such a disaster! In particular, make sure you have a current header
backup before doing any potentially dangerous operations.
+ BACKUP: Yes, encrypted disks die, just as normal ones do. A full
+ backup is mandatory, see Section "6. Backup and Data Recovery" on
+ options for doing encrypted backup.
+
DISTRIBUTION INSTALLERS: Some distribution installers offer to
create LUKS containers in a way that can be mistaken as activation
of an existing container. Creating a new LUKS container on top of
installers after a complete backup of all LUKS containers has been
made.
+ NO WARNING ON NON-INERACTIVE FORMAT: If you feed cryptsetup from
+ STDIN (e.g. via GnuPG) on LUKS format, it does not give you the
+ warning that you are about to format (and e.g. will lose any
+ pre-existing LUKS container on the target), as it assumes it is
+ used from a script. In this scenario, the responsibility for
+ warning the user and possibly checking for an existing LUKS header
+ goes over to the script. This is a more general form of the
+ previous item.
+
LUKS PASSPHRASE IS NOT THE MASTER KEY: The LUKS passphrase is not
used in deriving the master key. It is used in decrypting a master
key that is randomly selected on header creation. This means that
4. Troubleshooting
+ * I get the error "LUKS keyslot x is invalid." What does that mean?
+
+ This means that the given keyslot has an offset that points
+ outside the valid keyslot area. Typically, the reason is a
+ corrupted LUKS header because something was written to the start of
+ the device the LUKS contaner is on. Refer to Section "Backup and
+ Data Recovery" and ask on the mailing list if you have trouble
+ diagnosing and (if still possible) repairing this.
+
+
* Can a bad RAM module cause problems?
LUKS and dm-crypt can give the RAM quite a workout, especially when
passphrase, see next FAQ item.
Still, if you want good security, a high-entropy passphrase is the
- only option. Use at least 64 bits for secret stuff. That is 64
- characters of English text (but only if randomly chosen) or a
- combination of 12 truly random letters and digits.
+ only option. For example, a low-entropy passphrase can never be
+ considered secure against a TLA-level (Three Letter Agency level,
+ i.e. government-level) attacker, no matter what tricks are used in
+ the key-derivation function. Use at least 64 bits for secret stuff.
+ That is 64 characters of English text (but only if randomly chosen)
+ or a combination of 12 truly random letters and digits.
For passphrase generation, do not use lines from very well-known
texts (religious texts, Harry potter, etc.) as they are to easy to
and ending at a word boundary would take only something like 20
days on a single CPU and is entirely feasible. To put that into
perspective, using a number of Amazon EC2 High-CPU Extra Large
- instances (each gives about 8 real cores), this tests costs
+ instances (each gives about 8 real cores), this test costs
currently about 50USD/EUR, but can be made to run arbitrarily fast.
On the other hand, choosing 1.5 lines from, say, the Wheel of Time
CPU, and possibly far less.
In addition, the attacker can both parallelize and use special
- hardware like GPUs to speed up the attack. The attack can also
- happen quite some time after the luksFormat operation and CPUs can
- have become faster and cheaper. For that reason you want a bit
- of extra security. Anyways, in Example 1 your are screwed. In
- example 2, not necessarily. Even if the attack is faster, it still
- has a certain cost associated with it, say 10000 EUR/USD with
- iteration and 1 EUR/USD without iteration. The first can be
+ hardware like GPUs or FPGAs to speed up the attack. The attack can
+ also happen quite some time after the luksFormat operation and CPUs
+ can have become faster and cheaper. For that reason you want a
+ bit of extra security. Anyways, in Example 1 your are screwed.
+ In example 2, not necessarily. Even if the attack is faster, it
+ still has a certain cost associated with it, say 10000 EUR/USD
+ with iteration and 1 EUR/USD without iteration. The first can be
prohibitively expensive, while the second is something you try
- even without solid proof that the decryption will yield something
+ even without solid proof that the decryption will yield something
useful.
The numbers above are mostly made up, but show the idea. Of course
partition creation. Example:
- cryptsetup luksHeaderBackup --header-backup-file h /dev/mapper/c1
+ cryptsetup luksHeaderBackup --header-backup-file h <device>
To restore, use the inverse command, i.e.
- cryptsetup luksHeaderRestore --header-backup-file h /dev/mapper/c1
+ cryptsetup luksHeaderRestore --header-backup-file h <device>
+
+
+ * How do I test a LUKS header?
+
+ Use
+
+ cryptsetup -v isLuks <device>
+
+ on the device. Without the "-v" it just signals its result via
+ exit-status. You can alos use the more general test
+
+ blkid -p <device>
+ which will also detect other types and give some more info. Omit
+ "-p" for old versions of blkid that do not support it.
+
* How do I backup a LUKS or dm-crypt partition?
* How do I recover the master key from a mapped LUKS container?
This is typically only needed if you managed to damage your LUKS
- header, but the container is still mapped, i.e. "luksOpen"ed.
+ header, but the container is still mapped, i.e. "luksOpen"ed. It
+ also helps if you have a mapped container that you forgot or do not
+ know a passphrase for (e.g. on a long running server.)
+
+ WARNING: Things go wrong, do a full backup before trying this!
WARNING: This exposes the master key of the LUKS container. Note
that both ways to recreate a LUKS header with the old master key
key afterwards. Changing the master key requires a full data
backup, luksFormat and then restore of the backup.
- First, there is a script by Milan that tries to automatize the
- whole process, including generating a new LUKS header with the old
- master key:
+ First, there is a script by Milan that automatizes the whole
+ process, except generating a new LUKS header with the old master
+ key (it prints the command for that though):
http://code.google.com/p/cryptsetup/source/browse/trunk/misc/luks-header-from-active
do this manually, e.g. with hexedit. You can also use the tool
"xxd" from vim like this:
- echo "a1704d9....53d0d09" | xxd -r -p > master_key
+ echo "a1704d9....53d0d09" | xxd -r -p > <master-key-file>
- - Do a luksFormat to create a new LUKS header. Unmapthe device
- before you do that (luksClose). Replace \dev\dsa10 with the device
- the LUKS container is on:
+ - Do a luksFormat to create a new LUKS header.
+
+ NOTE: If your header is intact and you just forgot the
+ passphrase, you can just set a new passphrase, see next subitem.
- cryptsetup luksFormat --master-key-file=master_key \dev\sda10
+ Unmap the device before you do that (luksClose). Then do
+
+ cryptsetup luksFormat --master-key-file=<master-key-file> <luks device>
Note that if the container was created with other than the default
settings of the cryptsetup version you are using, you need to give
- additional parameters specifying the deviations. If in doubt, just
- do the first step, keep the whole result safe and try with the
- script by Milan. It does recover the other parameters as well.
+ additional parameters specifying the deviations. If in doubt, try
+ the script by Milan. It does recover the other parameters as well.
Side note: This is the way the decrypt_derived script gets at the
master key. It just omits the conversion and hashes the master key
string.
+ - If the header is intact and you just forgot the passphrase, just
+ set a new passphrase like this:
+
+ cryptsetup luksAddKey --master-key-file=<master-key-file> <luks device>
+
+ You may want to disable the old one afterwards.
+
* What does the on-disk structure of dm-crypt look like?
0xc1000-0xe0400. The space to the next full sector address is
padded with zeros. Never used key-slots are filled with what the
disk originally contained there, a key-slot removed with
- "luksRemoveKey" or "luksKillSlot" gets filled with 0xff. Start of
- bulk data is at 0x101000, i.e. at 1'052'672 bytes, i.e. at 1MiB
- + 4096 bytes from the start of the partition. This is also the
- value given by command "luksDump" with "Payload offset: 2056",
- just multiply by the sector size (512 bytes). Incidentally,
- "luksHeaderBackup" for a LUKS container created with default
- parameters dumps exactly the first 1'052'672 bytes to file and
- "luksHeaderRestore" restores them.
+ "luksRemoveKey" or "luksKillSlot" gets filled with 0xff. Due to
+ 2MiB default alignment, start of the data area for cryptsetup 1.3
+ and later is at 2MiB, i.e. at 0x200000. For older versions, it is
+ at 0x101000, i.e. at 1'052'672 bytes, i.e. at 1MiB + 4096 bytes
+ from the start of the partition. Incidentally, "luksHeaderBackup"
+ for a LUKS container created with default parameters dumps exactly
+ the first 2MiB (or 1'052'672 bytes for headers created with
+ cryptsetup versions < 1.3) to file and "luksHeaderRestore" restores
+ them.
For non-default parameters, you have to figure out placement
- yourself. "luksDump" helps. For the most common non-default
- settings, namely aes-xts-plain with 512 bit key, the offsets are:
- 1st keyslot 0x1000-0x3f800, 2nd keyslot 0x40000-0x7e000, 3rd
- keyslot 0x7e000-0xbd800, ..., and start of bulk data at 0x200000.
+ yourself. "luksDump" helps. See also next item. For the most common
+ non-default settings, namely aes-xts-plain with 512 bit key, the
+ offsets are: 1st keyslot 0x1000-0x3f800, 2nd keyslot
+ 0x40000-0x7e000, 3rd keyslot 0x7e000-0xbd800, ..., and start of
+ bulk data at 0x200000.
The exact specification of the format is here:
http://code.google.com/p/cryptsetup/wiki/Specification
+ * What is the smallest possible LUKS container?
+
+ Note: From cryptsetup 1.3 onwards, alignment is set to 1MB. With
+ modern Linux partitioning tools that also align to 1MB, this will
+ result in aligmnet to 2k secors and typical Flash/SSD sectors,
+ which is highly desirable for a number of reasons. Changing the
+ alignment is not recomended.
+
+ That said, with default parameters, the data area starts at
+ exactly 2MB offset (at 0x101000 for cryptsetup versions before
+ 1.3). The smallest data area you can have is one sector of 512
+ bytes. Data areas of 0 bytes can be created, but fail on mapping.
+
+ While you cannot put a filesystem into something this small, it may
+ still be used to contain, for example, key. Note that with current
+ formatting tools, a partition for a container this size will be
+ 3MiB anyways. If you put the LUKS container into a file (via
+ losetup and a loopback device), the file needs to be 2097664 bytes
+ in size, i.e. 2MiB + 512B.
+
+ There two ways to influence the start of the data area are key-size
+ and alignment.
+
+ For alignment, you can go down to 1 on the parameter. This will
+ still leave you with a data-area starting at 0x101000, i.e.
+ 1MiB+4096B (default parameters) as alignment will be rounded up to
+ the next multiple of 8 (i.e. 4096 bytes) If in doubt, do a dry-run
+ on a larger file and dump the LUKS header to get actual
+ information.
+
+ For key-size, you can use 128 bit (e.g. AES-128 with CBC), 256 bit
+ (e.g. AES-256 with CBC) or 512 bit (e.g. AES-256 with XTS mode).
+ You can do 64 bit (e.g. blowfish-64 with CBC), but anything below
+ 128 bit has to be considered insecure today.
+
+ Example 1 - AES 128 bit with CBC:
+
+ cryptsetup luksFormat -s 128 --align-payload=8 <device>
+
+ This results in a data offset of 0x81000, i.e. 516KiB or 528384
+ bytes. Add one 512 byte sector and the smallest LUKS container size
+ with these parameters is 516KiB + 512B or 528896 bytes.
+
+ Example 2 - Blowfish 64 bit with CBC (WARNING: insecure):
+
+ cryptsetup luksFormat -c blowfish -s 64 --align-payload=8 /dev/loop0
+
+ This results in a data offset of 0x41000, i.e. 260kiB or 266240
+ bytes, with a minimal LUKS conatiner size of 260kiB + 512B or
+ 266752 bytes.
+
+
* I think this is overly complicated. Is there an alternative?
Not really. Encryption comes at a price. You can use plain