

cryptsetup – LUKS (Linux Unified Key Setup)


Our goal is to encrypt a disk volume. Whether it is a partition, a physical disk or a virtual disk, the process is the same.


Luks has two sections:

  1. Header
  2. Key(s) slot(s) – containers

The header stores information about the cipher we used (cipher name and mode, hash, master key size) together with the master key digest and its salt.
Strictly speaking the header also contains the key slots, but for a better understanding I will treat them as a separate section.


The second section holds up to 8 key slots. Each slot stores its own salt and iteration count plus a copy of the master key, encrypted under a key derived (PBKDF2) from the passphrase or keyfile of that slot; the passphrase itself is never stored. Unused slots are marked DISABLED. It is important to understand that once all slots are disabled (all keys removed) the volume can no longer be unlocked and the data is effectively gone. So be very careful when deleting a key from a slot.


There is a right way and a wrong way to encrypt a disk volume.


Encrypting your volume with a passphrase is the wrong way, unless the passphrase is as big as your _ (this field intentionally left blank).


Be aware that a volume encrypted with a short, easy passphrase is only moments away from being cracked by brute-force software. If everything is encrypted but the passphrase is 123456, it might as well be unencrypted, and the effort is better spent on other parts of your security. This is something I learned the hard way (easy for someone else)!


So what is the right way?


Create a separate random keyfile for every volume you want to encrypt:


dd if=/dev/urandom of=~/keyfile.key bs=4096 count=1


OK, we now have the keyfile that will encrypt/decrypt our disk volume.


Store this file somewhere (really) safe, readable only by root, and never on the volume it unlocks: if the keyfile is lost, the data is lost with it.


Encrypt your disk volume with the keyfile (stored here as /tmp/testkey):


$ sudo cryptsetup luksFormat /dev/vg_diskA/lv_test --key-file /tmp/testkey

WARNING!
========
This will overwrite data on /dev/vg_diskA/lv_test irrevocably.

Are you sure? (Type uppercase yes): YES
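The keyfile and luksFormat steps above, as an added example that is not part of the original post: it generates the keyfile with owner-only permissions, verifies its size and mode before trusting it, and only then formats the volume non-interactively. The device and keyfile paths are placeholders; cryptsetup needs root and a real block device, so only the format function calls it.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are placeholders.

# Create a 4096-byte random keyfile readable only by its owner.
# umask runs in a subshell so it does not leak into the caller's shell.
make_keyfile() {
    kf=$1
    if [ -e "$kf" ]; then
        echo "refusing to overwrite existing keyfile $kf" >&2
        return 1
    fi
    ( umask 077 && dd if=/dev/urandom of="$kf" bs=4096 count=1 2>/dev/null ) || return 1
    chmod 0400 "$kf" || return 1
    keyfile_ok "$kf"
}

# Checks a practitioner wants before trusting a keyfile:
# exactly 4096 bytes (a short dd run would silently weaken the key)
# and mode 0400 (a world-readable keyfile is as bad as no encryption).
keyfile_ok() {
    kf=$1
    size=$(wc -c < "$kf" | tr -d ' ')
    if [ "$size" -ne 4096 ]; then
        echo "$kf: expected 4096 bytes, got $size" >&2
        return 1
    fi
    mode=$(ls -l "$kf" | cut -c1-10)
    if [ "$mode" != "-r--------" ]; then
        echo "$kf: mode is $mode, expected -r-------- (0400)" >&2
        return 1
    fi
    return 0
}

# Format DEV as LUKS with KF as the only credential. --batch-mode skips the
# interactive "Type uppercase yes" prompt, so the checks above run first.
luks_format_with_keyfile() {
    dev=$1
    kf=$2
    keyfile_ok "$kf" || return 1
    if [ ! -b "$dev" ]; then
        echo "$dev is not a block device" >&2
        return 1
    fi
    sudo cryptsetup --batch-mode luksFormat "$dev" --key-file "$kf" || return 1
    sudo cryptsetup luksDump "$dev"
}

# Usage (needs root and a real device; placeholder paths):
#   make_keyfile /root/lv_test.key && \
#   luks_format_with_keyfile /dev/vg_diskA/lv_test /root/lv_test.key
```

make_keyfile refuses to overwrite an existing file on purpose: silently replacing the keyfile of a volume that is already formatted is exactly how you lose the data.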


After that, a confirmation is always a good thing. The dump below shows a LUKS1 header (Version: 1, PBKDF2 with sha1), which was the default of the cryptsetup release used here; newer releases default to LUKS2 with Argon2 and the output looks different:


$ sudo cryptsetup luksDump /dev/vg_diskA/lv_test
LUKS header information for /dev/vg_diskA/lv_test

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	256
MK digest:     	71 08 f4 23 7b e3 df ed ae 30 57 aa 55 bd 76 b0 20 43 7f 4a 
MK salt:       	fe 9b 6d 76 92 cb 7d b0 69 dd 8c 3f c8 fd ac 3e 
               	11 8f 0c 6d 5c 6c 52 a3 c8 eb e4 6e 40 73 ec fe 
MK iterations: 	28500
UUID:          	6fe83dcc-35a3-418c-a10e-bff49955d442

Key Slot 0: ENABLED
	Iterations:         	112280
	Salt:               	d4 99 81 c7 43 63 3f 8f 44 16 4d ca 22 a9 c9 d2 
	                      	1a 1e fa 37 8f 93 93 15 11 04 48 d3 c6 b4 ee 14 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED


Now let's do another test: you already have a LUKS volume protected by a passphrase and you want to change that.
First create a new keyfile (as above), then add it to a new key slot.


before:


$ sudo cryptsetup luksFormat /dev/vg_diskA/lv_test 

WARNING!
========
This will overwrite data on /dev/vg_diskA/lv_test irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 123456
Verify passphrase: 123456


$ sudo cryptsetup luksDump /dev/vg_diskA/lv_test 
LUKS header information for /dev/vg_diskA/lv_test

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	256
MK digest:     	a0 60 1e ff 87 d1 b9 94 bd 3d ca 13 d2 4b f4 be 08 ea 28 ff 
MK salt:       	81 0a b8 4a 1b 7b 86 3c 52 02 ea 69 bd 2c 16 3e 
               	7a 16 27 1f a9 7b 52 7b 7b 99 bb 11 92 54 ec 65 
MK iterations: 	27875
UUID:          	4a5bb291-4d54-440e-997c-40885e1ac908

Key Slot 0: ENABLED
	Iterations:         	112280
	Salt:               	d6 d5 9e 3b 6c 8e 91 9e 9b c6 26 ce b5 68 b8 b7 
	                      	d1 62 9a 8f 9f 22 8c ad 3e d2 08 1c 1e 4b bc 5e 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED


Add the keyfile to a new key slot:


$ sudo cryptsetup luksAddKey /dev/vg_diskA/lv_test /tmp/testkey 
Enter any passphrase: 123456

$ sudo cryptsetup luksDump /dev/vg_diskA/lv_test 
LUKS header information for /dev/vg_diskA/lv_test

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	256
MK digest:     	a0 60 1e ff 87 d1 b9 94 bd 3d ca 13 d2 4b f4 be 08 ea 28 ff 
MK salt:       	81 0a b8 4a 1b 7b 86 3c 52 02 ea 69 bd 2c 16 3e 
               	7a 16 27 1f a9 7b 52 7b 7b 99 bb 11 92 54 ec 65 
MK iterations: 	27875
UUID:          	4a5bb291-4d54-440e-997c-40885e1ac908

Key Slot 0: ENABLED
	Iterations:         	112280
	Salt:               	d6 d5 9e 3b 6c 8e 91 9e 9b c6 26 ce b5 68 b8 b7 
	                      	d1 62 9a 8f 9f 22 8c ad 3e d2 08 1c 1e 4b bc 5e 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: ENABLED
	Iterations:         	111692
	Salt:               	f9 9f bb 58 62 a1 97 8a 65 df b9 aa ce b8 fe 8d 
	                      	15 09 dc 75 74 22 ac 5b b0 78 fe af c6 76 2e a0 
	Key material offset:	264
	AF stripes:            	4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED


Notice that to add a key you must supply the passphrase or keyfile of a slot that is already enabled (here slot 0), and to kill a slot you must supply one for a slot that remains enabled.
There is nothing special about slot 0: every enabled slot unlocks the same master key, and a keyfile works exactly like a passphrase for this purpose.


Now it's time to remove the passphrase from slot 0, authenticating with the keyfile that sits in slot 1:


$ sudo cryptsetup luksKillSlot /dev/vg_diskA/lv_test 0 --key-file /tmp/testkey

$ sudo cryptsetup luksDump /dev/vg_diskA/lv_test 
LUKS header information for /dev/vg_diskA/lv_test

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	256
MK digest:     	a0 60 1e ff 87 d1 b9 94 bd 3d ca 13 d2 4b f4 be 08 ea 28 ff 
MK salt:       	81 0a b8 4a 1b 7b 86 3c 52 02 ea 69 bd 2c 16 3e 
               	7a 16 27 1f a9 7b 52 7b 7b 99 bb 11 92 54 ec 65 
MK iterations: 	27875
UUID:          	4a5bb291-4d54-440e-997c-40885e1ac908

Key Slot 0: DISABLED
Key Slot 1: ENABLED
	Iterations:         	111692
	Salt:               	f9 9f bb 58 62 a1 97 8a 65 df b9 aa ce b8 fe 8d 
	                      	15 09 dc 75 74 22 ac 5b b0 78 fe af c6 76 2e a0 
	Key material offset:	264
	AF stripes:            	4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED


As you see, slot 0 is DISABLED and the keyfile in slot 1 is now the only credential that unlocks this encrypted volume. Keep it safe.
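The add-then-kill rotation above, as an added example that is not part of the original post: it parses luksDump output to make sure the slot being killed is enabled and that at least one other slot stays enabled, so the volume can never be left with zero keys. It assumes the LUKS1 "Key Slot N: ENABLED" dump format shown on this page (LUKS2 prints its slots differently); the device and keyfile paths are placeholders, and the cryptsetup calls need root.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes LUKS1 luksDump format.

# Print the numbers of ENABLED slots from luksDump text on stdin, one per line.
enabled_slots() {
    sed -n 's/^Key Slot \([0-9]*\): ENABLED *$/\1/p'
}

# Number of enabled slots in luksDump text on stdin.
enabled_count() {
    enabled_slots | wc -l | tr -d ' '
}

# Decide whether SLOT may be killed, given luksDump text on stdin:
# it must be enabled, and at least one other slot must remain enabled.
can_kill_slot() {
    slot=$1
    slots=$(enabled_slots)
    if ! printf '%s\n' "$slots" | grep -qx "$slot"; then
        echo "slot $slot is not enabled" >&2
        return 1
    fi
    n=$(printf '%s\n' "$slots" | wc -l | tr -d ' ')
    if [ "$n" -lt 2 ]; then
        echo "slot $slot is the last enabled slot; killing it would make the volume unrecoverable" >&2
        return 1
    fi
    return 0
}

# Add KF to a new slot (cryptsetup asks for any existing passphrase), then
# kill SLOT only after the dump confirms another slot remains enabled.
rotate_to_keyfile() {
    dev=$1
    kf=$2
    slot=$3
    sudo cryptsetup luksAddKey "$dev" "$kf" || return 1
    sudo cryptsetup luksDump "$dev" | can_kill_slot "$slot" || return 1
    sudo cryptsetup luksKillSlot "$dev" "$slot" --key-file "$kf" || return 1
    sudo cryptsetup luksDump "$dev"
}

# Usage (needs root; placeholder paths): remove the passphrase in slot 0
# after the keyfile has been added.
#   rotate_to_keyfile /dev/vg_diskA/lv_test /root/lv_test.key 0
```

cryptsetup itself will remove the last remaining slot if you confirm the prompt, which is why the check runs on the dump before luksKillSlot rather than relying on the tool to stop you.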