Encrypt Linux partition using LUKS

Hi everybody. Today I will explain how to use LUKS to encrypt a disk partition. LUKS stands for Linux Unified Key Setup, which means that you can forget about mounting a LUKS partition as such on a Windows operating system. LUKS uses the cryptsetup user-space tool to configure dmcrypt, the kernel-space module that does all the cryptographic work. Because LUKS is the standard for Linux hard disk encryption, it not only facilitates compatibility among Linux distributions, but also provides secure management of multiple user passphrases. Another important point, in contrast to existing products, is that LUKS stores all necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly. The next figure shows the different interfaces between your hardware (hard disk, SD card, etc.) and user space.

[Figure: luks-layers]

To summarize, cryptsetup is used to configure and manage dmcrypt from user space. cryptsetup uses /dev/random and /dev/urandom as its random number generators.

dmcrypt

dmcrypt (device-mapper) encrypts the target (full disk or partition) and provides transparent encryption of block devices using the kernel cryptographic API. The device-mapper concept (/dev/mapper) is included in Linux kernels 2.6 and 3.x and provides a generic way to create virtual layers of block devices. The main idea is that the user creates a block device node in /dev/mapper; all data written to this device is encrypted and all data read from it is decrypted.

Key generation

In order to generate a secure key, LUKS uses the TKS1 template. This template uses the PBKDF2 method to provide better resistance against brute-force attacks, which is very useful if the user passphrase has low entropy. In addition, the TKS1 template uses a two-level hierarchy of cryptographic keys to provide the ability to change passphrases. The encryption key is derived from this passphrase. The next scheme explains how the system is initialized.

[Figure: luks-gen]

Firstly, the master key is generated by LUKS using /dev/(u)random, and a salt is generated too. The system measures the performance of the host to determine the number of iterations that PBKDF2 will perform to hash the passphrase. This passphrase is set by the user when he configures LUKS. The hash function used by PBKDF2 can be specified during setup; we will see all these parameters later. Once the user passphrase has been derived (a salted hash), it is combined with the master key by encryption to produce the encrypted master key. The last step splits the encrypted master key into several fragments and saves the AF-split encrypted master key, the iteration count and the salt to storage. By default, LUKS uses the AES-256 cipher in XTS mode, and the master key is 256 bits long. Please note that the AES-256 cipher must be available on your system; the list of supported ciphers and modes can be found in /proc/crypto.
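The initialization just described can be followed step by step in code. The following is an added example written for this article, not cryptsetup's own code: it derives keys with PBKDF2-HMAC-SHA1 (the hash spec shown later in the luksDump), benchmarks the host to pick an iteration count, generates a random master key and salts, and computes the master-key digest that a LUKS1 header keeps so that a candidate master key can be checked without storing the key itself. The AES step that actually encrypts the master key with the slot key, and the AF-splitting, are left out because the Python standard library has no AES. All function and constant names are this example's own.

```python
import hashlib
import hmac
import os
import time

# Parameters chosen to mirror the header shown later in the article (hash spec
# sha1, 256-bit master key); the constants and function names are this example's own.
HASH_SPEC = "sha1"
MASTER_KEY_BYTES = 32   # 256-bit master key
DIGEST_BYTES = 20       # SHA-1 output length, the size of the MK digest
SALT_BYTES = 32


def derive_key(passphrase: bytes, salt: bytes, iterations: int, length: int) -> bytes:
    """PBKDF2-HMAC over the hash spec: the salted, deliberately slow
    stretching that makes brute-forcing a weak passphrase expensive."""
    return hashlib.pbkdf2_hmac(HASH_SPEC, passphrase, salt, iterations, length)


def benchmark_iterations(target_seconds: float = 1.0, probe: int = 2000) -> int:
    """Time a probe derivation on this host and scale the iteration count so
    that one derivation costs about target_seconds. cryptsetup benchmarks in
    the same spirit at luksFormat time; the exact scaling rule here is ours."""
    start = time.perf_counter()
    derive_key(b"benchmark", os.urandom(SALT_BYTES), probe, DIGEST_BYTES)
    elapsed = max(time.perf_counter() - start, 1e-6)
    return max(1000, int(probe * target_seconds / elapsed))


def master_key_digest(master_key: bytes, mk_salt: bytes, mk_iterations: int) -> bytes:
    """The header stores PBKDF2(master key, MK salt, MK iterations) rather than
    the master key itself, so a candidate key can be checked without revealing it."""
    return derive_key(master_key, mk_salt, mk_iterations, DIGEST_BYTES)


def verify_master_key(candidate: bytes, mk_salt: bytes, mk_iterations: int,
                      stored_digest: bytes) -> bool:
    """Constant-time comparison of a recomputed digest with the stored one."""
    return hmac.compare_digest(master_key_digest(candidate, mk_salt, mk_iterations),
                               stored_digest)


def initialise_header(passphrase: bytes, target_seconds: float = 0.2) -> dict:
    """Walk through the TKS1 initialisation described in the article: random
    master key and salts, benchmarked iteration counts, a per-slot key derived
    from the passphrase, and the MK digest kept in the header."""
    master_key = os.urandom(MASTER_KEY_BYTES)          # from the kernel CSPRNG
    mk_salt = os.urandom(SALT_BYTES)
    mk_iterations = benchmark_iterations(target_seconds)
    slot_salt = os.urandom(SALT_BYTES)                 # every key slot gets its own salt
    slot_iterations = benchmark_iterations(target_seconds)
    # The slot key is what would encrypt the master key before AF-splitting;
    # that AES step is omitted here (no AES in the standard library).
    slot_key = derive_key(passphrase, slot_salt, slot_iterations, MASTER_KEY_BYTES)
    return {
        "master_key": master_key,
        "mk_salt": mk_salt,
        "mk_iterations": mk_iterations,
        "mk_digest": master_key_digest(master_key, mk_salt, mk_iterations),
        "slot_salt": slot_salt,
        "slot_iterations": slot_iterations,
        "slot_key": slot_key,
    }


if __name__ == "__main__":
    hdr = initialise_header(b"correct horse battery staple")
    print("MK iterations:", hdr["mk_iterations"])
    print("MK digest:", hdr["mk_digest"].hex())
    print("master key verifies:", verify_master_key(
        hdr["master_key"], hdr["mk_salt"], hdr["mk_iterations"], hdr["mk_digest"]))
    print("all-zero key verifies:", verify_master_key(
        bytes(MASTER_KEY_BYTES), hdr["mk_salt"], hdr["mk_iterations"], hdr["mk_digest"]))
```

Run it twice and the iteration counts will differ slightly because they depend on the host's speed at that moment, which is exactly why cryptsetup stores the chosen count next to the salt in the header.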

Tutorial: Create a LUKS ext4 partition

In this tutorial, I use Ubuntu 14.04.02 LTS. First, it is necessary to install cryptsetup.

sudo apt-get install cryptsetup-bin --yes

The first step is to initialize a LUKS partition. Be careful: when you execute this command, all data on the given partition will be lost. You will be asked to enter your passphrase.

cryptsetup luksFormat /dev/sdb

After that, you can check the partition by dumping its header:

cryptsetup luksDump /dev/sdb

[Figure: luks-dump]

This dump provides a lot of interesting information about the master key (MK):

  • Cipher: AES-256 with XTS mode
  • Hash function: SHA-1
  • Master key length: 256 bits
  • Master key digest: 8c 54 b8 de 9b fb 6f 42 31 5f 46 f5 51 6a 2b b0 cb 12 03 80
  • Master key salt: 57 ee d2 39 47 9a 36 f8 18 71 e9 41 af 53 46 b9 2a 5b 88 00 ee 95 da 31 43 4b 84 4a 66 53 08 f6
  • Number of iterations for the master key hash: 58’500
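Reading these values by eye works for one disk; for an audit of many, it helps to parse the dump. The following is an added example, not part of the original article or of cryptsetup: a small parser for the LUKS1 luksDump layout that extracts the cipher, hash spec, master-key digest, salt and iteration count, lists which key slots are enabled with their own salt and iteration count, and flags a digest or salt whose length does not match the hash spec. The sample dump is constructed for this example: the MK digest, MK salt, iteration count and cipher settings are the values quoted above, while the UUID, the slot salt and the slot iteration count are placeholders. A real dump lists key slots 0 to 7.

```python
import re

# Constructed sample modelled on the layout of `cryptsetup luksDump` for a
# LUKS1 header. MK digest, MK salt, MK iterations and cipher settings are the
# values quoted in the article; UUID, slot salt and slot iterations are placeholders.
SAMPLE_DUMP = """\
LUKS header information for /dev/sdb

Version:       \t1
Cipher name:   \taes
Cipher mode:   \txts-plain64
Hash spec:     \tsha1
Payload offset:\t4096
MK bits:       \t256
MK digest:     \t8c 54 b8 de 9b fb 6f 42 31 5f 46 f5 51 6a 2b b0 cb 12 03 80
MK salt:       \t57 ee d2 39 47 9a 36 f8 18 71 e9 41 af 53 46 b9
               \t2a 5b 88 00 ee 95 da 31 43 4b 84 4a 66 53 08 f6
MK iterations: \t58500
UUID:          \t00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
\tIterations:         \t234000
\tSalt:               \t01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10
\t                    \t11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20
\tKey material offset:\t8
\tAF stripes:            \t4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
"""

SLOT_RE = re.compile(r"^Key Slot (\d+):\s*(ENABLED|DISABLED)\s*$")


def parse_luks_dump(text: str) -> dict:
    """Turn luksDump text into {'header': {...}, 'slots': {n: {...}}}.
    Values stay strings; hex fields that wrap onto continuation lines
    (MK salt, slot Salt) are joined back into one string."""
    header, slots = {}, {}
    section, last_key = header, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SLOT_RE.match(line)
        if m:                                   # start of a key-slot section
            section = slots.setdefault(int(m.group(1)), {})
            section["state"] = m.group(2)
            last_key = None
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            section[last_key] = value.strip()
        elif last_key is not None:              # continuation of a hex field
            section[last_key] += " " + line
    return {"header": header, "slots": slots}


def hexfield(value: str) -> bytes:
    return bytes.fromhex(value.replace(" ", ""))


def summarize(parsed: dict) -> dict:
    """Pull out the facts the article reads from the dump and check that the
    digest and salt have the lengths the hash spec implies."""
    h = parsed["header"]
    hash_spec = h["Hash spec"]
    mk_digest = hexfield(h["MK digest"])
    mk_salt = hexfield(h["MK salt"])
    enabled = sorted(n for n, s in parsed["slots"].items() if s["state"] == "ENABLED")
    problems = []
    expected = {"sha1": 20, "sha256": 32, "sha512": 64}.get(hash_spec)
    if expected is not None and len(mk_digest) != expected:
        problems.append(f"MK digest is {len(mk_digest)} bytes, expected {expected}")
    if len(mk_salt) != 32:
        problems.append(f"MK salt is {len(mk_salt)} bytes, expected 32")
    if not enabled:
        problems.append("no key slot enabled: the master key cannot be unlocked")
    return {
        "cipher": f"{h['Cipher name']}-{h['MK bits']}",
        "mode": h["Cipher mode"],
        "hash": hash_spec,
        "mk_bits": int(h["MK bits"]),
        "mk_iterations": int(h["MK iterations"]),
        "mk_digest": mk_digest,
        "mk_salt": mk_salt,
        "enabled_slots": enabled,
        "slot_iterations": {n: int(parsed["slots"][n]["Iterations"]) for n in enabled},
        "slot_salts": {n: hexfield(parsed["slots"][n]["Salt"]) for n in enabled},
        "problems": problems,
    }


if __name__ == "__main__":
    info = summarize(parse_luks_dump(SAMPLE_DUMP))
    for k, v in info.items():
        print(f"{k}: {v.hex() if isinstance(v, bytes) else v}")
```

To run it against a real device, replace SAMPLE_DUMP with the output of `cryptsetup luksDump /dev/sdb` (for example read from a file); after luksAddKey the enabled_slots list will show the extra slot with its own salt and iteration count.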

For the moment, only one passphrase is enabled for this partition (key slot 0), but it is possible to add more passphrases. We can see that the passphrase uses another salt and that its number of iterations is different too. In fact, for each new passphrase, the salt and the iteration count will be different. If you want to add another passphrase for this partition, you can use this command:

cryptsetup luksAddKey /dev/sdb

If we dump the partition header again, we can see the field “Key Slot 1” filled in. This field corresponds to the new passphrase.

[Figure: luks-dump2]

Now, we can create the mapping under /dev/mapper.

cryptsetup open --type luks /dev/sdb myCryptedPartition
Enter passphrase for /dev/sdb: ******

You will be asked for the passphrase, of course. You should now see the special file /dev/mapper/myCryptedPartition.

ls -al /dev/mapper/myCryptedPartition 
lrwxrwxrwx 1 root root 7 Jun 29 00:29 /dev/mapper/myCryptedPartition -> ../dm-0

By default on Ubuntu, this command creates a symbolic link to /dev/dm-0. I do not know exactly why; on an ARM-7 board, for example, this symbolic link is not created. Let us look at the target of this link:

ls -al /dev/dm-0
brw-rw---- 1 root disk 252, 0 Jun 29 00:29 /dev/dm-0

We can see that the permissions are more restrictive now: only the owner (root) and members of the disk group have read/write access to this block device. The next step is to format this partition. In this example, I will format it as EXT4.

sudo mkfs.ext4 /dev/dm-0

And now, it is possible to mount this partition wherever you want, for example under /mnt.

sudo mkdir /mnt/myLuksMountPoint
sudo mount /dev/dm-0 /mnt/myLuksMountPoint

And now, we are able to see the mounted LUKS device.

ls -al /mnt/myLuksMountPoint/
total 24
drwxr-xr-x 3 root root  4096 Jun 29 00:34 .
drwxr-xr-x 4 root root  4096 Jun 29 00:36 ..
drwx------ 2 root root 16384 Jun 29 00:34 lost+found

The next figure summarizes the work done in this tutorial.

[Figure: luks-resume]

If you are using Ubuntu, try to reboot now: Ubuntu should detect this new partition and show you an icon like the one below. Click on it and you will be asked for the passphrase. Enter a valid passphrase and you will be able to use your encrypted partition.

[Figure: luks-ubuntu-lock]

[Figure: luks-ubuntu-passphrase]

That is it. I hope you will find this little tutorial interesting, and do not hesitate to tell me if you want to read more detailed material about LUKS.


2 Comments

  1. Maybe I did not understand something, but can a partition like that be automounted?
    When the partition is mounted, is it visible to all in clear?
    Can the root user remove the keys and thus prevent some users’ access?
    Could the root user gain access by adding keys?
    If the last three answers are no, it’s very interesting.

  2. Yes, I think it could be automounted because there is the possibility to encrypt your whole root filesystem. When the partition is mounted, only the specified user has access to it, but you have the possibility to set multiple passwords. Anyone who has a valid passphrase can see the partition. Even the root user must have a valid passphrase to modify a LUKS partition.
