322
325
easy to make, but will compromise your security.
325
* 2.2 How do I set up encrypted swap?
328
* 2.2 LUKS on partitions or raw disks?
330
This is a complicated question, and made more so by the availability
331
of RAID and LVM. I will try to give some scenarios and discuss
332
advantages and disadvantages. Note that I say LUKS for simplicity,
333
but you can do all the things described with plain dm-crypt as well.
334
Also note that your specific scenario may be so special that most
335
or even all things I say below do not apply.
337
Be aware that if you add LVM into the mix, things can get very
338
complicated. Same with RAID but less so. In particular, data
339
recovery can get exceedingly difficult. Only do so if you have a
340
really good reason and always remember KISS is what separates an
341
engineer from an amateur. Of course, if you really need the added
342
complexity, KISS is satisfied. But be very sure as there is a price
343
to pay for it. In engineering, complexity is always the enemy and
344
needs to be fought without mercy when encountered.
346
Also consider using RAID instead of LVM, as at least with the old
347
superblock format 0.90, the RAID superblock is in the place (end
348
of disk) where the risk of it permanently damaging the LUKS header
349
is smallest and you can have your array assembled by the RAID
350
controller (i.e. the kernel), as it should be. Use partition type
351
0xfd for that. I recommend staying away from superblock formats
352
1.0, 1.1 and 1.2 unless you really need them. Be aware that you
353
lose autodetection with them and have to fall back to some
354
user-space script to do it.
358
(1) Encrypted partition: Just make a partition to your liking,
359
and put LUKS on top of it and a filesystem into the LUKS container.
360
This gives you isolation of differently-tasked data areas, just as
361
ordinary partitioning does. You can have confidential data,
362
non-confidential data, data for some specific applications,
363
user-homes, root, etc. Advantages are simplicity as there is a 1:1
364
mapping between partitions and filesystems, clear security
365
functionality and the ability to separate data into different,
366
independent (!) containers.
368
Note that you cannot do this for encrypted root, that requires an
369
initrd. On the other hand, an initrd is about as vulnerable to a
370
competent attacker as a non-encrypted root, so there really is no
371
security advantage to doing it that way. An attacker that wants to
372
compromise your system will just compromise the initrd or the
373
kernel itself. The better way to deal with this is to make sure the
374
root partition does not store any critical data and move that to
375
additional encrypted partitions. If you really are concerned your
376
root partition may be sabotaged by somebody with physical access
377
(that would however strangely not, say, sabotage your BIOS,
378
keyboard, etc.), protect it in some other way. The PC is just not
379
set-up for a really secure boot-chain (whatever some people may
382
(2) Fully encrypted raw block device: For this, put LUKS on the
383
raw device (e.g. /dev/sdb) and put a filesystem into the LUKS
384
container, no partitioning whatsoever involved. This is very
385
suitable for things like external USB disks used for backups or
386
offline data-storage.
388
(3) Encrypted RAID: Create your RAID from partitions and/or full
389
devices. Put LUKS on top of the RAID device, just if it were an
390
ordinary block device. Applications are just the same as above, but
391
you get redundancy. (Side note as many people seem to be unaware of
392
it: You can do RAID1 with an arbitrary number of components in
393
Linux.) See also Item 2.8.
395
(4) Now, some people advocate doing the encryption below the RAID
396
layer. That has several serious problems. One is that suddenly
397
debugging RAID issues becomes much harder. You cannot do automatic
398
RAID assembly anymore. You need to keep the encryption keys for the
399
components in sync or manage them somehow. The only possible
400
advantage is that things may run a little faster as more CPUs do
401
the encryption, but if speed is a priority over security and
402
simplicity, you are doing this wrong anyways. A good way to
403
mitigate a speed issue is to get a CPU that does hardware AES.
406
* 2.3 How do I set up encrypted swap?
327
408
As things that are confidential can end up in swap (keys,
328
409
passphrases, etc. are usually protected against being swapped to
689
770
misaligned, dm-crypt can make the effect worse though.
773
* 2.19 How can I wipe a device with crypto-grade randomness?
775
The conventional recommendation if you want to not just do a
776
zero-wipe is to use something like
778
cat /dev/urandom > <taget-device>
780
That is very slow and painful at 10-20MB/s on a fast computer.
781
Using cryptsetup and a plain dm-crypt device with a random key, it
782
is much faster and gives you the same level of security. The
783
defaults are quite enough.
785
For device set-up, do the following:
787
cryptsetup open --type plain -d /dev/urandom /dev/<block-device> to_be_wiped
789
Then you have several options. Simple wipe without
792
cat /dev/zero > /dev/mapper/to_be_wiped
794
Progress-indicator by dd_rescue:
796
dd_rescue -w /dev/zero /dev/mapper/to_be_wiped
798
Progress-indicator by my "wcs" stream meter (available from
799
http://www.tansi.org/tools/index.html ):
801
cat /dev/zero | wcs > /dev/mapper/to_be_wiped
803
Remove the mapping at the end and you are done.
692
806
3. Common Problems
1124
1238
new filesystem on the raw LUKS partition, making the raw partition
1125
1239
part of a raid array and just writing to the raw partition.
1127
The LUKS header contains a 256 bit "salt" value and without that no
1128
decryption is possible. While the salt is not secret, it is
1129
key-grade material and cannot be reconstructed. This is a
1241
The LUKS header contains a 256 bit "salt" per key-slot and without
1242
that no decryption is possible. While the salts are not secret,
1243
they are key-grade material and cannot be reconstructed. This is a
1130
1244
cryptographically strong "cannot". From observations on the
1131
1245
cryptsetup mailing-list, people typically go though the usual
1132
1246
stages of grief (Denial, Anger, Bargaining, Depression, Acceptance)
1135
1249
fine. Even if we usually cannot help with getting back your data,
1136
1250
most people found the feedback comforting.
1138
If your header does not contain an intact salt, best go directly
1139
to the last stage ("Acceptance") and think about what to do now.
1140
There is one exception that I know of: If your LUKS container is
1141
still open, then it may be possible to extract the master key from
1142
the running system. See Item "How do I recover the master key from
1143
a mapped LUKS container?" in Section "Backup and Data Recovery".
1252
If your header does not contain an intact key-slot salt, best go
1253
directly to the last stage ("Acceptance") and think about what to
1254
do now. There is one exception that I know of: If your LUKS
1255
container is still open, then it may be possible to extract the
1256
master key from the running system. See Item "How do I recover the
1257
master key from a mapped LUKS container?" in Section "Backup and
1146
1261
* 5.8 What is a "salt"?
1810
1951
damage the LUKS header or key-slots?
1812
1953
There are two critical components for decryption: The salt values
1813
in the header itself and the key-slots. If the salt values are
1814
overwritten or changed, nothing (in the cryptographically strong
1815
sense) can be done to access the data, unless there is a backup
1816
of the LUKS header. If a key-slot is damaged, the data can still
1817
be read with a different key-slot, if there is a remaining
1818
undamaged and used key-slot. Note that in order to make a key-slot
1819
unrecoverable in a cryptographically strong sense, changing about
1820
4-6 bits in random locations of its 128kiB size is quite enough.
1954
in the key-slot descriptors of the header and the key-slots. If the
1955
salt values are overwritten or changed, nothing (in the
1956
cryptographically strong sense) can be done to access the data,
1957
unless there is a backup of the LUKS header. If a key-slot is
1958
damaged, the data can still be read with a different key-slot, if
1959
there is a remaining undamaged and used key-slot. Note that in
1960
order to make a key-slot unrecoverable in a cryptographically
1961
strong sense, changing about 4-6 bits in random locations of its
1962
128kiB size is quite enough.
1823
1965
* 6.9 What happens if I (quick) format a LUKS partition?
1951
2093
The exact specification of the format is here:
1952
2094
http://code.google.com/p/cryptsetup/wiki/Specification
2096
For your convenience, here is the LUKS header with hex offsets.
2097
NOTE: The spec counts key-slots from 1 to 8, but the cryptsetup
2098
tool counts from 0 to 7. The numbers here refer to the cryptsetup
2101
Refers to LUKS On-Disk Format Specification Version 1.2.1
2103
offset length name data type description
2104
-----------------------------------------------------------------------
2105
0x0000 0x06 magic byte[] 'L','U','K','S', 0xba, 0xbe
2107
0x0006 0x02 version uint16_t LUKS version
2109
0x0008 0x20 cipher-name char[] cipher name spec.
2111
0x0028 0x20 cipher-mode char[] cipher mode spec.
2113
0x0048 0x20 hash-spec char[] hash spec.
2115
0x0068 0x04 payload-offset uint32_t bulk data offset in sectors
2116
104 4 (512 bytes per sector)
2117
0x006c 0x04 key-bytes uint32_t number of bytes in key
2119
0x0070 0x14 mk-digest byte[] master key checksum
2120
112 20 calculated with PBKDF2
2121
0x0084 0x20 mk-digest-salt byte[] salt for PBKDF2 when
2122
132 32 calculating mk-digest
2123
0x00a4 0x04 mk-digest-iter uint32_t iteration count for PBKDF2
2124
164 4 when calculating mk-digest
2125
0x00a8 0x28 uuid char[] partition UUID
2127
0x00d0 0x30 key-slot-0 key slot key slot 0
2129
0x0100 0x30 key-slot-1 key slot key slot 1
2131
0x0130 0x30 key-slot-2 key slot key slot 2
2133
0x0160 0x30 key-slot-3 key slot key slot 3
2135
0x0190 0x30 key-slot-4 key slot key slot 4
2137
0x01c0 0x30 key-slot-5 key slot key slot 5
2139
0x01f0 0x30 key-slot-6 key slot key slot 6
2141
0x0220 0x30 key-slot-7 key slot key slot 7
2144
offset length name data type description
2145
-------------------------------------------------------------------------
2146
0x0000 0x04 active uint32_t key slot enabled/disabled
2148
0x0004 0x04 iterations uint32_t PBKDF2 iteration count
2150
0x0008 0x20 salt byte[] PBKDF2 salt
2152
0x0028 0x04 key-material-offset uint32_t key start sector
2153
40 4 (512 bytes/sector)
2154
0x002c 0x04 stripes uint32_t number of anti-forensic
1955
2158
* 6.13 What is the smallest possible LUKS container?
2186
2389
It is the other way round: In gcrypt 1.5.3 and before Whirlpool is
2187
2390
broken and it was fixed in the next version. If you selected
2188
2391
whirlpool as hash on creation of a LUKS container, it does not work
2189
anymore with the fixed library. Currently, the only work-around is
2190
to decrypt with the old version. This also shows one risk of using
2191
rarely used settings.
2392
anymore with the fixed library. This shows one serious risk of
2393
using rarely used settings.
2395
The only two ways to deal with this are either to decrypt with an
2396
old gcrypt version that has the flaw or to use a compatibility
2397
feature introduced in cryptsetup 1.6.4 and gcrypt 1.6.1 or later.
2398
Versions of gcrypt between 1.5.4 and 1.6.0 cannot be used.
2402
- Make a least a header backup or better, refresh your full
2403
backup. (You have a full backup, right? See Item 6.1 and
2406
- Make sure you have cryptsetup 1.6.4 or later and check the gcrypt
2410
cryptsetup luksDump <your luks device> --debug | grep backend
2412
If gcrypt is at version 1.5.3 or before:
2414
- Reencrypt the LUKS header with a different hash. (Requires
2415
entering all keyslot passphrases. If you do not have all, remove
2416
the ones you do not have before.):
2418
cryptsetup-reencrypt --keep-key --hash sha256 <your luks device>
2420
If gcrypt is at version 1.6.1 or later:
2422
- Patch the hash name in the LUKS header from "whirlpool" to
2423
"whirlpool_gcryptbug". This activates the broken implementation.
2424
The detailed header layout is in Item 6.12 of this FAQ and in the
2425
LUKS on-disk format specification. One way to change the hash is
2426
with the following command:
2428
echo -n -e 'whirlpool_gcryptbug\0' | dd of=<luks device> bs=1 seek=72 conv=notrunc
2430
- You can now open the device again. It is highly advisable to
2431
change the hash now with cryptsetup-reencrypt as described above.
2432
While you can reencrypt to use the fixed whirlpool, that may not
2433
be a good idea as almost nobody seems to use it and hence the long
2434
time until the bug was discovered.
2194
2437
9. References and Further Reading