7 5. Backup and Data Recovery
8 6. Issues with Specific Versions of cryptsetup
17 This is the FAQ (Frequently Asked Questions) for cryptsetup. It
18 covers Linux disk encryption with plain dm-crypt (one passphrase,
19 no management, no descriptor on disk) and LUKS (multiple user keys
20 with one master key, anti-forensics, descriptor block at start of
21 device, ...). The latest version should usually be available at
22 http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
24 ATTENTION: If you are going to read just one thing, make it the
25 section on Backup and Data Recovery. By far the most questions on
26 the cryptsetup mailing list are from people that just managed to
27 somehow format or overwrite the start of their LUKS partitions.
28 Usually, there is nothing that can be done to help these poor souls
29 recover their data. Make sure you understand the problem and
30 limitations imposed by the LUKS security model BEFORE you face such
36 Current FAQ maintainer is Arno Wagner <arno@wagner.name>. Other
37 contributors are listed at the end. If you want to contribute, send
38 your article, including a descriptive headline, to the maintainer,
39 or the dm-crypt mailing list with something like "FAQ ..." in the
40 subject. Please note that by contributing to this FAQ, you accept
41 the license described below.
43 This work is under the "Attribution-Share Alike 3.0 Unported"
44 license, which means distribution is unlimited, you may create
45 derived works, but attributions to original authors and this
46 license statement must be retained and the derived work must be
47 under the same license. See
48 http://creativecommons.org/licenses/by-sa/3.0/ for more details of
51 Side note: I did text license research some time ago and I think
52 this license is best suited for the purpose at hand and creates the
59 * Can I encrypt an already existing, non-empty partition to use
62 There is no converter, and it is not really needed. The way to do
63 this is to make a backup of the device in question, securely wipe
64 the device (as LUKS device initialization does not clear away old
65 data), do a luksFormat, optionally overwrite the encrypted device,
66 create a new filesystem and restore your backup on the now
67 encrypted device. Also refer to sections "Security Aspects" and
68 "Backup and Data Recovery".
70 For backup, plain GNU tar works well and backs up anything likely
71 to be in a filesystem.
74 * How do I use LUKS with a loop-device?
76 Just the same as with any block device. If you want, for example,
77 to use a 100MiB file as LUKS container, do something like this:
79 head -c 100M /dev/zero > luksfile # create empty file
80 losetup /dev/loop0 luksfile # map luksfile to /dev/loop0
81 cryptsetup luksFormat /dev/loop0 # create LUKS on the loop device
83 Afterwards just use /dev/loop0 as a you would use a LUKS partition.
84 To unmap the file when done, use "losetup -d /dev/loop0".
87 * How do I read a dm-crypt key from file?
89 Note that the file will still be hashed first, just like keyboard
90 input. Use the --key-file option, like this:
92 cryptsetup create --key-file keyfile e1 /dev/loop0
95 * How do I read a LUKS slot key from file?
97 What you really do here is to read a passphrase from file, just as
98 you would with manual entry of a passphrase for a key-slot. You can
99 add a new passphrase to a free key-slot, set the passphrase of an
100 specific key-slot or put an already configured passphrase into a
101 file. In the last case make sure no trailing newline (0x0a) is
102 contained in the key file, or the passphrase will not work because
103 the whole file is used as input.
105 To add a new passphrase to a free key slot from file, use something
108 cryptsetup luksAddKey /dev/loop0 keyfile
110 To add a new passphrase to a specific key-slot, use something like
113 cryptsetup luksAddKey --key-slot 7 /dev/loop0 keyfile
115 To supply a key from file to any LUKS command, use the --key-file
116 option, e.g. like this:
118 cryptsetup luksOpen --key-file keyfile /dev/loop0 e1
121 * How do I read the LUKS master key from file?
123 The question you should ask yourself first, is why you would want
124 to do this. The only legitimate reason I can think of is if you
125 want to have two LUKS devices with the same master key. Even then,
126 I think it would be preferable to just use key-slots with the same
127 passphrase, or to use plain dm-crypt instead. If you really have a
128 good reason, please tell me. If I am convinced, I will add how to
132 * What are the security requirements for a key read from file?
134 A file-stored key or passphrase has the same security requirements
135 as one entered interactively, however you can use random bytes and
136 thereby use bytes you cannot type on the keyboard. You can use any
137 file you like as key file, for example a plain text file with a
138 human readable passphrase. To generate a file with random bytes,
139 use something like this:
141 head -c 256 /dev/random > keyfile
144 * If I map a journaled file system using dm-crypt/LUKS, does it
145 still provide its usual transactional guarantees?
147 As far as I know you do (but I may be wrong), but please note that
148 these "guarantees" are far weaker than they appear to be. For
149 example, you not not get a hard flush to disk surface even on a
150 call to fsync. In addition, the HDD itself may do independent
151 write reordering. Some other things can go wrong as well. The
152 filesystem developers are aware of these problems and typically
153 can make it work anyways. That said, dm-crypt/LUKS should not make
156 Personally, I have several instances of ext3 on dm-crypt and have
157 not noticed any specific issues so far.
159 Update: I did run into frequent small freezes (1-2 sec) when putting
160 a vmware image on ext3 over dm-crypt. This does indicate that the
161 transactional guarantees are in place, but at a cost. When I went
162 back to ext2, the problem went away.
165 * Can I use LUKS or cryptsetup with a more secure (external) medium
166 for key storage, e.g. TPM or a smartcard?
168 Yes, see the answers on using a file-supplied key. You do have to
169 write the glue-logic yourself though. Basically you can have
170 cryptsetup read the key from STDIN and write it there with your
171 own tool that in turn gets the key from the more secure key
175 * Can I resize a dm-crypt or LUKS partition?
177 Yes, you can, as neither dm-crypt nor LUKS stores partition size.
178 Whether you should is a different question. Personally I recommend
179 backup, recreation of the encrypted partition with new size,
180 recreation of the filesystem and restore. This gets around the
181 tricky business of resizing the filesystem. The backup is really
182 non-optional here, as a lot can go wrong, resulting in partial or
183 complete data loss. Using something like gparted to resize an
184 encrypted partition is slow, but pretty safe and should be fine.
185 This will not change the size of the filesystem hidden under the
188 You also need to be aware of size-based limitations. The one
189 currently relevant is that aes-xts-plain should not be used for
190 encrypted container sizes larger than 2TiB. Use aes-xts-plain64
197 * My dm-crypt/LUKS mapping does not work! What general steps are
198 there to investigate the problem?
200 If you get a specific error message, investigate what it claims
201 first. If not, you may want to check the following things.
203 - Check that "/dev", including "/dev/mapper/control" is there. If it is
204 missing, you may have a problem with the "/dev" tree itself or you
205 may have broken udev rules.
207 - Check that you have the device mapper and the crypt target in your kernel.
208 The output of "dmsetup targets" should list a "crypt" target. If it
209 is not there or the command fails, add device mapper and
210 crypt-target to the kernel.
212 - Check that the hash-functions and ciphers you want to use are in the kernel.
213 The output of "cat /proc/crypto" needs to list them.
216 * My dm-crypt mapping suddenly stopped when upgrading cryptsetup.
218 The default cipher, hash or mode may have changed (the mode changed
219 from 1.0.x to 1.1.x). See under "6. Issues With Specific Versions of
223 * When I call cryptsetup from cron/CGI, I get errors about unknown
226 If you get errors about unknown parameters or the like that are not
227 present when cryptsetup is called from the shell, make sure you
228 have no older version of cryptsetup on your system that then gets
229 called by cron/CGI.For example some distributions install
230 cryptsetup into /usr/sbin, while a manual install could go to
231 /usr/local/sbin. As a debugging aid, call "cryptsetup --version"
232 from cron/CGI or the non-shell mechanism to be sure you have the
236 * Unlocking a LUKS device takes very long. Why?
238 The iteration time for every key-slot (iteration is needed to
239 prevent dictionary attacks) is calculated during the luksFormat
240 operation. By default it is 1 second on the machine where the
241 format operation is done. If you format a device on a fast machine
242 and then unlock it on a slow machine, the unlocking time can be
243 much more longer. Also take into account that up to 8 key-slots
244 have to be tried in order to find the right one.
246 If this is problem, you can add another key-slot using the slow
247 machine with the same passphrase and then remove the old key-slot.
248 The new key-slot will have an iteration count adjusted to 1 second
249 on the slow machine. Use luksKeyAdd and then luksKillSlot or
250 luksRemoveKey. However, this operation will not change volume key
251 iteration count. In order to change that, you will have to backup
252 the data in the LUKS container, luksFormat on the slow machine and
256 * "blkid" sees a LUKS UUID and an ext2/swap UUID on the same device.
259 Some old versions of cryptsetup have a bug where the header does
260 not get completely wiped during LUKS format and an older ext2/swap
261 signature remains on the device. This confuses blkid.
263 Fix: Wipe the unused header areas by doing a backup and restore of
264 the header with cryptsetup 1.1.x:
266 cryptsetup luksHeaderBackup --header-backup-file <file> <device>
267 cryptsetup luksHeaderRestore --header-backup-file <file> <device>
269 If you cannot use a 1.1.x cryptsetup, you can also do a manual wipe
270 of the area in question with the command below. Be very, VERY,
271 careful and make sure to do a backup of the header before. If you
272 get this wrong, your device may become permanently inaccessible.
274 dd if=/dev/zero of=<device> bs=512 seek=2 count=6
277 * cryptsetup segfaults on Gentoo amd64 hardened ...
279 There seems to be some inteference between the hardening and and
280 the way cryptsetup benchmarks PBKDF2. The solution to this is
281 currently not quite clear for an encrypted root filesystem. For
282 other uses, you can apparently specify USE="dynamic" as compile
283 flag, see http://bugs.gentoo.org/show_bug.cgi?id=283470
289 * Should I initialize (overwrite) a new LUKS/dm-crypt partition?
291 If you just create a filesystem on it, most of the old data will
292 still be there. If the old data is sensitive, you should overwrite
293 it before encrypting. In any case, not initializing will leave the
294 old data there until the specific sector gets written. That may
295 enable an attacker to determine how much and where on the
296 partition data was written. If you think this is a risk, you can
297 prevent this by overwriting the encrypted device (here assumed to
298 be named "e1") with zeros like this:
300 dd_rescue -w /dev/zero /dev/mapper/e1
302 or alternatively with one of the following more standard commands:
304 cat /dev/zero > /dev/mapper/e1
305 dd if=/dev/zero of=/dev/mapper/e1
308 * How do I securely erase a LUKS (or other) partition?
310 For LUKS, if you are in a desperate hurry, overwrite the first few
311 kilobytes of the LUKS partition. This erases the salts and makes
312 access impossible. However a LUKS header backup or full backup will
313 still grant access to most or all data.
315 To do this right, overwrite the whole LUKS partition with a single
316 pass of zeros. This is enough for current HDDs. For SDDs you may
317 want to erase the whole drive several times to be sure data is not
318 retained by wear leveling. This is possibly insecure as SDD
319 technology is not fully understood in this regard. Still, due to
320 the anti-forensic properties of the LUKS key-slots, a single
321 overwrite of an SSD could be enough. If in doubt, use physical
322 destruction in addition. Keep in mind to also erase all backups.
324 Example for a zero-overwrite erase of partition sda10 done with
327 dd_rescue -w /dev/zero /dev/sda10
330 * How do I securely erase a backup of a LUKS partition or header?
332 That depends on the medium it is stored on. For HDD and SSD, use
333 overwrite with zeros. For an SSD, you may want to overwrite the
334 complete SSD several times and use physical destruction in addition,
335 see last item. Treat USB flash drives the same as SSDs. For
336 re-writable CD/DVD, a single overwrite should also be enough, due
337 to the anti-forensic properties of the LUKS keyslots. For
338 write-once media, use physical destruction. For low security
339 requirements, just cut the CD/DVD into several parts. For high
340 security needs, shred or burn the medium. If your backup is on
341 magnetic tape, I advise physical destruction by shredding or
342 burning. The problem with magnetic tape is that it has a higher
343 dynamic range than HDDs and older data may well be recoverable
344 after overwrites. Also write-head alignment issues can lead to
345 data not actually being deleted at all during overwrites.
348 * What about backup? Does it compromise security?
350 That depends. See next section.
353 * Why was the default aes-cbc-plain replaced with aes-cbc-essiv?
355 The problem is that cbc-plain has a fingerprint vulnerability, where
356 a specially crafted file placed into the crypto-container can be
357 recognized from the outside. The issue here is that for cbc-plain
358 the initialization vector (IV) is the sector number. The IV gets
359 XORed to the first data chunk of the sector to be encrypted. If you
360 make sure that the first data block to be stored in a sector
361 contains the sector number as well, the first data block to be
362 encrypted is all zeros and always encrypted to the same ciphertext.
363 This also works if the first data chunk just has a constant XOR
364 with the sector number. By having several shifted patterns you can
365 take care of the case of a non-power-of-two start sector number of
368 This mechanism allows you to create a pattern of sectors that have
369 the same first ciphertext block and signal one bit per sector to the
370 outside, allowing you to e.g. mark media files that way for
371 recognition without decryption. For large files this is a
372 practical attack. For small ones, you do not have enough blocks to
373 signal and take care of different file starting offsets.
375 In order to prevent this attack, the default was changed to
376 cbc-essiv. ESSIV uses a keyed hash of the sector number, with the
377 encryption key as key. This makes the IV unpredictable without
378 knowing the encryption key and the watermarking attack fails.
381 * Are there any problems with "plain" IV? What is "plain64"?
383 First, "plain" and "plain64" are both not safe to use with CBC, see
386 However there are modes, like XTS, that are secure with "plain" IV.
387 The next limit is that "plain" is 64 bit, with the upper 32 bit set
388 to zero. This means that on volumes larger than 2TiB, the IV
389 repeats, creating a vulnerability that potentially leaks some
390 data. To avoid this, use "plain64", which uses the full sector
391 number up to 64 bit. Note that "plain64" requires a kernel >=
392 2.6.33. Also note that "plain64" is backwards compatible for
393 volume sizes <= 2TiB, but not for those > 2TiB. Finally, "plain64"
394 does not cause any performance penalty compared to "plain".
397 * What about XTS mode?
399 XTS mode is potentially even more secure than cbc-essiv (but only if
400 cbc-essiv is insecure in your scenario). It is a NIST standard and
401 used, e.g. in Truecrypt. At the moment, if you want to use it, you
402 have to specify it manually as "aes-xts-plain", i.e.
404 cryptsetup -c aes-xts-plain luksFormat <device>
406 For volumes >2TiB and kernels >= 2.6.33 use "plain64" (see FAQ
407 item on "plain" and "plain64"):
409 cryptsetup -c aes-xts-plain64 luksFormat <device>
411 There is a potential security issue with XTS mode and large blocks.
412 LUKS and dm-crypt always use 512B blocks and the issue does not
416 5. Backup and Data Recovery
419 * Does a backup compromise security?
421 Depends on how you do it. First, a backup is non-optional with
422 encrypted data just the same way it is with non-encrypted data.
423 Disks do break and they do not care whether they make plain or
424 encrypted data inaccessible.
426 However there are risks introduced by backups. For example if you
427 change/disable a key-slot in LUKS, a binary backup of the partition
428 will still have the old key-slot. To deal with this, you have to
429 be able to change the key-slot on the backup as well, or use a
430 different set-up. One option is to have a different passphrase on
431 the backup and to make the backup with both containers open.
432 Another one is to make a backup of the original, opened container to
433 a single file, e.g. with tar, and to encrypt that file with
434 public-key-cryptography, e.g. with GnuPG. You can then keep the
435 secret key in a safe place, because it is only used to decrypt a
436 backup. The key the backup is encrypted with can be stored without
437 special security measures, as long as an attacker cannot replace
440 If you use dm-crypt, backup is simpler: As there is no key
441 management, the main risk is that you cannot wipe the backup when
442 wiping the original. However wiping the original for dm-crypt
443 should consist of forgetting the passphrase and that you can do
444 without actual access to the backup.
446 In both cases, there is an additional (usually small) risk: An
447 attacker can see how many sectors and which ones have been changed
448 since the backup. This is not possible with the public-key method
451 My personal advice is to use one USB disk (low value date) or three
452 disks (high value data) in rotating order for backups, and either
453 use different passphrases or keep them easily accessible in case
454 you need to disable a key-slot. If you do network-backup or
455 tape-backup, I strongly recommend to go the public-key path,
456 especially as you typically cannot reliably delete data in these
457 scenarios. (Well, you can burn the tape if it is under your
461 * What happens if I overwrite the start of a LUKS partition or
462 damage the LUKS header or key-slots?
464 There are two critical components for decryption: The salt values
465 in the header itself and the key-slots. If the salt values are
466 overwritten or changed, nothing (in the cryptographically strong
467 sense) can be done to access the data, unless there is a backup of
468 the LUKS header. If a key-slot is damaged, the data can still be
469 read with a different key-slot, if there is a remaining undamaged
470 and used key-slot. Note that in order to make a key-slot
471 unrecoverable in a cryptographically strong sense, changing about
472 4-6 bits in random locations of its 128kiB size is quite enough.
475 * What happens if I (quick) format a LUKS partition?
477 I have not tried the different ways to do this, but very likely you
478 will have written a new boot-sector, which in turn overwrites the
479 LUKS header, including the salts. You may also damage the key-slots
480 in part or in full. See also last item.
483 * What does the on-disk structure of dm-crypt look like?
485 There is none. dm-crypt takes a block device and gives encrypted
486 access to each of its blocks with a key derived from the passphrase
487 given. If you use a cipher different than the default, you have to
488 specify that as a parameter to cryptsetup too. If you want to
489 change the password, you basically have to create a second
490 encrypted device with the new passphrase and copy your data over.
491 On the plus side, if you accidentally overwrite any part of a
492 dm-crypt device, the damage will be limited to the are you
496 * What does the on-disk structure of LUKS look like?
498 A LUKS partition consists of a header, followed by 8 key-slot
499 descriptors, followed by 8 key slots, followed by the encrypted
502 Header and key-slot descriptors fill the first 592 bytes. The
503 key-slot size depends on the creation parameters, namely on the
504 number of anti-forensic stripes and on key block alignment.
506 With 4000 stripes (the default), each key-slot is a bit less than
507 128kiB in size. Due to sector alignment of the key-slot start,
508 that means the key block 0 is at offset 0x1000-0x20400, key block
509 1 at offset 0x21000-0x40400, and key block 7 at offset
510 0xc1000-0xe0400. The space to the next full sector address is
511 padded with zeros. Never used key-slots are filled with what the
512 disk originally contained there, a key-slot removed with
513 "luksRemoveKey" or "luksKillSlot" gets filled with 0xff. Start of
514 bulk data (with the default 4000 stripes and 8 key-slots) is at
515 0x101000, i.e. at 1'052'672 bytes, i.e. at 1MiB + 4096 bytes from
516 the start of the partition. This is also the value given by command
517 "luksDump" with "Payload offset: 2056", just multiply by the sector
518 size (512 bytes). Incidentally, "luksHeaderBackup" dumps exactly
519 the first 1'052'672 bytes to file and "luksHeaderRestore" restores
522 The exact specification of the format is here:
523 http://code.google.com/p/cryptsetup/wiki/Specification
526 * How do I backup a LUKS header?
528 While you could just copy the appropriate number of bytes from the
529 start of the LUKS partition, the best way is to use command option
530 "luksHeaderBackup" of cryptsetup. This protects also against errors
531 when non-standard parameters have been used in LUKS partition
535 cryptsetup luksHeaderBackup --header-backup-file h_bak /dev/mapper/c1
538 * How do I backup a LUKS partition?
540 You do a sector-image of the whole partition. This will contain the
541 LUKS header, the keys-slots and the data ares. It can be done
542 under Linux e.g. with dd_rescue (for a direct image copy) and with
543 "cat" or "dd". Example:
545 cat /dev/sda10 > sda10.img
546 dd_rescue /dev/sda10 sda10.img
548 You can also use any other backup software that is capable of making
549 a sector image of a partition. Note that compression is
550 ineffective for encrypted data, hence it does not sense to use it.
553 * Do I need a backup of the full partition? Would the header and
554 key-slots not be enough?
556 Backup protects you against two things: Disk loss or corruption and
557 user error. By far the most questions on the dm-crypt mailing list
558 about how to recover a damaged LUKS partition are related to user
559 error. For example, if you create a new filesystem on a LUKS
560 partition, chances are good that all data is lost permanently.
562 For this case, a header+key-slot backup would often be enough. But
563 keep in mind that a HDD has roughly a failure risk of 5% per year.
564 It is highly advisable to have a complete backup to protect against
568 * Are there security risks from a backup of the LUKS header or a
569 whole LUKS partition?
571 Yes. One risk is that if you remove access rights for specific
572 key-slots by deleting their contents, the data can still be
573 accessed with invalidated passphrase and the backup. The other risk
574 is that if you erase a LUKS partition, a backup could still grant
575 access, especially if you only erased the LUKS header and not the
579 * I think this is overly complicated. Is there an alternative?
581 Yes, you can use plain dm-crypt. It does not allow multiple
582 passphrases, but on the plus side, it has zero on disk description
583 and if you overwrite some part of a plain dm-crypt partition,
584 exactly the overwritten parts are lost (rounded up to sector
588 6. Issues with Specific Versions of cryptsetup
591 * When using the create command for plain dm-crypt with cryptsetup
592 1.1.x, the mapping is incompatible and my data is not accessible
595 With cryptsetup 1.1.x, the distro maintainer can define different
596 default encryption modes for LUKS and plain devices. You can check
597 these compiled-in defaults using "cryptsetup --help". Moreover, the
598 plain device default changed because the old IV mode was
599 vulnerable to a watermarking attack.
601 If you are using a plain device and you need a compatible mode, just
602 specify cipher, key size and hash algorithm explicitly. For
603 compatibility with cryptsetup 1.0.x defaults, simple use the
606 cryptsetup create -c aes-cbc-plain -s 256 -h ripemd160 <name> <device>
608 LUKS stores cipher and mode in the metadata on disk, avoiding this
612 * cryptsetup on SLED 10 has problems...
614 SLED 10 is missing an essential kernel patch for dm-crypt, which
615 is broken in its kernel as a result. There may be a very old
616 version of cryptsetup (1.0.x) provided by SLED, which should also
617 not be used anymore as well. My advice would be to drop SLED 10.
619 A. Contributors In no particular order: