not very convincing
|
|
Packit |
94f725 |
in proving that the presented hash really is "large memory" (that may
|
|
Packit |
94f725 |
change, email the FAQ maintainer when it does) and it is of limited
|
|
Packit |
94f725 |
usefulness anyways. Attackers that use clusters of normal PCs will not
|
|
Packit |
94f725 |
be affected at all by a "large memory" property. For example the US
|
|
Packit |
94f725 |
Secret Service is known to use the off-hour time of all the office PCs
|
|
Packit |
94f725 |
of the Treasury for password breaking. The Treasury has about 110'000
|
|
Packit |
94f725 |
employees. Assuming every one has an office PC, that is significant
|
|
Packit |
94f725 |
computing power, all of it with plenty of memory for computing "large
|
|
Packit |
94f725 |
memory" hashes. Bot-net operators also have all the memory they want.
|
|
Packit |
94f725 |
The only protection against a resourceful attacker is a high-entropy
|
|
Packit |
94f725 |
passphrase, see items 5.9 and 5.10.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
That said, LUKS2 defaults to Argon2, which has a large-memory property
|
|
Packit |
94f725 |
and massively reduces the advantages of GPUs and FPGAs.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.12 What about iteration count with plain dm-crypt?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Simple: There is none. There is also no salting. If you use plain
|
|
Packit |
94f725 |
dm-crypt, the only way to be secure is to use a high entropy passphrase.
|
|
Packit |
94f725 |
If in doubt, use LUKS instead.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.13 Is LUKS with default parameters less secure on a slow CPU?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Unfortunately, yes. However the only aspect affected is the protection
|
|
Packit |
94f725 |
for low-entropy passphrase or master-key. All other security aspects
|
|
Packit |
94f725 |
are independent of CPU speed.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The master key is less critical, as you really have to work at it to
|
|
Packit |
94f725 |
give it low entropy. One possibility to mess this up is to supply the
|
|
Packit |
94f725 |
master key yourself. If that key is low-entropy, then you get what you
|
|
Packit |
94f725 |
deserve. The other known possibility to create a LUKS container with a
|
|
Packit |
94f725 |
bad master key is to use /dev/urandom for key generation in an
|
|
Packit |
94f725 |
entropy-starved situation (e.g. automatic installation on an embedded
|
|
Packit |
94f725 |
device without network and other entropy sources or installation in a VM
|
|
Packit |
94f725 |
under certain circumstances).
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For the passphrase, don't use a low-entropy passphrase. If your
|
|
Packit |
94f725 |
passphrase is good, then a slow CPU will not matter. If you insist on a
|
|
Packit |
94f725 |
low-entropy passphrase on a slow CPU, use something like
|
|
Packit |
94f725 |
"--iter-time=10000" or higher and wait a long time on each LUKS unlock
|
|
Packit |
94f725 |
and pray that the attacker does not find out in which way exactly your
|
|
Packit |
94f725 |
passphrase is low entropy. This also applies to low-entropy passphrases
|
|
Packit |
94f725 |
on fast CPUs. Technology can do only so much to compensate for problems
|
|
Packit |
94f725 |
in front of the keyboard.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Also note that power-saving modes will make your CPU slower. This will
|
|
Packit |
94f725 |
reduce iteration count on LUKS container creation. It will keep unlock
|
|
Packit |
94f725 |
times at the expected values though at this CPU speed.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.14 Why was the default aes-cbc-plain replaced with aes-cbc-essiv?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note: This item applies both to plain dm-crypt and to LUKS
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The problem is that cbc-plain has a fingerprint vulnerability, where a
|
|
Packit |
94f725 |
specially crafted file placed into the crypto-container can be
|
|
Packit |
94f725 |
recognized from the outside. The issue here is that for cbc-plain the
|
|
Packit |
94f725 |
initialization vector (IV) is the sector number. The IV gets XORed to
|
|
Packit |
94f725 |
the first data chunk of the sector to be encrypted. If you make sure
|
|
Packit |
94f725 |
that the first data block to be stored in a sector contains the sector
|
|
Packit |
94f725 |
number as well, the first data block to be encrypted is all zeros and
|
|
Packit |
94f725 |
always encrypted to the same ciphertext. This also works if the first
|
|
Packit |
94f725 |
data chunk just has a constant XOR with the sector number. By having
|
|
Packit |
94f725 |
several shifted patterns you can take care of the case of a
|
|
Packit |
94f725 |
non-power-of-two start sector number of the file.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This mechanism allows you to create a pattern of sectors that have the
|
|
Packit |
94f725 |
same first ciphertext block and signal one bit per sector to the
|
|
Packit |
94f725 |
outside, allowing you to e.g. mark media files that way for recognition
|
|
Packit |
94f725 |
without decryption. For large files this is a practical attack. For
|
|
Packit |
94f725 |
small ones, you do not have enough blocks to signal and take care of
|
|
Packit |
94f725 |
different file starting offsets.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
In order to prevent this attack, the default was changed to cbc-essiv.
|
|
Packit |
94f725 |
ESSIV uses a keyed hash of the sector number, with the encryption key as
|
|
Packit |
94f725 |
key. This makes the IV unpredictable without knowing the encryption key
|
|
Packit |
94f725 |
and the watermarking attack fails.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.15 Are there any problems with "plain" IV? What is "plain64"?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
First, "plain" and "plain64" are both not secure to use with CBC, see
|
|
Packit |
94f725 |
previous FAQ item.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
However there are modes, like XTS, that are secure with "plain" IV. The
|
|
Packit |
94f725 |
next limit is that "plain" is 64 bit, with the upper 32 bit set to zero.
|
|
Packit |
94f725 |
This means that on volumes larger than 2TiB, the IV repeats, creating a
|
|
Packit |
94f725 |
vulnerability that potentially leaks some data. To avoid this, use
|
|
Packit |
94f725 |
"plain64", which uses the full sector number up to 64 bit. Note that
|
|
Packit |
94f725 |
"plain64" requires a kernel 2.6.33 or more recent. Also note that
|
|
Packit |
94f725 |
"plain64" is backwards compatible for volume sizes of maximum size 2TiB,
|
|
Packit |
94f725 |
but not for those > 2TiB. Finally, "plain64" does not cause any
|
|
Packit |
94f725 |
performance penalty compared to "plain".
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.16 What about XTS mode?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
XTS mode is potentially even more secure than cbc-essiv (but only if
|
|
Packit |
94f725 |
cbc-essiv is insecure in your scenario). It is a NIST standard and
|
|
Packit |
94f725 |
used, e.g. in Truecrypt. From version 1.6.0 of cryptsetup onwards,
|
|
Packit |
94f725 |
aes-xts-plain64 is the default for LUKS. If you want to use it with a
|
|
Packit |
94f725 |
cryptsetup before version 1.6.0 or with plain dm-crypt, you have to
|
|
Packit |
94f725 |
specify it manually as "aes-xts-plain", i.e.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup -c aes-xts-plain luksFormat <device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For volumes >2TiB and kernels >= 2.6.33 use "plain64" (see FAQ item
|
|
Packit |
94f725 |
on "plain" and "plain64"):
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup -c aes-xts-plain64 luksFormat <device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There is a potential security issue with XTS mode and large blocks.
|
|
Packit |
94f725 |
LUKS and dm-crypt always use 512B blocks and the issue does not apply.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.17 Is LUKS FIPS-140-2 certified?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
No. But that is more a problem of FIPS-140-2 than of LUKS. From a
|
|
Packit |
94f725 |
technical point-of-view, LUKS with the right parameters would be
|
|
Packit |
94f725 |
FIPS-140-2 compliant, but in order to make it certified, somebody has to
|
|
Packit |
94f725 |
pay real money for that. And then, whenever cryptsetup is changed or
|
|
Packit |
94f725 |
extended, the certification lapses and has to be obtained again.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
From the aspect of actual security, LUKS with default parameters should
|
|
Packit |
94f725 |
be as good as most things that are FIPS-140-2 certified, although you
|
|
Packit |
94f725 |
may want to make sure to use /dev/random (by specifying --use-random on
|
|
Packit |
94f725 |
luksFormat) as randomness source for the master key to avoid being
|
|
Packit |
94f725 |
potentially insecure in an entropy-starved situation.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.18 What about Plausible Deniability?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
First let me attempt a definition for the case of encrypted filesystems:
|
|
Packit |
94f725 |
Plausible deniability is when you store data inside an encrypted
|
|
Packit |
94f725 |
container and it is not possible to prove it is there without having a
|
|
Packit |
94f725 |
special passphrase. And at the same time it must be "plausible" that
|
|
Packit |
94f725 |
there actually is no hidden data there.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
As a simple entropy-analysis will show that here may be data there, the
|
|
Packit |
94f725 |
second part is what makes it tricky.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There seem to be a lot of misunderstandings about this idea, so let me
|
|
Packit |
94f725 |
make it clear that this refers to the situation where the attackers can
|
|
Packit |
94f725 |
prove that there is data that either may be random or may be part of a
|
|
Packit |
94f725 |
plausible-deniability scheme, they just cannot prove which one it is.
|
|
Packit |
94f725 |
Hence a plausible-deniability scheme must hold up when the attackers
|
|
Packit |
94f725 |
know there is something potentially fishy. If you just hide data and
|
|
Packit |
94f725 |
rely on it not being found, that is just simple deniability, not
|
|
Packit |
94f725 |
"plausible" deniability and I am not talking about that in the
|
|
Packit |
94f725 |
following. Simple deniability against a low-competence attacker may be
|
|
Packit |
94f725 |
as simple as renaming a file or putting data into an unused part of a
|
|
Packit |
94f725 |
disk. Simple deniability against a high-skill attacker with time to
|
|
Packit |
94f725 |
invest is usually pointless unless you go for advanced steganographic
|
|
Packit |
94f725 |
techniques, which have their own drawbacks, such as low data capacity.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Now, the idea of plausible deniability is compelling and on a first
|
|
Packit |
94f725 |
glance it seems possible to do it. And from a cryptographic point of
|
|
Packit |
94f725 |
view, it actually is possible.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
So, does the idea work in practice? No, unfortunately. The reasoning
|
|
Packit |
94f725 |
used by its proponents is fundamentally flawed in several ways and the
|
|
Packit |
94f725 |
cryptographic properties fail fatally when colliding with the real
|
|
Packit |
94f725 |
world.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
First, why should "I do not have a hidden partition" be any more
|
|
Packit |
94f725 |
plausible than "I forgot my crypto key" or "I wiped that partition with
|
|
Packit |
94f725 |
random data, nothing in there"? I do not see any reason.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Second, there are two types of situations: Either they cannot force you
|
|
Packit |
94f725 |
to give them the key (then you simply do not) or they can. In the
|
|
Packit |
94f725 |
second case, they can always do bad things to you, because they cannot
|
|
Packit |
94f725 |
prove that you have the key in the first place! This means they do not
|
|
Packit |
94f725 |
have to prove you have the key, or that this random looking data on your
|
|
Packit |
94f725 |
disk is actually encrypted data. So the situation will allow them to
|
|
Packit |
94f725 |
waterboard/lock-up/deport you anyways, regardless of how "plausible"
|
|
Packit |
94f725 |
your deniability is. Do not have a hidden partition you could show to
|
|
Packit |
94f725 |
them, but there are indications you may? Too bad for you.
|
|
Packit |
94f725 |
Unfortunately "plausible deniability" also means you cannot prove there
|
|
Packit |
94f725 |
is no hidden data.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Third, hidden partitions are not that hidden. There are basically just
|
|
Packit |
94f725 |
two possibilities: a) Make a large crypto container, but put a smaller
|
|
Packit |
94f725 |
filesystem in there and put the hidden partition into the free space.
|
|
Packit |
94f725 |
Unfortunately this is glaringly obvious and can be detected in an
|
|
Packit |
94f725 |
automated fashion. This means that the initial suspicion to put you
|
|
Packit |
94f725 |
under duress in order to make you reveal your hidden data is given. b)
|
|
Packit |
94f725 |
Make a filesystem that spans the whole encrypted partition, and put the
|
|
Packit |
94f725 |
hidden partition into space not currently used by that filesystem.
|
|
Packit |
94f725 |
Unfortunately that is also glaringly obvious, as you then cannot write
|
|
Packit |
94f725 |
to the filesystem without a high risk of destroying data in the hidden
|
|
Packit |
94f725 |
container. Have not written anything to the encrypted filesystem in a
|
|
Packit |
94f725 |
while? Too bad, they have the suspicion they need to do unpleasant
|
|
Packit |
94f725 |
things to you.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
To be fair, if you prepare option b) carefully and directly before going
|
|
Packit |
94f725 |
into danger, it may work. But then, the mere presence of encrypted data
|
|
Packit |
94f725 |
may already be enough to get you into trouble in those places were they
|
|
Packit |
94f725 |
can demand encryption keys.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Here is an additional reference for some problems with plausible
|
|
Packit |
94f725 |
deniability: http://www.schneier.com/paper-truecrypt-dfs.pdf I strongly
|
|
Packit |
94f725 |
suggest you read it.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
So, no, I will not provide any instructions on how to do it with plain
|
|
Packit |
94f725 |
dm-crypt or LUKS. If you insist on shooting yourself in the foot, you
|
|
Packit |
94f725 |
can figure out how to do it yourself.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.19 What about SSDs, Flash, Hybrid and SMR Drives?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The problem is that you cannot reliably erase parts of these devices,
|
|
Packit |
94f725 |
mainly due to wear-leveling and possibly defect management and delayed
|
|
Packit |
94f725 |
writes to the main data area.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For example for SSDs, when overwriting a sector, what the device does is
|
|
Packit |
94f725 |
to move an internal sector (may be 128kB or even larger) to some pool of
|
|
Packit |
94f725 |
discarded, not-yet erased unused sectors, take a fresh empty sector from
|
|
Packit |
94f725 |
the empty-sector pool and copy the old sector over with the changes to
|
|
Packit |
94f725 |
the small part you wrote. This is done in some fashion so that larger
|
|
Packit |
94f725 |
writes do not cause a lot of small internal updates.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The thing is that the mappings between outside-addressable sectors and
|
|
Packit |
94f725 |
inside sectors is arbitrary (and the vendors are not talking). Also the
|
|
Packit |
94f725 |
discarded sectors are not necessarily erased immediately. They may
|
|
Packit |
94f725 |
linger a long time.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For plain dm-crypt, the consequences are that older encrypted data may
|
|
Packit |
94f725 |
be lying around in some internal pools of the device. Thus may or may
|
|
Packit |
94f725 |
not be a problem and depends on the application. Remember the same can
|
|
Packit |
94f725 |
happen with a filesystem if consecutive writes to the same area of a
|
|
Packit |
94f725 |
file can go to different sectors.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
However, for LUKS, the worst case is that key-slots and LUKS header may
|
|
Packit |
94f725 |
end up in these internal pools. This means that password management
|
|
Packit |
94f725 |
functionality is compromised (the old passwords may still be around,
|
|
Packit |
94f725 |
potentially for a very long time) and that fast erase by overwriting the
|
|
Packit |
94f725 |
header and key-slot area is insecure.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Also keep in mind that the discarded/used pool may be large. For
|
|
Packit |
94f725 |
example, a 240GB SSD has about 16GB of spare area in the chips that it
|
|
Packit |
94f725 |
is free to do with as it likes. You would need to make each individual
|
|
Packit |
94f725 |
key-slot larger than that to allow reliable overwriting. And that
|
|
Packit |
94f725 |
assumes the disk thinks all other space is in use. Reading the internal
|
|
Packit |
94f725 |
pools using forensic tools is not that hard, but may involve some
|
|
Packit |
94f725 |
soldering.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
What to do?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you trust the device vendor (you probably should not...) you can try
|
|
Packit |
94f725 |
an ATA "secure erase" command. That is not present in USB keys though
|
|
Packit |
94f725 |
and may or may not be secure for a hybrid drive.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you can do without password management and are fine with doing
|
|
Packit |
94f725 |
physical destruction for permanently deleting data (always after one or
|
|
Packit |
94f725 |
several full overwrites!), you can use plain dm-crypt.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you want or need all the original LUKS security features to work, you
|
|
Packit |
94f725 |
can use a detached LUKS header and put that on a conventional, magnetic
|
|
Packit |
94f725 |
disk. That leaves potentially old encrypted data in the pools on the
|
|
Packit |
94f725 |
main disk, but otherwise you get LUKS with the same security as on a
|
|
Packit |
94f725 |
traditional magnetic disk. Note however that storage vendors are prone
|
|
Packit |
94f725 |
to lying to their customers. For example, it recently came out that
|
|
Packit |
94f725 |
HDDs sold without any warning or mentioning in the data-sheets were
|
|
Packit |
94f725 |
actually using SMR and that will write data first to a faster area and
|
|
Packit |
94f725 |
only overwrite the original data area some time later when things are
|
|
Packit |
94f725 |
quiet.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you are concerned about your laptop being stolen, you are likely fine
|
|
Packit |
94f725 |
using LUKS on an SSD or hybrid drive. An attacker would need to have
|
|
Packit |
94f725 |
access to an old passphrase (and the key-slot for this old passphrase
|
|
Packit |
94f725 |
would actually need to still be somewhere in the SSD) for your data to
|
|
Packit |
94f725 |
be at risk. So unless you pasted your old passphrase all over the
|
|
Packit |
94f725 |
Internet or the attacker has knowledge of it from some other source and
|
|
Packit |
94f725 |
does a targeted laptop theft to get at your data, you should be fine.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.20 LUKS1 is broken! It uses SHA-1!
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
No, it is not. SHA-1 is (academically) broken for finding collisions,
|
|
Packit |
94f725 |
but not for using it in a key-derivation function. And that collision
|
|
Packit |
94f725 |
vulnerability is for non-iterated use only. And you need the hash-value
|
|
Packit |
94f725 |
in verbatim.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This basically means that if you already have a slot-key, and you have
|
|
Packit |
94f725 |
set the PBKDF2 iteration count to 1 (it is > 10'000 normally), you could
|
|
Packit |
94f725 |
(maybe) derive a different passphrase that gives you the the same
|
|
Packit |
94f725 |
slot-key. But if you have the slot-key, you can already unlock the
|
|
Packit |
94f725 |
key-slot and get the master key, breaking everything. So basically,
|
|
Packit |
94f725 |
this SHA-1 vulnerability allows you to open a LUKS1 container with high
|
|
Packit |
94f725 |
effort when you already have it open.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The real problem here is people that do not understand crypto and claim
|
|
Packit |
94f725 |
things are broken just because some mechanism is used that has been
|
|
Packit |
94f725 |
broken for a specific different use. The way the mechanism is used
|
|
Packit |
94f725 |
matters very much. A hash that is broken for one use can be completely
|
|
Packit |
94f725 |
secure for other uses and here it is.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Since version 1.7.0, cryptsetup uses SHA-256 as default to ensure that
|
|
Packit |
94f725 |
it will be compatible in the future. There are already some systems
|
|
Packit |
94f725 |
where SHA-1 is completely phased out or disabled by a security policy.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.21 Why is there no "Nuke-Option"?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
A "Nuke-Option" or "Kill-switch" is a password that when entered upon
|
|
Packit |
94f725 |
unlocking instead wipes the header and all passwords. So when somebody
|
|
Packit |
94f725 |
forces you to enter your password, you can destroy the data instead.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
While this sounds attractive at first glance, it does not make sense
|
|
Packit |
94f725 |
once a real security analysis is done. One problem is that you have to
|
|
Packit |
94f725 |
have some kind of HSM (Hardware Security Module) in order to implement
|
|
Packit |
94f725 |
it securely. In the movies, a HSM starts to smoke and melt once the
|
|
Packit |
94f725 |
Nuke-Option has been activated. In actual reality, it just wipes some
|
|
Packit |
94f725 |
battery-backed RAM cells. A proper HSM costs something like
|
|
Packit |
94f725 |
20'000...100'000 EUR/USD and there a Nuke-Option may make some sense.
|
|
Packit |
94f725 |
BTW, a chipcard or a TPM is not a HSM, although some vendors are
|
|
Packit |
94f725 |
promoting that myth.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Now, a proper HSMs will have a wipe option but not a Nuke-Option, i.e.
|
|
Packit |
94f725 |
you can explicitly wipe the HSM, but by a different process than
|
|
Packit |
94f725 |
unlocking it takes. Why is that? Simple: If somebody can force you to
|
|
Packit |
94f725 |
reveal passwords, then they can also do bad things to you if you do not
|
|
Packit |
94f725 |
or if you enter a nuke password instead. Think locking you up for a few
|
|
Packit |
94f725 |
years for "destroying evidence" or for far longer and without trial for
|
|
Packit |
94f725 |
being a "terrorist suspect". No HSM maker will want to expose its
|
|
Packit |
94f725 |
customers to that risk.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Now think of the typical LUKS application scenario, i.e. disk
|
|
Packit |
94f725 |
encryption. Usually the ones forcing you to hand over your password
|
|
Packit |
94f725 |
will have access to the disk as well, and, if they have any real
|
|
Packit |
94f725 |
suspicion, they will mirror your disk before entering anything supplied
|
|
Packit |
94f725 |
by you. This neatly negates any Nuke-Option. If they have no suspicion
|
|
Packit |
94f725 |
(just harassing people that cross some border for example), the
|
|
Packit |
94f725 |
Nuke-Option would work, but see above about likely negative consequences
|
|
Packit |
94f725 |
and remember that a Nuke-Option may not work reliably on SSD and hybrid
|
|
Packit |
94f725 |
drives anyways.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Hence my advice is to never take data that you do not want to reveal
|
|
Packit |
94f725 |
into any such situation in the first place. There is no need to
|
|
Packit |
94f725 |
transfer data on physical carriers today. The Internet makes it quite
|
|
Packit |
94f725 |
possible to transfer data between arbitrary places and modern encryption
|
|
Packit |
94f725 |
makes it secure. If you do it right, nobody will even be able to
|
|
Packit |
94f725 |
identify source or destination. (How to do that is out of scope of this
|
|
Packit |
94f725 |
document. It does require advanced skills in this age of pervasive
|
|
Packit |
94f725 |
surveillance.)
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Hence, LUKS has not kill option because it would do much more harm than
|
|
Packit |
94f725 |
good.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Still, if you have a good use-case (i.e. non-abstract real-world
|
|
Packit |
94f725 |
situation) where a Nuke-Option would actually be beneficial, please let
|
|
Packit |
94f725 |
me know.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 5.22 Does cryptsetup open network connections to websites, etc. ?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This question seems not to make much sense at first glance, but here is
|
|
Packit |
94f725 |
an example form the real world: The TrueCrypt GUI has a "Donation"
|
|
Packit |
94f725 |
button. Press it, and a web-connection to the TrueCrypt website is
|
|
Packit |
94f725 |
opened via the default browser, telling everybody that listens that you
|
|
Packit |
94f725 |
use TrueCrypt. In the worst case, things like this can get people
|
|
Packit |
94f725 |
tortured or killed.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
So: Cryptsetup will never open any network connections except the
|
|
Packit |
94f725 |
local netlink socket it needs to talk to the kernel crypto API.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
In addition, the installation package should contain all documentation,
|
|
Packit |
94f725 |
including this FAQ, so that you do not have to go to a web-site to read
|
|
Packit |
94f725 |
it. (If your distro cuts the docu, please complain to them.) In
|
|
Packit |
94f725 |
security software, any connection initiated to anywhere outside your
|
|
Packit |
94f725 |
machine should always be the result of an explicit request for such a
|
|
Packit |
94f725 |
connection by the user and cryptsetup will stay true to that principle.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
6. Backup and Data Recovery
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.1 Why do I need Backup?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
First, disks die. The rate for well-treated (!) disk is about 5% per
|
|
Packit |
94f725 |
year, which is high enough to worry about. There is some indication
|
|
Packit |
94f725 |
that this may be even worse for some SSDs. This applies both to LUKS
|
|
Packit |
94f725 |
and plain dm-crypt partitions.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Second, for LUKS, if anything damages the LUKS header or the key-stripe
|
|
Packit |
94f725 |
area then decrypting the LUKS device can become impossible. This is a
|
|
Packit |
94f725 |
frequent occurrence. For example an accidental format as FAT or some
|
|
Packit |
94f725 |
software overwriting the first sector where it suspects a partition boot
|
|
Packit |
94f725 |
sector typically makes a LUKS1 partition permanently inaccessible. See
|
|
Packit |
94f725 |
more below on LUKS header damage.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
So, data-backup in some form is non-optional. For LUKS, you may also
|
|
Packit |
94f725 |
want to store a header backup in some secure location. This only needs
|
|
Packit |
94f725 |
an update if you change passphrases.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.2 How do I backup a LUKS header?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
While you could just copy the appropriate number of bytes from the start
|
|
Packit |
94f725 |
of the LUKS partition, the best way is to use command option
|
|
Packit |
94f725 |
"luksHeaderBackup" of cryptsetup. This protects also against errors
|
|
Packit |
94f725 |
when non-standard parameters have been used in LUKS partition creation.
|
|
Packit |
94f725 |
Example:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksHeaderBackup --header-backup-file <file> <device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
To restore, use the inverse command, i.e.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksHeaderRestore --header-backup-file <file> <device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you are unsure about a header to be restored, make a backup of the
|
|
Packit |
94f725 |
current one first! You can also test the header-file without restoring
|
|
Packit |
94f725 |
it by using the --header option for a detached header like this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup --header <file> luksOpen <device> </dev/mapper/name>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If that unlocks your keys-lot, you are good. Do not forget to close
|
|
Packit |
94f725 |
the device again.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Under some circumstances (damaged header), this fails. Then use the
|
|
Packit |
94f725 |
following steps in case it is LUKS1:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
First determine the master-key size:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksDump <device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
gives a line of the form
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
MK bits: <bits>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
with bits equal to 256 for the old defaults and 512 for the new
|
|
Packit |
94f725 |
defaults. 256 bits equals a total header size of 1'052'672 Bytes and
|
|
Packit |
94f725 |
512 bits one of 2MiB. (See also Item 6.12) If luksDump fails, assume
|
|
Packit |
94f725 |
2MiB, but be aware that if you restore that, you may also restore the
|
|
Packit |
94f725 |
first 1M or so of the filesystem. Do not change the filesystem if you
|
|
Packit |
94f725 |
were unable to determine the header size! With that, restoring a
|
|
Packit |
94f725 |
too-large header backup is still safe.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Second, dump the header to file. There are many ways to do it, I
|
|
Packit |
94f725 |
prefer the following:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
head -c 1052672 <device> > header_backup.dmp
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
or
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
head -c 2M <device> > header_backup.dmp
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
for a 2MiB header. Verify the size of the dump-file to be sure.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
To restore such a backup, you can try luksHeaderRestore or do a more
|
|
Packit |
94f725 |
basic
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cat header_backup.dmp > <device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.3 How do I test for a LUKS header?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Use
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup -v isLuks <device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
on the device. Without the "-v" it just signals its result via
|
|
Packit |
94f725 |
exit-status. You can also use the more general test
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
blkid -p <device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
which will also detect other types and give some more info. Omit
|
|
Packit |
94f725 |
"-p" for old versions of blkid that do not support it.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.4 How do I backup a LUKS or dm-crypt partition?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There are two options, a sector-image and a plain file or filesystem
|
|
Packit |
94f725 |
backup of the contents of the partition. The sector image is already
|
|
Packit |
94f725 |
encrypted, but cannot be compressed and contains all empty space. The
|
|
Packit |
94f725 |
filesystem backup can be compressed, can contain only part of the
|
|
Packit |
94f725 |
encrypted device, but needs to be encrypted separately if so desired.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
A sector-image will contain the whole partition in encrypted form, for
|
|
Packit |
94f725 |
LUKS the LUKS header, the keys-slots and the data area. It can be done
|
|
Packit |
94f725 |
under Linux e.g. with dd_rescue (for a direct image copy) and with
|
|
Packit |
94f725 |
"cat" or "dd". Examples:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cat /dev/sda10 > sda10.img
|
|
Packit |
94f725 |
dd_rescue /dev/sda10 sda10.img
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
You can also use any other backup software that is capable of making a
|
|
Packit |
94f725 |
sector image of a partition. Note that compression is ineffective for
|
|
Packit |
94f725 |
encrypted data, hence it does not make sense to use it.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For a filesystem backup, you decrypt and mount the encrypted partition
|
|
Packit |
94f725 |
and back it up as you would a normal filesystem. In this case the
|
|
Packit |
94f725 |
backup is not encrypted, unless your encryption method does that. For
|
|
Packit |
94f725 |
example you can encrypt a backup with "tar" as follows with GnuPG:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
tar cjf - <path> | gpg --cipher-algo AES -c - > backup.tbz2.gpg
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
And verify the backup like this if you are at "path":
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cat backup.tbz2.gpg | gpg - | tar djf -
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note: Always verify backups, especially encrypted ones!
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There is one problem with verifying like this: The kernel may still have
|
|
Packit |
94f725 |
some files cached and in fact verify them against RAM or may even verify
|
|
Packit |
94f725 |
RAM against RAM, which defeats the purpose of the exercise. The
|
|
Packit |
94f725 |
following command empties the kernel caches:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
echo 3 > /proc/sys/vm/drop_caches
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Run it after backup and before verify.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
In both cases GnuPG will ask you interactively for your symmetric key.
|
|
Packit |
94f725 |
The verify will only output errors. Use "tar dvjf -" to get all
|
|
Packit |
94f725 |
comparison results. To make sure no data is written to disk
|
|
Packit |
94f725 |
unencrypted, turn off swap if it is not encrypted before doing the
|
|
Packit |
94f725 |
backup.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Restore works like certification with the 'd' ('difference') replaced
|
|
Packit |
94f725 |
by 'x' ('eXtract'). Refer to the man-page of tar for more explanations
|
|
Packit |
94f725 |
and instructions. Note that with default options tar will overwrite
|
|
Packit |
94f725 |
already existing files without warning. If you are unsure about how
|
|
Packit |
94f725 |
to use tar, experiment with it in a location where you cannot do damage.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
You can of course use different or no compression and you can use an
|
|
Packit |
94f725 |
asymmetric key if you have one and have a backup of the secret key that
|
|
Packit |
94f725 |
belongs to it.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
A second option for a filesystem-level backup that can be used when the
|
|
Packit |
94f725 |
backup is also on local disk (e.g. an external USB drive) is to use a
|
|
Packit |
94f725 |
LUKS container there and copy the files to be backed up between both
|
|
Packit |
94f725 |
mounted containers. Also see next item.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.5 Do I need a backup of the full partition? Would the header
|
|
Packit |
94f725 |
and key-slots not be enough?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Backup protects you against two things: Disk loss or corruption and user
|
|
Packit |
94f725 |
error. By far the most questions on the dm-crypt mailing list about how
|
|
Packit |
94f725 |
to recover a damaged LUKS partition are related to user error. For
|
|
Packit |
94f725 |
example, if you create a new filesystem on a non-mapped LUKS container,
|
|
Packit |
94f725 |
chances are good that all data is lost permanently.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For this case, a header+key-slot backup would often be enough. But keep
|
|
Packit |
94f725 |
in mind that a well-treated (!) HDD has roughly a failure risk of 5% per
|
|
Packit |
94f725 |
year. It is highly advisable to have a complete backup to protect
|
|
Packit |
94f725 |
against this case.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.6 What do I need to backup if I use "decrypt_derived"?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This is a script in Debian, intended for mounting /tmp or swap with a
|
|
Packit |
94f725 |
key derived from the master key of an already decrypted device. If you
|
|
Packit |
94f725 |
use this for an device with data that should be persistent, you need to
|
|
Packit |
94f725 |
make sure you either do not lose access to that master key or have a
|
|
Packit |
94f725 |
backup of the data. If you derive from a LUKS device, a header backup
|
|
Packit |
94f725 |
of that device would cover backing up the master key. Keep in mind that
|
|
Packit |
94f725 |
this does not protect against disk loss.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note: If you recreate the LUKS header of the device you derive from
|
|
Packit |
94f725 |
(using luksFormat), the master key changes even if you use the same
|
|
Packit |
94f725 |
passphrase(s) and you will not be able to decrypt the derived device
|
|
Packit |
94f725 |
with the new LUKS header.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.7 Does a backup compromise security?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Depends on how you do it. However if you do not have one, you are going
|
|
Packit |
94f725 |
to eventually lose your encrypted data.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There are risks introduced by backups. For example if you
|
|
Packit |
94f725 |
change/disable a key-slot in LUKS, a binary backup of the partition will
|
|
Packit |
94f725 |
still have the old key-slot. To deal with this, you have to be able to
|
|
Packit |
94f725 |
change the key-slot on the backup as well, securely erase the backup or
|
|
Packit |
94f725 |
do a filesystem-level backup instead of a binary one.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you use dm-crypt, backup is simpler: As there is no key management,
|
|
Packit |
94f725 |
the main risk is that you cannot wipe the backup when wiping the
|
|
Packit |
94f725 |
original. However wiping the original for dm-crypt should consist of
|
|
Packit |
94f725 |
forgetting the passphrase and that you can do without actual access to
|
|
Packit |
94f725 |
the backup.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
In both cases, there is an additional (usually small) risk with binary
|
|
Packit |
94f725 |
backups: An attacker can see how many sectors and which ones have been
|
|
Packit |
94f725 |
changed since the backup. To prevent this, use a filesystem level
|
|
Packit |
94f725 |
backup method that encrypts the whole backup in one go, e.g. as
|
|
Packit |
94f725 |
described above with tar and GnuPG.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
My personal advice is to use one USB disk (low value data) or three
|
|
Packit |
94f725 |
disks (high value data) in rotating order for backups, and either use
|
|
Packit |
94f725 |
independent LUKS partitions on them, or use encrypted backup with tar
|
|
Packit |
94f725 |
and GnuPG.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you do network-backup or tape-backup, I strongly recommend to go
|
|
Packit |
94f725 |
the filesystem backup path with independent encryption, as you
|
|
Packit |
94f725 |
typically cannot reliably delete data in these scenarios, especially
|
|
Packit |
94f725 |
in a cloud setting. (Well, you can burn the tape if it is under your
|
|
Packit |
94f725 |
control...)
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.8 What happens if I overwrite the start of a LUKS partition or
|
|
Packit |
94f725 |
damage the LUKS header or key-slots?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There are two critical components for decryption: The salt values in the
|
|
Packit |
94f725 |
key-slot descriptors of the header and the key-slots. For LUKS2 they
|
|
Packit |
94f725 |
are a bit better protected. but for LUKS1, these are right in the first
|
|
Packit |
94f725 |
sector. If the salt values are overwritten or changed, nothing (in the
|
|
Packit |
94f725 |
cryptographically strong sense) can be done to access the data, unless
|
|
Packit |
94f725 |
there is a backup of the LUKS header. If a key-slot is damaged, the
|
|
Packit |
94f725 |
data can still be read with a different key-slot, if there is a
|
|
Packit |
94f725 |
remaining undamaged and used key-slot. Note that in order to make a
|
|
Packit |
94f725 |
key-slot completely unrecoverable, changing about 4-6 bits in random
|
|
Packit |
94f725 |
locations of its 128kiB size is quite enough.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.9 What happens if I (quick) format a LUKS partition?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
I have not tried the different ways to do this, but very likely you will
|
|
Packit |
94f725 |
have written a new boot-sector, which in turn overwrites the LUKS
|
|
Packit |
94f725 |
header, including the salts, making your data permanently irretrievable,
|
|
Packit |
94f725 |
unless you have a LUKS header backup. For LUKS2 this may still be
|
|
Packit |
94f725 |
recoverable without that header backup, for LUKS1 it is not. You may
|
|
Packit |
94f725 |
also damage the key-slots in part or in full. See also last item.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.10 How do I recover the master key from a mapped LUKS1 container?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note: LUKS2 uses the kernel keyring to store keys and hence this
|
|
Packit |
94f725 |
procedure does not work unless you have explicitly disabled the use of
|
|
Packit |
94f725 |
the keyring with "--disable-keyring" on opening.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This is typically only needed if you managed to damage your LUKS1
|
|
Packit |
94f725 |
header, but the container is still mapped, i.e. "luksOpen"ed. It also
|
|
Packit |
94f725 |
helps if you have a mapped container that you forgot or do not know a
|
|
Packit |
94f725 |
passphrase for (e.g. on a long running server.)
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
WARNING: Things go wrong, do a full backup before trying this!
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
WARNING: This exposes the master key of the LUKS1 container. Note that
|
|
Packit |
94f725 |
both ways to recreate a LUKS header with the old master key described
|
|
Packit |
94f725 |
below will write the master key to disk. Unless you are sure you have
|
|
Packit |
94f725 |
securely erased it afterwards, e.g. by writing it to an encrypted
|
|
Packit |
94f725 |
partition, RAM disk or by erasing the filesystem you wrote it to by a
|
|
Packit |
94f725 |
complete overwrite, you should change the master key afterwards.
|
|
Packit |
94f725 |
Changing the master key requires a full data backup, luksFormat and then
|
|
Packit |
94f725 |
restore of the backup. Alternatively the tool cryptsetup-reencrypt from
|
|
Packit |
94f725 |
the cryptsetup package can be used to change the master key (see its
|
|
Packit |
94f725 |
man-page), but a full backup is still highly recommended.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
First, there is a script by Milan that automates the whole process,
|
|
Packit |
94f725 |
except generating a new LUKS1 header with the old master key (it prints
|
|
Packit |
94f725 |
the command for that though):
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
https://gitlab.com/cryptsetup/cryptsetup/blob/master/misc/luks-header-from-active
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
You can also do this manually. Here is how:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Get the master key from the device mapper. This is done by the
|
|
Packit |
94f725 |
following command. Substitute c5 for whatever you mapped to:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
# dmsetup table --target crypt --showkey /dev/mapper/c5
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Result:
|
|
Packit |
94f725 |
0 200704 crypt aes-cbc-essiv:sha256
|
|
Packit |
94f725 |
a1704d9715f73a1bb4db581dcacadaf405e700d591e93e2eaade13ba653d0d09
|
|
Packit |
94f725 |
0 7:0 4096
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The result is actually one line, wrapped here for clarity. The long
|
|
Packit |
94f725 |
hex string is the master key.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Convert the master key to a binary file representation. You can do
|
|
Packit |
94f725 |
this manually, e.g. with hexedit. You can also use the tool "xxd"
|
|
Packit |
94f725 |
from vim like this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
echo "a1704d9....53d0d09" | xxd -r -p > <master-key-file>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Do a luksFormat to create a new LUKS1 header.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
NOTE: If your header is intact and you just forgot the passphrase,
|
|
Packit |
94f725 |
you can just set a new passphrase, see next sub-item.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Unmap the device before you do that (luksClose). Then do
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksFormat --master-key-file=<master-key-file> <luks device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note that if the container was created with other than the default
|
|
Packit |
94f725 |
settings of the cryptsetup version you are using, you need to give
|
|
Packit |
94f725 |
additional parameters specifying the deviations. If in doubt, try the
|
|
Packit |
94f725 |
script by Milan. It does recover the other parameters as well.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Side note: This is the way the decrypt_derived script gets at the master
|
|
Packit |
94f725 |
key. It just omits the conversion and hashes the master key string.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- If the header is intact and you just forgot the passphrase, just
|
|
Packit |
94f725 |
set a new passphrase like this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksAddKey --master-key-file=<master-key-file> <luks device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
You may want to disable the old one afterwards.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.11 What does the on-disk structure of dm-crypt look like?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There is none. dm-crypt takes a block device and gives encrypted access
|
|
Packit |
94f725 |
to each of its blocks with a key derived from the passphrase given. If
|
|
Packit |
94f725 |
you use a cipher different than the default, you have to specify that as
|
|
Packit |
94f725 |
a parameter to cryptsetup too. If you want to change the password, you
|
|
Packit |
94f725 |
basically have to create a second encrypted device with the new
|
|
Packit |
94f725 |
passphrase and copy your data over. On the plus side, if you
|
|
Packit |
94f725 |
accidentally overwrite any part of a dm-crypt device, the damage will be
|
|
Packit |
94f725 |
limited to the area you overwrote.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.12 What does the on-disk structure of LUKS1 look like?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note: For LUKS2, refer to the LUKS2 document referenced in Item 1.2
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
A LUKS1 partition consists of a header, followed by 8 key-slot
|
|
Packit |
94f725 |
descriptors, followed by 8 key slots, followed by the encrypted data
|
|
Packit |
94f725 |
area.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Header and key-slot descriptors fill the first 592 bytes. The key-slot
|
|
Packit |
94f725 |
size depends on the creation parameters, namely on the number of
|
|
Packit |
94f725 |
anti-forensic stripes, key material offset and master key size.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
With the default parameters, each key-slot is a bit less than 128kiB in
|
|
Packit |
94f725 |
size. Due to sector alignment of the key-slot start, that means the key
|
|
Packit |
94f725 |
block 0 is at offset 0x1000-0x20400, key block 1 at offset
|
|
Packit |
94f725 |
0x21000-0x40400, and key block 7 at offset 0xc1000-0xe0400. The space
|
|
Packit |
94f725 |
to the next full sector address is padded with zeros. Never used
|
|
Packit |
94f725 |
key-slots are filled with what the disk originally contained there, a
|
|
Packit |
94f725 |
key-slot removed with "luksRemoveKey" or "luksKillSlot" gets filled with
|
|
Packit |
94f725 |
0xff. Due to 2MiB default alignment, start of the data area for
|
|
Packit |
94f725 |
cryptsetup 1.3 and later is at 2MiB, i.e. at 0x200000. For older
|
|
Packit |
94f725 |
versions, it is at 0x101000, i.e. at 1'052'672 bytes, i.e. at 1MiB +
|
|
Packit |
94f725 |
4096 bytes from the start of the partition. Incidentally,
|
|
Packit |
94f725 |
"luksHeaderBackup" for a LUKS container created with default parameters
|
|
Packit |
94f725 |
dumps exactly the first 2MiB (or 1'052'672 bytes for headers created
|
|
Packit |
94f725 |
with cryptsetup versions < 1.3) to file and "luksHeaderRestore" restores
|
|
Packit |
94f725 |
them.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For non-default parameters, you have to figure out placement yourself.
|
|
Packit |
94f725 |
"luksDump" helps. See also next item. For the most common non-default
|
|
Packit |
94f725 |
settings, namely aes-xts-plain with 512 bit key, the offsets are: 1st
|
|
Packit |
94f725 |
keyslot 0x1000-0x3f800, 2nd keyslot 0x40000-0x7e000, 3rd keyslot
|
|
Packit |
94f725 |
0x7e000-0xbd800, ..., and start of bulk data at 0x200000.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The exact specification of the format is here:
|
|
Packit |
94f725 |
https://gitlab.com/cryptsetup/cryptsetup/wikis/Specification
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For your convenience, here is the LUKS1 header with hex offsets.
|
|
Packit |
94f725 |
NOTE:
|
|
Packit |
94f725 |
The spec counts key-slots from 1 to 8, but the cryptsetup tool counts
|
|
Packit |
94f725 |
from 0 to 7. The numbers here refer to the cryptsetup numbers.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Refers to LUKS1 On-Disk Format Specification Version 1.2.3
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS1 header:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
offset length name data type description
|
|
Packit |
94f725 |
-----------------------------------------------------------------------
|
|
Packit |
94f725 |
0x0000 0x06 magic byte[] 'L','U','K','S', 0xba, 0xbe
|
|
Packit |
94f725 |
0 6
|
|
Packit |
94f725 |
0x0006 0x02 version uint16_t LUKS version
|
|
Packit |
94f725 |
6 3
|
|
Packit |
94f725 |
0x0008 0x20 cipher-name char[] cipher name spec.
|
|
Packit |
94f725 |
8 32
|
|
Packit |
94f725 |
0x0028 0x20 cipher-mode char[] cipher mode spec.
|
|
Packit |
94f725 |
40 32
|
|
Packit |
94f725 |
0x0048 0x20 hash-spec char[] hash spec.
|
|
Packit |
94f725 |
72 32
|
|
Packit |
94f725 |
0x0068 0x04 payload-offset uint32_t bulk data offset in sectors
|
|
Packit |
94f725 |
104 4 (512 bytes per sector)
|
|
Packit |
94f725 |
0x006c 0x04 key-bytes uint32_t number of bytes in key
|
|
Packit |
94f725 |
108 4
|
|
Packit |
94f725 |
0x0070 0x14 mk-digest byte[] master key checksum
|
|
Packit |
94f725 |
112 20 calculated with PBKDF2
|
|
Packit |
94f725 |
0x0084 0x20 mk-digest-salt byte[] salt for PBKDF2 when
|
|
Packit |
94f725 |
132 32 calculating mk-digest
|
|
Packit |
94f725 |
0x00a4 0x04 mk-digest-iter uint32_t iteration count for PBKDF2
|
|
Packit |
94f725 |
164 4 when calculating mk-digest
|
|
Packit |
94f725 |
0x00a8 0x28 uuid char[] partition UUID
|
|
Packit |
94f725 |
168 40
|
|
Packit |
94f725 |
0x00d0 0x30 key-slot-0 key slot key slot 0
|
|
Packit |
94f725 |
208 48
|
|
Packit |
94f725 |
0x0100 0x30 key-slot-1 key slot key slot 1
|
|
Packit |
94f725 |
256 48
|
|
Packit |
94f725 |
0x0130 0x30 key-slot-2 key slot key slot 2
|
|
Packit |
94f725 |
304 48
|
|
Packit |
94f725 |
0x0160 0x30 key-slot-3 key slot key slot 3
|
|
Packit |
94f725 |
352 48
|
|
Packit |
94f725 |
0x0190 0x30 key-slot-4 key slot key slot 4
|
|
Packit |
94f725 |
400 48
|
|
Packit |
94f725 |
0x01c0 0x30 key-slot-5 key slot key slot 5
|
|
Packit |
94f725 |
448 48
|
|
Packit |
94f725 |
0x01f0 0x30 key-slot-6 key slot key slot 6
|
|
Packit |
94f725 |
496 48
|
|
Packit |
94f725 |
0x0220 0x30 key-slot-7 key slot key slot 7
|
|
Packit |
94f725 |
544 48
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Key slot:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
offset length name data type description
|
|
Packit |
94f725 |
-------------------------------------------------------------------------
|
|
Packit |
94f725 |
0x0000 0x04 active uint32_t key slot enabled/disabled
|
|
Packit |
94f725 |
0 4
|
|
Packit |
94f725 |
0x0004 0x04 iterations uint32_t PBKDF2 iteration count
|
|
Packit |
94f725 |
4 4
|
|
Packit |
94f725 |
0x0008 0x20 salt byte[] PBKDF2 salt
|
|
Packit |
94f725 |
8 32
|
|
Packit |
94f725 |
0x0028 0x04 key-material-offset uint32_t key start sector
|
|
Packit |
94f725 |
40 4 (512 bytes/sector)
|
|
Packit |
94f725 |
0x002c 0x04 stripes uint32_t number of anti-forensic
|
|
Packit |
94f725 |
44 4 stripes
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.13 What is the smallest possible LUKS1 container?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note: From cryptsetup 1.3 onwards, alignment is set to 1MB. With modern
|
|
Packit |
94f725 |
Linux partitioning tools that also align to 1MB, this will result in
|
|
Packit |
94f725 |
alignment to 2k sectors and typical Flash/SSD sectors, which is highly
|
|
Packit |
94f725 |
desirable for a number of reasons. Changing the alignment is not
|
|
Packit |
94f725 |
recommended.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
That said, with default parameters, the data area starts at exactly 2MB
|
|
Packit |
94f725 |
offset (at 0x101000 for cryptsetup versions before 1.3). The smallest
|
|
Packit |
94f725 |
data area you can have is one sector of 512 bytes. Data areas of 0
|
|
Packit |
94f725 |
bytes can be created, but fail on mapping.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
While you cannot put a filesystem into something this small, it may
|
|
Packit |
94f725 |
still be used to contain, for example, key. Note that with current
|
|
Packit |
94f725 |
formatting tools, a partition for a container this size will be 3MiB
|
|
Packit |
94f725 |
anyways. If you put the LUKS container into a file (via losetup and a
|
|
Packit |
94f725 |
loopback device), the file needs to be 2097664 bytes in size, i.e. 2MiB
|
|
Packit |
94f725 |
+ 512B.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The two ways to influence the start of the data area are key-size and
|
|
Packit |
94f725 |
alignment.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For alignment, you can go down to 1 on the parameter. This will still
|
|
Packit |
94f725 |
leave you with a data-area starting at 0x101000, i.e. 1MiB+4096B
|
|
Packit |
94f725 |
(default parameters) as alignment will be rounded up to the next
|
|
Packit |
94f725 |
multiple of 8 (i.e. 4096 bytes) If in doubt, do a dry-run on a larger
|
|
Packit |
94f725 |
file and dump the LUKS header to get actual information.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
For key-size, you can use 128 bit (e.g. AES-128 with CBC), 256 bit
|
|
Packit |
94f725 |
(e.g. AES-256 with CBC) or 512 bit (e.g. AES-256 with XTS mode). You
|
|
Packit |
94f725 |
can do 64 bit (e.g. blowfish-64 with CBC), but anything below 128 bit
|
|
Packit |
94f725 |
has to be considered insecure today.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Example 1 - AES 128 bit with CBC:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksFormat -s 128 --align-payload=8 <device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This results in a data offset of 0x81000, i.e. 516KiB or 528384
|
|
Packit |
94f725 |
bytes. Add one 512 byte sector and the smallest LUKS container size
|
|
Packit |
94f725 |
with these parameters is 516KiB + 512B or 528896 bytes.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Example 2 - Blowfish 64 bit with CBC (WARNING: insecure):
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksFormat -c blowfish -s 64 --align-payload=8 /dev/loop0
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This results in a data offset of 0x41000, i.e. 260kiB or 266240
|
|
Packit |
94f725 |
bytes, with a minimal LUKS1 container size of 260kiB + 512B or 266752
|
|
Packit |
94f725 |
bytes.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.14 I think this is overly complicated. Is there an alternative?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Not really. Encryption comes at a price. You can use plain dm-crypt to
|
|
Packit |
94f725 |
simplify things a bit. It does not allow multiple passphrases, but on
|
|
Packit |
94f725 |
the plus side, it has zero on disk description and if you overwrite some
|
|
Packit |
94f725 |
part of a plain dm-crypt partition, exactly the overwritten parts are
|
|
Packit |
94f725 |
lost (rounded up to full sectors).
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 6.15 Can I clone a LUKS container?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
You can, but it breaks security, because the cloned container has the
|
|
Packit |
94f725 |
same header and hence the same master key. Even if you change the
|
|
Packit |
94f725 |
passphrase(s), the master key stays the same. That means whoever has
|
|
Packit |
94f725 |
access to one of the clones can decrypt them all, completely bypassing
|
|
Packit |
94f725 |
the passphrases.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
While you can use cryptsetup-reencrypt to change the master key,
|
|
Packit |
94f725 |
this is probably more effort than to create separate LUKS containers
|
|
Packit |
94f725 |
in the first place.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The right way to do this is to first luksFormat the target container,
|
|
Packit |
94f725 |
then to clone the contents of the source container, with both containers
|
|
Packit |
94f725 |
mapped, i.e. decrypted. You can clone the decrypted contents of a LUKS
|
|
Packit |
94f725 |
container in binary mode, although you may run into secondary issues
|
|
Packit |
94f725 |
with GUIDs in filesystems, partition tables, RAID-components and the
|
|
Packit |
94f725 |
like. These are just the normal problems binary cloning causes.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note that if you need to ship (e.g.) cloned LUKS containers with a
|
|
Packit |
94f725 |
default passphrase, that is fine as long as each container was
|
|
Packit |
94f725 |
individually created (and hence has its own master key). In this case,
|
|
Packit |
94f725 |
changing the default passphrase will make it secure again.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
7. Interoperability with other Disk Encryption Tools
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 7.1 What is this section about?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Cryptsetup for plain dm-crypt can be used to access a number of on-disk
|
|
Packit |
94f725 |
formats created by tools like loop-aes patched into losetup. This
|
|
Packit |
94f725 |
sometimes works and sometimes does not. This section collects insights
|
|
Packit |
94f725 |
into what works, what does not and where more information is required.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Additional information may be found in the mailing-list archives,
|
|
Packit |
94f725 |
mentioned at the start of this FAQ document. If you have a solution
|
|
Packit |
94f725 |
working that is not yet documented here and think a wider audience may
|
|
Packit |
94f725 |
be interested, please email the FAQ maintainer.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 7.2 loop-aes: General observations.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
One problem is that there are different versions of losetup around.
|
|
Packit |
94f725 |
loop-aes is a patch for losetup. Possible problems and deviations
|
|
Packit |
94f725 |
from cryptsetup option syntax include:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Offsets specified in bytes (cryptsetup: 512 byte sectors)
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- The need to specify an IV offset
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Encryption mode needs specifying (e.g. "-c twofish-cbc-plain")
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Key size needs specifying (e.g. "-s 128" for 128 bit keys)
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Passphrase hash algorithm needs specifying
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Also note that because plain dm-crypt and loop-aes format does not have
|
|
Packit |
94f725 |
metadata, and while the loopAES extension for cryptsetup tries
|
|
Packit |
94f725 |
autodetection (see command loopaesOpen), it may not always work. If you
|
|
Packit |
94f725 |
still have the old set-up, using a verbosity option (-v) on mapping with
|
|
Packit |
94f725 |
the old tool or having a look into the system logs after setup could
|
|
Packit |
94f725 |
give you the information you need. Below, there are also some things
|
|
Packit |
94f725 |
that worked for somebody.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 7.3 loop-aes patched into losetup on Debian 5.x, kernel 2.6.32
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
In this case, the main problem seems to be that this variant of
|
|
Packit |
94f725 |
losetup takes the offset (-o option) in bytes, while cryptsetup takes
|
|
Packit |
94f725 |
it in sectors of 512 bytes each.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Example: The losetup command
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
losetup -e twofish -o 2560 /dev/loop0 /dev/sdb1
|
|
Packit |
94f725 |
mount /dev/loop0 mount-point
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
translates to
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup create -c twofish -o 5 --skip 5 e1 /dev/sdb1
|
|
Packit |
94f725 |
mount /dev/mapper/e1 mount-point
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 7.4 loop-aes with 160 bit key
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This seems to be sometimes used with twofish and blowfish and represents
|
|
Packit |
94f725 |
a 160 bit ripemed160 hash output padded to 196 bit key length. It seems
|
|
Packit |
94f725 |
the corresponding options for cryptsetup are
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
--cipher twofish-cbc-null -s 192 -h ripemd160:20
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 7.5 loop-aes v1 format OpenSUSE
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Apparently this is done by older OpenSUSE distros and stopped working
|
|
Packit |
94f725 |
from OpenSUSE 12.1 to 12.2. One user had success with the following:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup create <target> <device> -c aes -s 128 -h sha256
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 7.6 Kernel encrypted loop device (cryptoloop)
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There are a number of different losetup implementations for using
|
|
Packit |
94f725 |
encrypted loop devices so getting this to work may need a bit of
|
|
Packit |
94f725 |
experimentation.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
NOTE: Do NOT use this for new containers! Some of the existing
|
|
Packit |
94f725 |
implementations are insecure and future support is uncertain.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Example for a compatible mapping:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
losetup -e twofish -N /dev/loop0 /image.img
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
translates to
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup create image_plain /image.img -c twofish-cbc-plain -H plain
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
with the mapping being done to /dev/mapper/image_plain instead of
|
|
Packit |
94f725 |
to /dev/loop0.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
More details:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Cipher, mode and password hash (or no hash):
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
-e cipher [-N] => -c cipher-cbc-plain -H plain [-s 256]
|
|
Packit |
94f725 |
-e cipher => -c cipher-cbc-plain -H ripemd160 [-s 256]
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Key size and offsets (losetup: bytes, cryptsetuop: sectors of 512 bytes):
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
-k 128 => -s 128
|
|
Packit |
94f725 |
-o 2560 => -o 5 -p 5 # 2560/512 = 5
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There is no replacement for --pass-fd, it has to be emulated using
|
|
Packit |
94f725 |
keyfiles, see the cryptsetup man-page.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
8. Issues with Specific Versions of cryptsetup
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 8.1 When using the create command for plain dm-crypt with
|
|
Packit |
94f725 |
cryptsetup 1.1.x, the mapping is incompatible and my data is not
|
|
Packit |
94f725 |
accessible anymore!
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
With cryptsetup 1.1.x, the distro maintainer can define different
|
|
Packit |
94f725 |
default encryption modes. You can check the compiled-in defaults using
|
|
Packit |
94f725 |
"cryptsetup --help". Moreover, the plain device default changed because
|
|
Packit |
94f725 |
the old IV mode was vulnerable to a watermarking attack.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you are using a plain device and you need a compatible mode, just
|
|
Packit |
94f725 |
specify cipher, key size and hash algorithm explicitly. For
|
|
Packit |
94f725 |
compatibility with cryptsetup 1.0.x defaults, simple use the following:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup create -c aes-cbc-plain -s 256 -h ripemd160 <name> <dev>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS stores cipher and mode in the metadata on disk, avoiding this
|
|
Packit |
94f725 |
problem.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 8.2 cryptsetup on SLED 10 has problems...
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
SLED 10 is missing an essential kernel patch for dm-crypt, which is
|
|
Packit |
94f725 |
broken in its kernel as a result. There may be a very old version of
|
|
Packit |
94f725 |
cryptsetup (1.0.x) provided by SLED, which should also not be used
|
|
Packit |
94f725 |
anymore as well. My advice would be to drop SLED 10.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 8.3 Gcrypt 1.6.x and later break Whirlpool
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
It is the other way round: In gcrypt 1.5.x, Whirlpool is broken and it
|
|
Packit |
94f725 |
was fixed in 1.6.0 and later. If you selected whirlpool as hash on
|
|
Packit |
94f725 |
creation of a LUKS container, it does not work anymore with the fixed
|
|
Packit |
94f725 |
library. This shows one serious risk of using rarely used settings.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note that at the time this FAQ item was written, 1.5.4 was the latest
|
|
Packit |
94f725 |
1.5.x version and it has the flaw, i.e. works with the old Whirlpool
|
|
Packit |
94f725 |
version. Possibly later 1.5.x versions will work as well. If not,
|
|
Packit |
94f725 |
please let me know.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The only two ways to access older LUKS containers created with Whirlpool
|
|
Packit |
94f725 |
are to either decrypt with an old gcrypt version that has the flaw or to
|
|
Packit |
94f725 |
use a compatibility feature introduced in cryptsetup 1.6.4 and gcrypt
|
|
Packit |
94f725 |
1.6.1 or later. Version 1.6.0 cannot be used.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Steps:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Make at least a header backup or better, refresh your full backup.
|
|
Packit |
94f725 |
(You have a full backup, right? See Item 6.1 and following.)
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Make sure you have cryptsetup 1.6.4 or later and check the gcrypt
|
|
Packit |
94f725 |
version:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup luksDump <your luks device> --debug | grep backend
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If gcrypt is at version 1.5.x or before:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Reencrypt the LUKS header with a different hash. (Requires entering
|
|
Packit |
94f725 |
all keyslot passphrases. If you do not have all, remove the ones you
|
|
Packit |
94f725 |
do not have before.):
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup-reencrypt --keep-key --hash sha256 <your luks device>
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If gcrypt is at version 1.6.1 or later:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Patch the hash name in the LUKS header from "whirlpool" to
|
|
Packit |
94f725 |
"whirlpool_gcryptbug". This activates the broken implementation.
|
|
Packit |
94f725 |
The detailed header layout is in Item 6.12 of this FAQ and in the
|
|
Packit |
94f725 |
LUKS on-disk format specification. One way to change the hash is
|
|
Packit |
94f725 |
with the following command:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
echo -n -e 'whirlpool_gcryptbug\0' | dd of=<luks device> bs=1 seek=72 conv=notrunc
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- You can now open the device again. It is highly advisable to change
|
|
Packit |
94f725 |
the hash now with cryptsetup-reencrypt as described above. While you
|
|
Packit |
94f725 |
can reencrypt to use the fixed whirlpool, that may not be a good idea
|
|
Packit |
94f725 |
as almost nobody seems to use it and hence the long time until the
|
|
Packit |
94f725 |
bug was discovered.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
9. The Initrd question
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 9.1 My initrd is broken with cryptsetup
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
That is not nice! However the initrd is supplied by your distribution,
|
|
Packit |
94f725 |
not by the cryptsetup project and hence you should complain to them. We
|
|
Packit |
94f725 |
cannot really do anything about it.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 9.2 CVE-2016-4484 says cryptsetup is broken!
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Not really. It says the initrd in some Debian versions have a behavior
|
|
Packit |
94f725 |
that under some very special and unusual conditions may be considered
|
|
Packit |
94f725 |
a vulnerability.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
What happens is that you can trick the initrd to go to a rescue-shell if
|
|
Packit |
94f725 |
you enter the LUKS password wrongly in a specific way. But falling back
|
|
Packit |
94f725 |
to a rescue shell on initrd errors is a sensible default behavior in the
|
|
Packit |
94f725 |
first place. It gives you about as much access as booting a rescue
|
|
Packit |
94f725 |
system from CD or USB-Stick or as removing the disk would give you. So
|
|
Packit |
94f725 |
this only applies when an attacker has physical access, but cannot boot
|
|
Packit |
94f725 |
anything else or remove the disk. These will be rare circumstances
|
|
Packit |
94f725 |
indeed, and if you rely on the default distribution initrd to keep you
|
|
Packit |
94f725 |
safe under these circumstances, then you have bigger problems than this
|
|
Packit |
94f725 |
somewhat expected behavior.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The CVE was exagerrated and should not be assigned to upstream
|
|
Packit |
94f725 |
cryptsetup in the first place (it is a distro specific initrd issue).
|
|
Packit |
94f725 |
It was driven more by a try to make a splash for self-aggrandizement,
|
|
Packit |
94f725 |
than by any actual security concerns. Ignore it.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 9.3 How do I do my own initrd with cryptsetup?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Note: The instructions here apply to an initrd in initramfs format, not
|
|
Packit |
94f725 |
to an initrd in initrd format. The latter is a filesystem image, not a
|
|
Packit |
94f725 |
cpio-archive, and seems to not be widely used anymore.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
It depends on the distribution. Below, I give a very simple example and
|
|
Packit |
94f725 |
step-by-step instructions for Debian. With a bit of work, it should be
|
|
Packit |
94f725 |
possible to adapt this to other distributions. Note that the
|
|
Packit |
94f725 |
description is pretty general, so if you want to do other things with an
|
|
Packit |
94f725 |
initrd it provides a useful starting point for that too.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
01) Unpacking an existing initrd to use as template
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
A Linux initrd is in gzip'ed cpio format. To unpack it, use something
|
|
Packit |
94f725 |
like this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
md tmp; cd tmp; cat ../initrd | gunzip | cpio -id
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
After this, you have the full initrd content in tmp/
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
02) Inspecting the init-script
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The init-script is the only thing the kernel cares about. All activity
|
|
Packit |
94f725 |
starts there. Its traditional location is /sbin/init on disk, but /init
|
|
Packit |
94f725 |
in an initrd. In an initrd unpacked as above it is tmp/init.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
While init can be a binary despite usually being called "init script",
|
|
Packit |
94f725 |
in Debian the main init on the root partition is a binary, but the init
|
|
Packit |
94f725 |
in the initrd (and only that one is called by the kernel) is a script
|
|
Packit |
94f725 |
and starts like this:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
#!/bin/sh
|
|
Packit |
94f725 |
....
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The "sh" used here is in tmp/bin/sh as just unpacked, and in Debian it
|
|
Packit |
94f725 |
currently is a busybox.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
03) Creating your own initrd
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The two examples below should give you most of what is needed. This is
|
|
Packit |
94f725 |
tested with LUKS1 and should work with LUKS2 as well. If not, please
|
|
Packit |
94f725 |
let me know.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Here is a really minimal example. It does nothing but set up some
|
|
Packit |
94f725 |
things and then drop to an interactive shell. It is perfect to try out
|
|
Packit |
94f725 |
things that you want to go into the init-script.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
#!/bin/sh
|
|
Packit |
94f725 |
export PATH=/sbin:/bin
|
|
Packit |
94f725 |
[ -d /sys ] || mkdir /sys
|
|
Packit |
94f725 |
[ -d /proc ] || mkdir /proc
|
|
Packit |
94f725 |
[ -d /tmp ] || mkdir /tmp
|
|
Packit |
94f725 |
mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
|
|
Packit |
94f725 |
mount -t proc -o nodev,noexec,nosuid proc /proc
|
|
Packit |
94f725 |
echo "initrd is running, starting BusyBox..."
|
|
Packit |
94f725 |
exec /bin/sh --login
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Here is an example that opens the first LUKS-partition it finds with the
|
|
Packit |
94f725 |
hard-coded password "test2" and then mounts it as root-filesystem. This
|
|
Packit |
94f725 |
is intended to be used on an USB-stick that after boot goes into a safe,
|
|
Packit |
94f725 |
as it contains the LUKS-passphrase in plain text and is not secure to be
|
|
Packit |
94f725 |
left in the system. The script contains debug-output that should make it
|
|
Packit |
94f725 |
easier to see what is going on. Note that the final hand-over to the init
|
|
Packit |
94f725 |
on the encrypted root-partition is done by "exec switch_root /mnt/root
|
|
Packit |
94f725 |
/sbin/init", after mounting the decrypted LUKS container with "mount
|
|
Packit |
94f725 |
/dev/mapper/c1 /mnt/root". The second argument of switch_root is relative
|
|
Packit |
94f725 |
to the first argument, i.e. the init started with this command is really
|
|
Packit |
94f725 |
/mnt/sbin/init before switch_root runs.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
#!/bin/sh
|
|
Packit |
94f725 |
export PATH=/sbin:/bin
|
|
Packit |
94f725 |
[ -d /sys ] || mkdir /sys
|
|
Packit |
94f725 |
[ -d /proc ] || mkdir /proc
|
|
Packit |
94f725 |
[ -d /tmp ] || mkdir /tmp
|
|
Packit |
94f725 |
mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
|
|
Packit |
94f725 |
mount -t proc -o nodev,noexec,nosuid proc /proc
|
|
Packit |
94f725 |
echo "detecting LUKS containers in sda1-10, sdb1-10"; sleep 1
|
|
Packit |
94f725 |
for i in a b
|
|
Packit |
94f725 |
do
|
|
Packit |
94f725 |
for j in 1 2 3 4 5 6 7 8 9 10
|
|
Packit |
94f725 |
do
|
|
Packit |
94f725 |
sleep 0.5
|
|
Packit |
94f725 |
d="/dev/sd"$i""$j
|
|
Packit |
94f725 |
echo -n $d
|
|
Packit |
94f725 |
cryptsetup isLuks $d >/dev/null 2>&1
|
|
Packit |
94f725 |
r=$?
|
|
Packit |
94f725 |
echo -n " result: "$r""
|
|
Packit |
94f725 |
# 0 = is LUKS, 1 = is not LUKS, 4 = other error
|
|
Packit |
94f725 |
if expr $r = 0 > /dev/null
|
|
Packit |
94f725 |
then
|
|
Packit |
94f725 |
echo " is LUKS, attempting unlock"
|
|
Packit |
94f725 |
echo -n "test2" | cryptsetup luksOpen --key-file=- $d c1
|
|
Packit |
94f725 |
r=$?
|
|
Packit |
94f725 |
echo " result of unlock attempt: "$r""
|
|
Packit |
94f725 |
sleep 2
|
|
Packit |
94f725 |
if expr $r = 0 > /dev/null
|
|
Packit |
94f725 |
then
|
|
Packit |
94f725 |
echo "*** LUKS partition unlocked, switching root ***
|
|
Packit |
94f725 |
echo " (waiting 30 seconds before doing that)"
|
|
Packit |
94f725 |
mount /dev/mapper/c1 /mnt/root
|
|
Packit |
94f725 |
sleep 30
|
|
Packit |
94f725 |
exec switch_root /mnt/root /sbin/init
|
|
Packit |
94f725 |
fi
|
|
Packit |
94f725 |
else
|
|
Packit |
94f725 |
echo " is not LUKS"
|
|
Packit |
94f725 |
fi
|
|
Packit |
94f725 |
done
|
|
Packit |
94f725 |
done
|
|
Packit |
94f725 |
echo "FAIL finding root on LUKS, loading BusyBox..."; sleep 5
|
|
Packit |
94f725 |
exec /bin/sh --login
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
04) What if I want a binary in the initrd, but libraries are missing?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
That is a bit tricky. One option is to compile statically, but that
|
|
Packit |
94f725 |
does not work for everything. Debian puts some libraries into lib/ and
|
|
Packit |
94f725 |
lib64/ which are usually enough. If you need more, you can add the
|
|
Packit |
94f725 |
libraries you need there. That may or may not need a configuration
|
|
Packit |
94f725 |
change for the dynamic linker "ld" as well. Refer to standard Linux
|
|
Packit |
94f725 |
documentation on how to add a library to a Linux system. A running
|
|
Packit |
94f725 |
initrd is just a running Linux system after all, it is not special in
|
|
Packit |
94f725 |
any way.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
05) How do I repack the initrd?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Simply repack the changed directory. While in tmp/, do
|
|
Packit |
94f725 |
the following:
|
|
Packit |
94f725 |
```
|
|
Packit |
94f725 |
find . | cpio --create --format='newc' | gzip > ../new_initrd
|
|
Packit |
94f725 |
```
|
|
Packit |
94f725 |
Rename "new_initrd" to however you want it called (the name of
|
|
Packit |
94f725 |
the initrd is a kernel-parameter) and move to /boot. That is it.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
10. LUKS2 Questions
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 10.1 Is the cryptography of LUKS2 different?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Mostly not. The header has changed in its structure, but the
|
|
Packit |
94f725 |
crytpgraphy is the same. The one exception is that PBKDF2 has been
|
|
Packit |
94f725 |
replaced by Argon2 to give better resilience against attacks attacks by
|
|
Packit |
94f725 |
graphics cards and other hardware with lots of computing power but
|
|
Packit |
94f725 |
limited local memory per computing element.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 10.2 What new features does LUKS2 have?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
There are quite a few. I recommend reading the man-page and the on-disk
|
|
Packit |
94f725 |
format specification, see Item 1.2.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
To list just some:
|
|
Packit |
94f725 |
- A lot of the metadata is JSON, allowing for easier extension
|
|
Packit |
94f725 |
- Max 32 key-slots per default
|
|
Packit |
94f725 |
- Better protection for bad passphrases now available with Argon2
|
|
Packit |
94f725 |
- Authenticated encryption
|
|
Packit |
94f725 |
- The LUKS2 header is less vulnerable to corruption and has a 2nd copy
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 10.3 Why does LUKS2 need so much memory?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS2 uses Argon2 instead of PBKDF2. That causes the increase in memory.
|
|
Packit |
94f725 |
See next item.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 10.4 Why use Argon2 in LUKS 2 instead of PBKDF2?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS tries to be secure with not-so-good passwords. Bad passwords need to
|
|
Packit |
94f725 |
be protected in some way against an attacker that just tries all possible
|
|
Packit |
94f725 |
combinations. (For good passwords, you can just wait for the attacker to
|
|
Packit |
94f725 |
die of old age...) The situation with LUKS is not quite the same as with a
|
|
Packit |
94f725 |
password stored in a database, but there are similarities.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
LUKS does not store passwords on disk. Instead, the passwords are used to
|
|
Packit |
94f725 |
decrypt the master-key with it and that one is stored on disk in encrypted
|
|
Packit |
94f725 |
form. If you have a good password, with, say, more than 80 bits of
|
|
Packit |
94f725 |
entropy, you could just put the password through a single crypto-hash (to
|
|
Packit |
94f725 |
turn it into something that can be used as a key) and that would be secure.
|
|
Packit |
94f725 |
This is what plain dm-crypt does.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If the password has lower entropy, you want to make this process cost some
|
|
Packit |
94f725 |
effort, so that each try takes time and resources and slows the attacker
|
|
Packit |
94f725 |
down. LUKS1 uses PBKDF2 for that, adding an iteration count and a salt.
|
|
Packit |
94f725 |
The iteration count is per default set to that it takes 1 second per try on
|
|
Packit |
94f725 |
the CPU of the device where the respective passphrase was set. The salt is
|
|
Packit |
94f725 |
there to prevent precomputation.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The problem with that is that if you use a graphics card, you can massively
|
|
Packit |
94f725 |
speed up these computations as PBKDF2 needs very little memeory to compute
|
|
Packit |
94f725 |
it. A graphics card is (grossly simplified) a mass of small CPUs with some
|
|
Packit |
94f725 |
small very fast local memory per CPU and a large slow memory (the 4/6/8 GB
|
|
Packit |
94f725 |
a current card may have). If you can keep a computation in the small,
|
|
Packit |
94f725 |
CPU-local memory, you can gain a speed factor of 1000 or more when trying
|
|
Packit |
94f725 |
passwords with PBKDF2.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Argon2 was created to address this problem. It adds a "large memory
|
|
Packit |
94f725 |
property" where computing the result with less memory than the memory
|
|
Packit |
94f725 |
parameter requires is massively (exponentially) slowed down. That means,
|
|
Packit |
94f725 |
if you set, for example, 4GB of memory, computing Argon2 on a graphics card
|
|
Packit |
94f725 |
with around 100kB of memory per "CPU" makes no sense at all because it is
|
|
Packit |
94f725 |
far too slow. An attacker has hence to use real CPUs and furthermore is
|
|
Packit |
94f725 |
limited by main memory bandwith.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Hence the large amount of memory used is a security feature and should not
|
|
Packit |
94f725 |
be turned off or reduced. If you really (!) understand what you are doing
|
|
Packit |
94f725 |
and can assure good passwords, you can either go back to PBKDF2 or set a
|
|
Packit |
94f725 |
low amount of memory used for Argon2 when creating the header.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 10.5 LUKS2 is insecure! It uses less memory than the Argon2 RFC say!
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Well, not really. The RFC recommends 6GiB of memory for use with disk
|
|
Packit |
94f725 |
encryption. That is a bit insane and something clearly went wrong in the
|
|
Packit |
94f725 |
standardization process here. First, that makes Argon2 unusable on any 32
|
|
Packit |
94f725 |
bit Linux and that is clearly a bad thing. Second, there are many small
|
|
Packit |
94f725 |
Linux devices around that do not have 6GiB of RAM in the first place. For
|
|
Packit |
94f725 |
example, the current Raspberry Pi has 1GB, 2GB or 4GB of RAM, and with the
|
|
Packit |
94f725 |
RFC recommendations, none of these could compute Argon2 hashes.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Hence LUKS2 uses a more real-world approach. Iteration is set to a
|
|
Packit |
94f725 |
minimum of 4 because there are some theoretical attacks that work up to an
|
|
Packit |
94f725 |
iteration count of 3. The thread parameter is set to 4. To achieve 2
|
|
Packit |
94f725 |
second/slot unlock time, LUKS2 adjusts the memory parameter down if
|
|
Packit |
94f725 |
needed. In the other direction, it will respect available memory and not
|
|
Packit |
94f725 |
exceed it. On a current PC, the memory parameter will be somewhere around
|
|
Packit |
94f725 |
1GB, which should quite generous. The minimum I was able to set in an
|
|
Packit |
94f725 |
experiment with "-i 1" was 400kB of memory and that is too low to be
|
|
Packit |
94f725 |
secure. A Raspberry Pi would probably end up somewhere around 50MB (have
|
|
Packit |
94f725 |
not tried it) and that should still be plenty.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
That said, if you have a good, high-entropy passphrase, LUKS2 is secure
|
|
Packit |
94f725 |
with any memory parameter.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 10.6 How does re-encryption store data while it is running?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
All metadata necessary to perform a recovery of said segment (in case of
|
|
Packit |
94f725 |
crash) is stored in the LUKS2 metadata area. No matter if the LUKS2
|
|
Packit |
94f725 |
reencryption was run in online or offline mode.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 10.7 What do I do if re-encryption crashes?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
In case of a reencryption application crash, try to close the original
|
|
Packit |
94f725 |
device via following command first:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
cryptsetup close <my_crypt_device>.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Cryptsetup assesses if it's safe to teardown the reencryption device stack
|
|
Packit |
94f725 |
or not. It will also cut off I/O (via dm-error mapping) to current
|
|
Packit |
94f725 |
hotzone segment (to make later recovery possible). If it can't be torn
|
|
Packit |
94f725 |
down, i.e. due to a mounted fs, you must unmount the filesystem first.
|
|
Packit |
94f725 |
Never try to tear down reencryption dm devices manually using e.g.
|
|
Packit |
94f725 |
dmsetup tool, at least not unless cryptsetup says it's safe to do so. It
|
|
Packit |
94f725 |
could damage the data beyond repair.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 10.8 Do I need to enter two passphrases to recover a crashed
|
|
Packit |
94f725 |
re-encryption?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Cryptsetup (command line utility) expects the passphrases to be identical
|
|
Packit |
94f725 |
for the keyslot containing old volume key and for the keyslot containing
|
|
Packit |
94f725 |
new one. So the recovery happens during normal the "cryptsetup open"
|
|
Packit |
94f725 |
operation or the equivalent during boot.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Re-encryption recovery can be also performed in offline mode by
|
|
Packit |
94f725 |
the "cryptsetup repair" command.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 10.9 What is an unbound keyslot and what is it used for?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
Quite simply, an 'unbound key' is an independent 'key' stored in a luks2
|
|
Packit |
94f725 |
keyslot that cannot be used to unlock a LUKS2 data device. More specifically,
|
|
Packit |
94f725 |
an 'unbound key' or 'unbound luks2 keyslot' contains a secret that is not
|
|
Packit |
94f725 |
currently associated with any data/crypt segment (encrypted area) in the
|
|
Packit |
94f725 |
LUKS2 'Segments' section (displayed by luksDump).
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
This is a bit of a more general idea. It basically allows to use a keyslot
|
|
Packit |
94f725 |
as a container for a key to be used in other things than decrypting a
|
|
Packit |
94f725 |
data segment.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
As of April 2020, the following uses are defined:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
1) LUKS2 re-encryption. The new volume key is stored in an unbound keyslot
|
|
Packit |
94f725 |
which becomes a regular LUKS2 keyslot later when re-encryption is
|
|
Packit |
94f725 |
finished.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
2) Somewhat similar is the use with a wrapped key scheme (e.g. with the
|
|
Packit |
94f725 |
paes cipher). In this case, the VK (Volume Key) stored in a keyslot
|
|
Packit |
94f725 |
is an encrypted binary binary blob. The KEK (Key Encryption Key) for
|
|
Packit |
94f725 |
that blob may be refreshed (Note that this KEK is not managed by
|
|
Packit |
94f725 |
cryptsetup!) and the binary blob gets changed. The KEK refresh process
|
|
Packit |
94f725 |
uses an 'unbound keyslot'. First the future effective VK is placed
|
|
Packit |
94f725 |
in the unbound keyslot and later it gets turned into the new real VK
|
|
Packit |
94f725 |
(and bound to the respective crypt segment).
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 10.10 What about the size of the LUKS2 header?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
While the LUKS1 header has a fixed size that is determined by the cipher
|
|
Packit |
94f725 |
spec (see Item 6.12), LUKS2 is more variable. The default size is 16MB,
|
|
Packit |
94f725 |
but it can be adjusted on creation by using the --luks2-metadata-size
|
|
Packit |
94f725 |
and --luks2-keyslots-size options. Refer to the man-page for details.
|
|
Packit |
94f725 |
While adjusting the size in an existing LUKS2 container is possible,
|
|
Packit |
94f725 |
it is somewhat complicated and risky. My advice is to do a backup,
|
|
Packit |
94f725 |
recreate the container with changed parameters and restore that backup.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* 10.11 Does LUKS2 store metadata anywhere except in the header?
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
It does not. But note that if you use the experimental integrity support,
|
|
Packit |
94f725 |
there will be an integrity header as well at the start of the data area
|
|
Packit |
94f725 |
and things get a bit more complicated. All metadata will still be at the
|
|
Packit |
94f725 |
start of the device, nothing gets stored somewhere in the middle or at
|
|
Packit |
94f725 |
the end.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
11. References and Further Reading
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* Purpose of this Section
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
The purpose of this section is to collect references to all materials
|
|
Packit |
94f725 |
that do not fit the FAQ but are relevant in some fashion. This can be
|
|
Packit |
94f725 |
core topics like the LUKS spec or disk encryption, but it can also be
|
|
Packit |
94f725 |
more tangential, like secure storage management or cryptography used in
|
|
Packit |
94f725 |
LUKS. It should still have relevance to cryptsetup and its
|
|
Packit |
94f725 |
applications.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
If you want to see something added here, send email to the maintainer
|
|
Packit |
94f725 |
(or the cryptsetup mailing list) giving an URL, a description (1-3 lines
|
|
Packit |
94f725 |
preferred) and a section to put it in. You can also propose new
|
|
Packit |
94f725 |
sections.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
At this time I would like to limit the references to things that are
|
|
Packit |
94f725 |
available on the web.
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* Specifications
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- LUKS on-disk format spec: See Item 1.2
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* Other Documentation
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Arch Linux on LUKS, LVM and full-disk encryption:
|
|
Packit |
94f725 |
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* Code Examples
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Some code examples are in the source package under docs/examples
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- LUKS AF Splitter in Ruby by John Lane: https://rubygems.org/gems/afsplitter
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* Brute-forcing passphrases
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- http://it.slashdot.org/story/12/12/05/0623215/new-25-gpu-monster-devours-strong-passwords-in-minutes
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* Tools
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* SSD and Flash Disk Related
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* Disk Encryption
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* Attacks Against Disk Encryption
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* Risk Management as Relevant for Disk Encryption
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* Cryptography
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
* Secure Storage
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
A. Contributors
|
|
Packit |
94f725 |
In no particular order:
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Arno Wagner
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
- Milan Broz
|
|
Packit |
94f725 |
|
|
Packit |
94f725 |
___
|