Hi everybody. Today I will explain you how to use LUKS to encrypt a disk partition. LUKS stands for Linux Unified Key Setup that means that you can forget to mount as such LUKS partition on a Windows operating system. LUKS uses cryptsetup user-space tool to configure dmcrypt, a kernel-space module that made all cryptography stuffs. Because LUKS is the standard for Linux hard disk encryption, it does not only facilitate compatibility among Linux distributions, but also provides secure management of multiple user passwords. Another important point, in contrast to existing products, is that LUKS stores all necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly. The next figure shows you the different interfaces between your hardware (hard disk, SD-card etc) and the user-space.
To resume, cryptsetup is used to configure and manage dmcrypt from the user-space. cryptsetup uses /dev/random and /dev/urandom as random number generator.
dmcrypt (Device-mapper) crypts the target (full disk or partition) and provides transparent encryption of block devices using the kernel cryptographic API. The concept of device mapper (/dev/mapper) is included in the Linux kernel 2.6 and 3.x and provides a generic way to create virtual layers of block devices. The main idea is to use a block device node created by the user in /dev/mapper and all data written to this device will be encrypted and all data read from this device will be decrypted.
In order to generate secure key, LUKS uses TKS1 template. This template uses PBKDF2 method in order to provide a better resistance against bruteforce attacks. This is very useful if the user passphrase has a weak entropy. In addition to this, TKS1 template uses a two level hierarchy of cryptographic keys to provides ability to change passphrases. The encryption key is derived from this passphrase. The next scheme explains how the system is initialized.
Firstly, the master key is generated by LUKS using the /dev/(u)random and a salt is used too. The system measures the performance of the host to determine the number of possible iteration that PBKDF2 will do to hash the passphrase. This passphrase is set by the user when he configures LUKS. The hash function used by PBKDF2 can be specified during the setup. We will see all these parameters later. Once the user passphrase is derived (salted hash), it is crypted with the master key to product the encrypted master key. The last step splits the encrypted master key into more fragments and save the AF-splitted encrypted master key, the iteration rate and the salt to the storage. By default, LUKS uses AES-256 for the cipher with the XTS mode. The master key is 256 bits length. Please note that AES-256 cipher must be present in your system. The list of supported ciphers and mode can be found under /proc/crypto.
Tutorial: Create a LUKS ext4 partition
In this tutorial, I use Ubuntu 14.04.02 LTS. This is necessary to install cryptsetup.
sudo apt-get install cryptsetup-bin --yes
The first step is to initialize a LUKS partition. Be careful because when you execute this command, all data on the given partition will be lost. You must enter your passphrase.
cryptsetup luksFormat /dev/sdb
After that, you can check the partition by dumping its header
cryptsetup luksDump /dev/sdb
This dump provides a lot of interesting information about the master key (MK)
- Cipher: AES-256 with XTS mode
- Hash function: SHA-1
- Master key length: 256 bits
- Master key digest: 8c 54 b8 de 9b fb 6f 42 31 5f 46 f5 51 6a 2b b0 cb 12 03 80
- Master key salt: 57 ee d2 39 47 9a 36 f8 18 71 e9 41 af 53 46 b9 2a 5b 88 00 ee 95 da 31 43 4b 84 4a 66 53 08 f6
- # iteration for the master Key hash: 58’500
For the moment, only on passphrase is enabled for this partition (key slot 0) but this is possible to add more passphrase. We can see that the passphrase uses another salt and the number of iteration is not the same too. In fact, each new passphrase, the salt and the number of iteration will be different. If you want to add another passphrase for this partition, you can use this command:
cryptsetup luksAddKey /dev/sdb
If we dump again the partition header, we can see the field “Key Slot 1” filled. This field correspond to the new passphrase.
Now, we can create the mapping under /dev/mapper.
cryptsetup open --type luks /dev/sdb myCryptedPartition Enter passphrase for /dev/sdb: ******
You will be asked for the passphrase of course. Normally we should see the special file /dev/mapper/myCryptedPartition.
ls -al /dev/mapper/myCryptedPartition lrwxrwxrwx 1 root root 7 Jun 29 00:29 /dev/mapper/myCryptedPartition -> ../dm-0
By default with Ubuntu, this command create a symbolic link to /dev/dm-0. I do not exactly why. For example, in a ARM-7 board, this symbolic link is not created. We can go to analyze the target of this link
ls -al /dev/dm-0 brw-rw---- 1 root disk 252, 0 Jun 29 00:29 /dev/dm-0
We can see that the permissions are better now. Only the owner (root) and members of root group have the read/write access to this block device. The next step is to format this partition. In this example, I will format it in EXT4.
sudo mkfs.ext4 /dev/dm-0
And now, it is possible to mount this partition where you want. For example in /mtn.
sudo mkdir /mnt/myLuksMountPoint sudo mount /dev/dm-0 /mnt/myLuksMountPoint
And now, we are able to see the mounted LUKS device.
ls -al /mnt/myLuksMountPoint/ total 24 drwxr-xr-x 3 root root 4096 Jun 29 00:34 . drwxr-xr-x 4 root root 4096 Jun 29 00:36 .. drwx------ 2 root root 16384 Jun 29 00:34 lost+found
The next figure resumes the work done in this tutorial.
If you are using Ubuntu, try to reboot now and normally Ubuntu will detect this new partition and show you an icon like this. Click on it and you will be asked for passphrase. Enter a valid passphrase and you will be able to use your encrypted partition.
That is done. I hope you will find this little tutorial interesting and do not hesitate to tell me if you want to read more detailed stuff about LUKS.