cryptsetup – LUKS (Linux Unified Key Setup)
Our goal is to encrypt a disk volume. Whether it is a partition, a physical disk or a virtual disk, the process is the same.
LUKS has two sections:
- Header
- Key(s) slot(s) – containers
The header section stores information about the cipher we used, some bits and some salt!
The header section actually includes the key slot(s) too, but for better understanding I will "separate" them.
The second section stores the key(s) in 8 slots. These slots contain the salt and the key (passphrase or a key file) and, if not used, are marked as DISABLED. It is important to understand that if you disable all the slots (remove all keys) the volume is inaccessible and therefore trash. So be very careful when deleting a key from a slot.
There is a right way and a wrong way to encrypt a disk volume.
Encrypting your volume with a key passphrase is the wrong way, unless the key is as big as your _ (this field intentionally left blank).
Be aware that encrypted volumes with a small and easy key passphrase are just a moment away from being cracked by brute-force software. If everything is encrypted but the key is 123456, then perhaps it should be left unencrypted and the focus put on other parts of security. This is something I've learned the hard (easy for someone else) way!
So what is the right way?
Create a random key for every volume you want to encrypt:
dd if=/dev/urandom of=~/keyfile.key bs=4096 count=1
OK, we now have at hand the keyfile to encrypt/decrypt our disk volume.
Store this file somewhere (really) safe.
Encrypt your disk volume:
$ sudo cryptsetup luksFormat /dev/vg_diskA/lv_test --key-file /tmp/testkey

WARNING!
========
This will overwrite data on /dev/vg_diskA/lv_test irrevocably.

Are you sure? (Type uppercase yes): YES
After that, a confirmation is always a good thing:
$ sudo cryptsetup luksDump /dev/vg_diskA/lv_test
LUKS header information for /dev/vg_diskA/lv_test

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      71 08 f4 23 7b e3 df ed ae 30 57 aa 55 bd 76 b0 20 43 7f 4a
MK salt:        fe 9b 6d 76 92 cb 7d b0 69 dd 8c 3f c8 fd ac 3e
                11 8f 0c 6d 5c 6c 52 a3 c8 eb e4 6e 40 73 ec fe
MK iterations:  28500
UUID:           6fe83dcc-35a3-418c-a10e-bff49955d442

Key Slot 0: ENABLED
        Iterations:             112280
        Salt:                   d4 99 81 c7 43 63 3f 8f 44 16 4d ca 22 a9 c9 d2
                                1a 1e fa 37 8f 93 93 15 11 04 48 d3 c6 b4 ee 14
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Now let's do another test: you already have a LUKS volume with a key passphrase and you want to change all that.
First create a new key (as above) and then add this key to a new key slot.
Before:
$ sudo cryptsetup luksFormat /dev/vg_diskA/lv_test

WARNING!
========
This will overwrite data on /dev/vg_diskA/lv_test irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 123456
Verify passphrase: 123456

$ sudo cryptsetup luksDump /dev/vg_diskA/lv_test
LUKS header information for /dev/vg_diskA/lv_test

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      a0 60 1e ff 87 d1 b9 94 bd 3d ca 13 d2 4b f4 be 08 ea 28 ff
MK salt:        81 0a b8 4a 1b 7b 86 3c 52 02 ea 69 bd 2c 16 3e
                7a 16 27 1f a9 7b 52 7b 7b 99 bb 11 92 54 ec 65
MK iterations:  27875
UUID:           4a5bb291-4d54-440e-997c-40885e1ac908

Key Slot 0: ENABLED
        Iterations:             112280
        Salt:                   d6 d5 9e 3b 6c 8e 91 9e 9b c6 26 ce b5 68 b8 b7
                                d1 62 9a 8f 9f 22 8c ad 3e d2 08 1c 1e 4b bc 5e
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Add the keyfile into a new key slot:
$ sudo cryptsetup luksAddKey /dev/vg_diskA/lv_test /tmp/testkey
Enter any passphrase: 123456

$ sudo cryptsetup luksDump /dev/vg_diskA/lv_test
LUKS header information for /dev/vg_diskA/lv_test

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      a0 60 1e ff 87 d1 b9 94 bd 3d ca 13 d2 4b f4 be 08 ea 28 ff
MK salt:        81 0a b8 4a 1b 7b 86 3c 52 02 ea 69 bd 2c 16 3e
                7a 16 27 1f a9 7b 52 7b 7b 99 bb 11 92 54 ec 65
MK iterations:  27875
UUID:           4a5bb291-4d54-440e-997c-40885e1ac908

Key Slot 0: ENABLED
        Iterations:             112280
        Salt:                   d6 d5 9e 3b 6c 8e 91 9e 9b c6 26 ce b5 68 b8 b7
                                d1 62 9a 8f 9f 22 8c ad 3e d2 08 1c 1e 4b bc 5e
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             111692
        Salt:                   f9 9f bb 58 62 a1 97 8a 65 df b9 aa ce b8 fe 8d
                                15 09 dc 75 74 22 ac 5b b0 78 fe af c6 76 2e a0
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Notice that the first key (slot 0) is always the "master key" used to add or remove keys from slots.
The same rule applies if you are using a keyfile.
Now it's time to remove the key passphrase from slot 0:
$ sudo cryptsetup luksKillSlot /dev/vg_diskA/lv_test 0 --key-file /tmp/testkey

$ sudo cryptsetup luksDump /dev/vg_diskA/lv_test
LUKS header information for /dev/vg_diskA/lv_test

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      a0 60 1e ff 87 d1 b9 94 bd 3d ca 13 d2 4b f4 be 08 ea 28 ff
MK salt:        81 0a b8 4a 1b 7b 86 3c 52 02 ea 69 bd 2c 16 3e
                7a 16 27 1f a9 7b 52 7b 7b 99 bb 11 92 54 ec 65
MK iterations:  27875
UUID:           4a5bb291-4d54-440e-997c-40885e1ac908

Key Slot 0: DISABLED
Key Slot 1: ENABLED
        Iterations:             111692
        Salt:                   f9 9f bb 58 62 a1 97 8a 65 df b9 aa ce b8 fe 8d
                                15 09 dc 75 74 22 ac 5b b0 78 fe af c6 76 2e a0
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
As you can see, slot 0 is DISABLED and we now use the keyfile as the "master" key for this encrypted disk volume.
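As an added example (not part of the original post, and not cryptsetup's own tooling), here is a small POSIX shell script covering the two steps above that are easiest to get wrong: creating the keyfile from the dd command with owner-only permissions, and checking luksDump output before luksKillSlot so you never disable the last ENABLED slot and turn the volume into trash. The function names, the sample luksDump slot sections and the /root/lv_test.key path are assumptions; the script does not call cryptsetup itself, so it runs offline without root.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the keyfile
# workflow above: make_keyfile creates the random key the post's dd
# command produces, with owner-only permissions; enabled_slots and
# safe_to_kill read luksDump output so a luksKillSlot can be refused
# when it would disable the last ENABLED slot (an unrecoverable volume).
# Function names and the sample dumps below are assumptions/constructed.
set -eu

# make_keyfile PATH: 4096 random bytes, mode 0400, never overwriting an
# existing file (once slot 0 is killed this file is the only way in).
make_keyfile() {
    path=$1
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing keyfile: $path" >&2
        return 1
    fi
    # umask in a subshell so the file is never group/world readable, even briefly
    ( umask 077 && dd if=/dev/urandom of="$path" bs=4096 count=1 2>/dev/null )
    chmod 0400 "$path"
    [ "$(wc -c < "$path")" -eq 4096 ]
}

# enabled_slots DUMP: number of "Key Slot N: ENABLED" lines in a luksDump
# text (LUKS1 layout as shown in the post). Passing the text as a string
# keeps the check testable without root or a real volume.
enabled_slots() {
    printf '%s\n' "$1" | grep -c '^Key Slot [0-7]: ENABLED' || true
}

# safe_to_kill DUMP SLOT: succeeds only if SLOT is ENABLED and at least
# one other slot is ENABLED, i.e. the volume stays openable afterwards.
safe_to_kill() {
    dump=$1
    slot=$2
    printf '%s\n' "$dump" | grep -q "^Key Slot $slot: ENABLED" || return 1
    [ "$(enabled_slots "$dump")" -ge 2 ]
}

# Constructed luksDump slot sections, mirroring the post's state after
# luksAddKey (two slots) and after luksKillSlot (one slot).
DUMP_TWO_SLOTS='Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

DUMP_ONE_SLOT='Key Slot 0: DISABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Offline demonstration on the constructed dumps.
echo "slots enabled after luksAddKey: $(enabled_slots "$DUMP_TWO_SLOTS")"   # 2
safe_to_kill "$DUMP_TWO_SLOTS" 0 && echo "killing slot 0 is safe"
safe_to_kill "$DUMP_ONE_SLOT" 1 || echo "refusing: slot 1 holds the last key"

# On a real volume (root required) the same check guards the post's final
# command; /root/lv_test.key is an assumed path:
#   make_keyfile /root/lv_test.key
#   dump=$(sudo cryptsetup luksDump /dev/vg_diskA/lv_test)
#   safe_to_kill "$dump" 0 &&
#     sudo cryptsetup luksKillSlot /dev/vg_diskA/lv_test 0 --key-file /root/lv_test.key
```

The check is deliberately conservative: it only reads luksDump text, so it cannot tell whether the remaining keyfile actually opens the volume. Before killing the passphrase slot, also confirm the keyfile works (for example with luksOpen using --key-file) and keep the backup copy mentioned above.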