LUKS
Overview
LUKS, or Linux Unified Key Setup, is a disk encryption specification created by Clemens Fruhwirth in 2004 and serves as the standard for block device encryption on Linux systems.
It provides a platform-independent on-disk format, so the same volume can be handled by different tools and operating systems, with passphrase management that is both secure and documented.
LUKS operates at the kernel level using the device mapper subsystem via the dm-crypt module, allowing transparent encryption and decryption of data as it is read from or written to block devices.
The core of LUKS is its header, stored at the beginning of the encrypted device. It holds metadata such as the encryption algorithm, cipher mode and key size, plus up to eight key slots, each of which stores a copy of the master key encrypted under a key derived from a passphrase or another authentication secret.
Because of this header, several passphrases can unlock the same volume without being shared, and key slots can be added, changed or removed without re-encrypting the whole device.
The master key, generated randomly when the volume is formatted, encrypts the actual data; each user's passphrase only unwraps the master key, giving a layered design.
There are two main versions: LUKS1, released in 2005, and LUKS2, introduced in 2018, which offers enhanced features such as resilience to header corruption, the use of the Argon2 key derivation function by default, and a JSON-based metadata format.
LUKS can be used to encrypt entire partitions, logical volumes (LVM), swap space, or even entire disk drives, making it ideal for full disk encryption on laptops, removable media, and network-attached storage (NAS) devices.
The reference implementation is provided by the cryptsetup command-line utility, which is available on most Linux distributions and can be used during system installation or on existing devices.
Reference: New Methods in Hard Disk Encryption, by Clemens Fruhwirth.
Create a LUKS encrypted USB drive
Check the target device.
lsblk /dev/sda
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    1 14.4G  0 disk
└─sda1   8:1    1 14.4G  0 part
Remove old data and create a new partition.
shred -n 1 -v /dev/sda
gdisk /dev/sda
Command (? for help): p
Command (? for help): n
Command (? for help): w
Encrypt the new partition. Note that the command below runs luksFormat on the whole device, /dev/sda; to encrypt only the partition created in the previous step, give /dev/sda1 instead.
cryptsetup luksFormat /dev/sda
WARNING!
========
This will overwrite data on /dev/sda irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sda:
Verify passphrase:
Open the encrypted device; this creates the mapping /dev/mapper/crypted_usb.
cryptsetup luksOpen /dev/sda crypted_usb
Enter passphrase for /dev/sda:
Create the filesystem and mount it.
mkfs.vfat -F 32 -n GUISAM /dev/mapper/crypted_usb
mount /dev/mapper/crypted_usb /mnt/test/
Unmount and close the encrypted device.
umount /mnt/test
cryptsetup luksClose crypted_usb
Connect an encrypted USB drive
[Screenshot: password request on the GNOME desktop]
[Screenshot: GNOME notification]
Manage LUKS passphrases
Find the encrypted device(s).
lsblk /dev/nvme0n1
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1                                       259:0    0 238,5G  0 disk
├─nvme0n1p1                                   259:1    0   300M  0 part  /boot/efi
└─nvme0n1p2                                   259:2    0 238,2G  0 part
  └─luks-408551ce-44cb-4dfa-ac3f-b68a2a43025f 254:0    0 238,2G  0 crypt /
Check the key slots on the device.
awk '/Key Slot/' <(cryptsetup luksDump /dev/nvme0n1p2)
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Add a new passphrase; cryptsetup first asks for an existing passphrase, then for the new one.
cryptsetup luksAddKey /dev/nvme0n1p2
Check the enabled key slots.
awk '/ENABLED/' <(cryptsetup luksDump /dev/nvme0n1p2)
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Remove a key; cryptsetup prompts for the passphrase of the slot being removed.
cryptsetup --key-slot 2 luksRemoveKey /dev/nvme0n1p2
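The key-slot state that luksDump prints above comes straight from the header described in the overview. As an added example, not code from the original page or from cryptsetup, the Python below parses a raw LUKS1 header (the first 592 bytes of the device, or a cryptsetup luksHeaderBackup file) and reports the same ENABLED/DISABLED lines together with cipher, mode and key size, rejecting headers with a bad magic or a corrupted slot marker. The sample header it builds is constructed for the demonstration (fake UUID, zeroed salts), and LUKS2's JSON header is out of scope.

```python
import struct

# LUKS1 on-disk header (phdr): 592 bytes, big-endian fields, 8 key slots of 48 bytes at offset 208.
LUKS1_MAGIC = b"LUKS\xba\xbe"
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD  # key-slot "active" markers
SLOT_BASE, SLOT_SIZE, HEADER_SIZE = 208, 48, 592

def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1_header(data: bytes) -> dict:
    """Parse the first 592 bytes of a LUKS1 device (or a luksHeaderBackup file)."""
    if len(data) < HEADER_SIZE or data[:6] != LUKS1_MAGIC:
        raise ValueError("not a LUKS1 header (bad magic or truncated)")
    version = struct.unpack_from(">H", data, 6)[0]
    if version != 1:
        raise ValueError(f"unsupported LUKS header version {version}")
    payload_offset, key_bytes = struct.unpack_from(">II", data, 104)
    slots = []
    for i in range(8):
        off = SLOT_BASE + SLOT_SIZE * i
        active, iterations = struct.unpack_from(">II", data, off)
        if active not in (KEY_ENABLED, KEY_DISABLED):  # anything else means corruption
            raise ValueError(f"key slot {i}: unknown active marker {active:#010x}")
        slots.append({"slot": i, "enabled": active == KEY_ENABLED, "iterations": iterations})
    return {"cipher": _cstr(data[8:40]), "mode": _cstr(data[40:72]),
            "hash": _cstr(data[72:104]), "payload_offset": payload_offset,
            "key_bytes": key_bytes, "uuid": _cstr(data[168:208]), "slots": slots}

def key_slot_report(header: dict) -> list:
    """Same lines the page greps out of `cryptsetup luksDump`."""
    return [f"Key Slot {s['slot']}: {'ENABLED' if s['enabled'] else 'DISABLED'}"
            for s in header["slots"]]

def build_sample_header(enabled_slots) -> bytes:
    """Constructed test header (fake UUID, zeroed salts and digest); not from a real device."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:6] = LUKS1_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    for off, s in ((8, b"aes"), (40, b"xts-plain64"), (72, b"sha256"),
                   (168, b"00000000-0000-4000-8000-000000000000")):
        hdr[off:off + len(s)] = s
    struct.pack_into(">II", hdr, 104, 4096, 64)  # payload at sector 4096, 512-bit key
    for i in range(8):
        off = SLOT_BASE + SLOT_SIZE * i
        on = i in enabled_slots
        struct.pack_into(">II", hdr, off, KEY_ENABLED if on else KEY_DISABLED, 500000 if on else 0)
        struct.pack_into(">II", hdr, off + 40, 8 + 256 * i, 4000)  # key-material offset, stripes
    return bytes(hdr)
```

Reading the header from a live device needs root; the parser only looks at the metadata that luksDump also shows and never touches the encrypted key material.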
