cryptsetupis a command line tool that interfaces with the
dm_cryptkernel module that creates, access, and manages encrypted devices.
- Debugging The
--debugoption does not leak the passphrase, however, using
- Backups Always have a fresh backup before attempting anything, especially if you plan on reencrypting a device.
- Cloning Do not distribute cloned encrypted devices because the clone will also include the LUKS header and master key.
- Distribution Installers there is a chance that if you are installing a new distribution or version of a distribution where your data is in an encrypted container, the installer may not activate it resulting in loss of data. Ubuntu has been known to have a habit of killing encrypted containers.
- Non-interactive Formatting There is no warning when formatting a device for encryption.
- Passphrase is not the Master Key The LUKS passphrase is used in decrypting a master key that is randomly selected on header creation. Even if you create a new LUKS header with the same exact parameters with the same passphrase the master key will NOT be the same.
- Debugging The
SetupBefore using the cryptsetup tool, the necessary kernel modules must either be available either as modules or into the kernel. For distributions such as Fedora and Ubuntu, the module are already there. For systems running Gentoo, you must do this yourself.
General setup ---> [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support [*] Enable loadable module support Device Drivers ---> [*] Multiple devices driver support (RAID and LVM) ---> <*> Device mapper support <*> Crypt target supportIn addition to the following options, enable any others you need for other tools.
[*] Cryptographic API ---> <*> XTS support <*> SHA224 and SHA256 digest algorithm <*> AES cipher algorithms <*> AES cipher algorithms (x86_64) <*> User-space interface for hash algorithms <*> User-space interface for symmetric key cipher algorithmsTo use TrueCrypt, tcplay/VeraCrypt, enable the following options.
Device Drivers ---> [*] Block Devices ---> <*> Loopback device support File systems ---> <*> FUSE (Filesystem in Userspace) support [*] Cryptographic API ---> <*> RIPEMD-160 digest algorithm <*> SHA384 and SHA512 digest algorithms <*> Whirlpool digest algorithms <*> LRW support <*> Serpent cipher algorithm <*> Twofish cipher algorithm
# echo "sys-fs/cryptsetup kernel nls python udev # urandom" >> /etc/portage/package.use # emerge sys-fs/cryptsetupUseflags for sys-fs/cryptsetup:
- gcrypt Use dev-libs/libgcrypt crypto backend
- nls add native language support
- python add support for python.
- reencrypt Build cryptsetup-reencrypt
- udev Enable virtual/udev integration (device discovery, power and storage device support, etc)
- urandom Use /dev/urandom instead of /dev/random
- kernel Use kernel crypto backend (mainly for embedded systems)
- libressl Use dev-libs/libressl (fork of openssl) crypto backend
- nettle Use dev-libs/nettle crypto backend
- openssl Use dev-libs/openssl crypto backend
- pwquality Use dev-libs/libpwquality for password quality checking
- static Link modules statically
- static-libs Static versions of libraries
# dnf -y install cryptsetup cryptsetup-reencrypt
# yum -y install cryptsetup cryptsetup-reencrypt
# aptitude -y install cryptsetupThe
dm_cryptmodule should be autoloaded along with any other cipher modules. If not, create a file with the
Selecting an Algorithmdm-crypt is able to use different operating modes such as
--type luks(Linux Unified Key Setup),
--type plainfor using dm-crypt plain mode when the master-key will not be on the device,
--type loopaesfor a loopaes legacy mode, and
--type tcryptfor TrueCrypt compatibility. If you're using Gentoo and enabled the
kernelflag, you can view the list of available ciphers in
/proc/cryptoTo get an idea of the read and write speeds with various ciphers run
PBKDF2-sha1 181540 iterations per second for 256-bit key PBKDF2-sha256 218453 iterations per second for 256-bit key PBKDF2-sha512 151528 iterations per second for 256-bit key PBKDF2-ripemd160 156224 iterations per second for 256-bit key PBKDF2-whirlpool 148607 iterations per second for 256-bit key # Algorithm | Key | Encryption | Decryption aes-cbc 128b 157.6 MiB/s 227.7 MiB/s serpent-cbc 128b 70.8 MiB/s 220.1 MiB/s twofish-cbc 128b 189.6 MiB/s 238.8 MiB/s aes-cbc 256b 161.0 MiB/s 173.3 MiB/s serpent-cbc 256b 88.7 MiB/s 221.8 MiB/s twofish-cbc 256b 195.6 MiB/s 240.9 MiB/s aes-xts 256b 217.8 MiB/s 221.8 MiB/s serpent-xts 256b 200.0 MiB/s 204.6 MiB/s twofish-xts 256b 219.7 MiB/s 219.1 MiB/s aes-xts 512b 169.3 MiB/s 171.7 MiB/s serpent-xts 512b 202.5 MiB/s 203.9 MiB/s twofish-xts 512b 219.6 MiB/s 218.3 MiB/sWhen it comes to selecting the algorithm, aes-xts is enough for the average user.
Keys and PassphrasesA keyfile is a file whose data is used as the passphrase to unlock an encrypted volume. That means if such a file is lost or changed, decrypting the volume may no longer be possible. When no key file is specified during the setup of the encrypted device, then a passphrase will need to be entered manually. When selecting a passphrase, the length of it doesn't matter as much as entropy.
|Average English word||0.6 - 1.3|
1/2 * 2^entropy. In short, choose a passphrase that has a entropy of at least 80 Bits. Passphrase keyfile is a key file containing a simple passphrase. The benefit of this type of key file is that if the file is lost the data it contained is known and hopefully easily remembered by the owner of the encrypted volume. However the disadvantage is that this does not add any security over entering a passphrase during the initial system start.
# echo -n "mypassphrase" > /root/encryption.key # chown root:root /root/encryption.key # chmod 0400 /root/encryption.keyBuilding on the concept of passphrase keyfiles, the contents of the passphrase keyfile can be completely random. The benefit of this type of keyfile is that it is much more resistant to dictionary attacks than a simple passphrase. An additional strength of keyfiles can be utilized in this situation which is the length of data used. Since this is not a string meant to be memorized by a person for entry, it is trivial to create files containing thousands of random characters as the key. The disadvantage is that if this file is lost or changed, it will most likely not be possible to access the encrypted volume without a backup passphrase.
# dd bs=512 count=4 if=/dev/urandom of=/root/encryption.key # chmod 600 /root/encryption.keyWhen creating a keyfile anywhere, will leave a trace even after you delete the file. Using the
shredis ineffective due to journaling file systems and solid state storage. The best way to create a key without leaving a trace of it is to do it in RAM and move it immediately to a dedicated flash drive.
# mkdir /mnt/ram # mount -t ramfs ramfs /mnt/ram # dd bs=512 count=4 if=/dev/urandom of=/mnt/ram/encryption.key # mv /mnt/ram/encryption.key /run/media/root/usb-keyUsing a binary file as a keyfile, such as images, text, video, etc. When identifying files as candidates for a keyfile, it is recommended to choose files that are relatively static such as photos, music, video clips. The benefit of these files is that they serve a dual function which can make them harder to identify as keyfiles. Instead of having a text file with a large amount of random text, the keyfile would look like a regular image file or music clip to the casual observer. The disadvantage is that if this file is lost or changed, it will most likely not be possible to access the encrypted volume without a backup passphrase. Additionally, there is a theoretical loss of randomness when compared to a randomly generated text file. This is due to the fact that images, videos and music have some intrinsic relationship between neighboring bits of data that does not exist for a text file. However this is controversial and has never been exploited publicly.
Key StorageOne-Time Key is a key that changes at each boot. This key is usually created using /dev/urandom during dm-crypt setup. The key is not stored anywhere and no passphrase is needed. This type of key can only be used on file systems that can be formatted during reboot; swap or /tmp. Removable storage allows you to access the key when needed but the data is vulnerable when decrypted and left unattended. Using a hash value from a key phrase does not require the key to be stored in a file. Encrypting the key using GPG and storing it on another device such as a flash drive where the passphrase used to encrypt the key can be changed by reencrypting it with a different one. Using a Smart Card isn't directly implemented with dm_crypt, but can be implemented using a series of key-scripts
Encrypting the DeviceGiven that you want to use /dev/sdb to store your sensitive data on, you can simply run the following command:
# cryptsetup luksFormat /dev/sdb1To see what defaults are used, simply run:
...snip... Default compiled-in key and passphrase parameters: Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters) Default PBKDF2 iteration time for LUKS: 2000 (ms) Default compiled-in device cipher parameters: loop-AES: aes, Key 256 bits plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160 LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/randomOn my system, the previous
cryptsetupcommand is equivalent to the following.
# cryptsetup --cipher aes-xts-plain64 --key-size 256 --hash sha256 --iter-time 2000 --use-urandom --verify-passphrase luksFormat /dev/sdb1When using xts ciphers, the key size is split in half. To obtain the desired key size, such as 256, 512 must be used.
--iter-timeis the number of milliseconds to spend with PBKDF2 passphrase processing.
# cryptsetup luksFormat --type luks2 /dev/sdb /root/encryption.key
# cryptsetup --type plain -v open /dev/sdb encd # cryptsetup --type plain --cipher=serpent-xts-plain64 --hash=sha256 --key-size=256 --offset=10 open /dev/mapper/encd encd2 # parted -s -a optimal /dev/mapper/encd2 -- mklabel gpt mkpart primary encrypted 0 -1 # mkfs.ext4 /dev/mapper/encd21
Key ManagementUp to 8 keys can be used with encrypted devices.
Key Slot 0: ENABLED Key Slot 1: DISABLED Key Slot 2: DISABLED Key Slot 3: DISABLED Key Slot 4: DISABLED Key Slot 5: DISABLED Key Slot 6: DISABLED Key Slot 7: DISABLED
# cryptsetup luksAddKey /dev/sdb /root/encryption.key
cryptsetupwill add the specified key to the next available slot. To use a different slot, use the
-Soption along with the desired slot. If no key is indicated, then a password prompt will be displayed.
cryptsetup luksAddKey /dev/sda -s 3To change the key in a particular slot:
cryptsetup luksChangeKey /dev/sda3 -s 3There are three subcommands that are used to remove keys:
luksRemoveKeywill remove the key in a slot by specifying the passphrase/key file.
luksKillSlotwill remove the key in a particular slot and replace it with a new one.
luksErasewill remove all keys without prompting for a passphrase or warning.
LUKS Header Management
# cryptsetup luksHeaderBackup /dev/sdb --header-backup-file /root/sdb-header.img
# mount -t ramfs ramfs /mnt/ram # cryptsetup luksHeaderBackup /dev/sdb --header-backup-file /mnt/ram/sdb-header.img # gpg2 --recipient --encrypt /mnt/ram/sdb-header.img # cp /mnt/ram/sdb-header.img.gpg /mnt/backup/ # umount /mnt/ram
# cryptsetup luksDump /dev/sdb | grep "Payload offset" Payload offset: 4040 # fdisk -l /dev/sdb | grep "Sector size" # mount -t ramfs ramfs /mnt/ram # cp /mnt/backup/sdb-header.img.gpg /mnt/ram # gpg2 --decrypt /mnt/ram/sdb-header.img.gpg # dd if=/mnt/ram/sdb-header.img of=/dev/sdb bs=512 count=4040
cryptsetup-reencryptcan be used to convert an unencrypted FS to an encrypted one, remove encryption, or re-encrypt the device. Re-encryption is not possible for detached LUKS header or other encryption modes (e.g., plain-mode). Default LUKS header requires 4096 512-byte sectors. In order to encrypt an unencrypted device:
- Unmount the device.
- Check the file system using fsck.
- Resize the file system using the appropriate tool to the smallest possible size.
- Reduce the device by 4096 sectors so the LUKS header can be added then encrypt it using the default options.
- Open the newly created encrypted disk
- Resize the newly created encrypted device to its maximum size.
- Mount the mapped device and continue using it.
# umount /mnt/data # fsck -f /dev/sdb1 # resize2fs -M /dev/sdb1 # cryptsetup-reencrypt /dev/sdb1 --new --reduce-device-size 4096S # cryptsetup open /dev/sdb1 recrypt # resize2fs /dev/mapper/recrypt # mount /dev/mapper/recrypt /mntTo reencrypt a device using the same options and only changing the passphrase:
# cryptsetup-reencrypt /dev/sdb1The ability to change the luks header may be limited by its size.
Cipher mode: cbc-essiv:sha256 Payload offset: 2048 MK bits: 128It's possible to upgrade the encryption of a device but only so in two steps.
- Re-encrypting with the same encryption options, but using the --reduce-device-size option to make further space for the larger LUKS header.
- Re-encypt the whole device again with the desired cipher.
Unlocking at BootFor a secondary device, add an entry to the /etc/crypttab. In this file, each line represents one entry, all text after `#` is ignored. Each field on the line is separated by a space where the first two fields are required.
- Name to map the device to.
- Device path or
- Encryption password
- Encryption options
- discard - allows discard requests to be passed to the device.
- cipher= - specifies the cipher for the encrypted device.
- hash= - specifies the hash for the the encrypted device.
- header= - Used for LUKS devices that have a detached head. This option specifies where that header is located.
- offset= - Start offset in the backend device, using 512-byte sectors. Only works for plain devices.
- skip= - Number of 512-byte sectors of the encrypted data to skip from the beginning. This indicates where the data on the device starts.
- keyfile-offset= - Number of bytes to skip at the start of the keyfile.
- keyfile-size= - Maximum number of bytes to read from the keyfile. This is ignored in plain mode.
- key-slot= - Which slot the to compare the key file or passphrase.
- luks - Force LUKS mode. When used, cipher,hash,size are ignored since they are provided by the LUKS header.
- _netdev - Marks the device as requiring network connectivity.
- noauto - Device will not be added to the cryptsetup.target meaning it will not be unlocked on boot.
- nofail - Device is not a hard dependency of the cryptsetup.target. It is still pulled in and started but they system will not wait for the device to show up and be unlocked.
- offset= - Start offset in the backend device, in 512-byte sectors. This is only relevant for plain devices.
- plain - Force plain encryption mode.
- read-only, readonly - Sets the encrypted device in read-only mode.
- skip= - Number of 512-byte sectors of encrypted data to skip at the beginning.
- size= - Specifies the key size in bits.
- swap - Device will be used as a swap device, and will be formatted accordingly after setting up the encrypted block device, with mkswap. Implies plain
- tcrypt - Enables TrueCrypt mode. When used, cipher, hash, keyfile-offset, size are ignored since they are provided by the TrueCrypt header.
- tcrypt-hidden - Use the hidden TrueCrypt volume. Implies tcrypt.
- tcrypt-keyfile= - Specifies the absolute path to a keyfile to use for a TrueCrypt volume. Implies tcrypt. This option can be specified more than once.
- tcrypt-system - TrueCrypt system encryption mode.
- tcrypt-veracrypt - Check for a VeraCrypt colume. VeraCrypt is a fork of TrueCrypt that is mostly compatible but uses different, stronger key derivation algorithms that cannot be detected without this flag. This option could substantially slow down unlocking due to the aforementioned.
- timeout= - Specifies the timeout for querying for a password. Value is in seconds by default, appending s, ms, us, min, h, d. A value of 0 waits indefinitely, the default wait time.
- tmp - Device will be prepared for using it as /tmp, being formatted using mke2fs. Implies plain
- tries= - Number of times a user is asked for the password. Default is 3, 0 means there is no limit.
- verify - Requires the user to enter the passphrase twice.
- x-systemd.device-timeout= - How long systemd should wait for a device to show up before giving up on the entry.