made.
NO WARNING ON NON-INERACTIVE FORMAT: If you feed cryptsetup from
- STDIN (e.g. via GPG) on LUKS format, it does not give you the
+ STDIN (e.g. via GnuPG) on LUKS format, it does not give you the
warning that you are about to format (and e.g. will lose any
pre-existing LUKS container on the target), as it assumes it is
- used form a script. In this scenario, the responsibility for
+ used from a script. In this scenario, the responsibility for
warning the user and possibly checking for an existing LUKS header
goes over to the script. This is a more general form of the
previous item.
passphrase, see next FAQ item.
Still, if you want good security, a high-entropy passphrase is the
- only option. Use at least 64 bits for secret stuff. That is 64
- characters of English text (but only if randomly chosen) or a
- combination of 12 truly random letters and digits.
+ only option. For example, a low-entropy passphrase can never be
+ considered secure against a TLA-level (Three Letter Agency level,
+ i.e. government-level) attacker, no matter what tricks are used in
+ the key-derivation function. Use at least 64 bits for secret stuff.
+ That is 64 characters of English text (but only if randomly chosen)
+ or a combination of 12 truly random letters and digits.
For passphrase generation, do not use lines from very well-known
texts (religious texts, Harry potter, etc.) as they are to easy to
and ending at a word boundary would take only something like 20
days on a single CPU and is entirely feasible. To put that into
perspective, using a number of Amazon EC2 High-CPU Extra Large
- instances (each gives about 8 real cores), this tests costs
+ instances (each gives about 8 real cores), this test costs
currently about 50USD/EUR, but can be made to run arbitrarily fast.
On the other hand, choosing 1.5 lines from, say, the Wheel of Time
CPU, and possibly far less.
In addition, the attacker can both parallelize and use special
- hardware like GPUs to speed up the attack. The attack can also
- happen quite some time after the luksFormat operation and CPUs can
- have become faster and cheaper. For that reason you want a bit
- of extra security. Anyways, in Example 1 your are screwed. In
- example 2, not necessarily. Even if the attack is faster, it still
- has a certain cost associated with it, say 10000 EUR/USD with
- iteration and 1 EUR/USD without iteration. The first can be
+ hardware like GPUs or FPGAs to speed up the attack. The attack can
+ also happen quite some time after the luksFormat operation and CPUs
+ can have become faster and cheaper. For that reason you want a
+ bit of extra security. Anyways, in Example 1 your are screwed.
+ In example 2, not necessarily. Even if the attack is faster, it
+ still has a certain cost associated with it, say 10000 EUR/USD
+ with iteration and 1 EUR/USD without iteration. The first can be
prohibitively expensive, while the second is something you try
- even without solid proof that the decryption will yield something
+ even without solid proof that the decryption will yield something
useful.
The numbers above are mostly made up, but show the idea. Of course
alignment is not recomended.
That said, with default parameters, the data area starts at
- exactly 2MB offset (at 0x101000 for crptsetup versions before 1.3).
- The smallest data area you can have is one sector of 512 bytes.
- Data areas of 0 bytes can be created, but fail on mapping.
+ exactly 2MB offset (at 0x101000 for cryptsetup versions before
+ 1.3). The smallest data area you can have is one sector of 512
+ bytes. Data areas of 0 bytes can be created, but fail on mapping.
While you cannot put a filesystem into something this small, it may
- still be used to contain, for eamcple, key. Note that with current
+ still be used to contain, for example, key. Note that with current
formatting tools, a partition for a container this size will be
3MiB anyways. If you put the LUKS container into a file (via
losetup and a loopback device), the file needs to be 2097664 bytes
in size, i.e. 2MiB + 512B.
- The two ways to influence the start of the data area are key-size
+ There two ways to influence the start of the data area are key-size
and alignment.
For alignment, you can go down to 1 on the parameter. This will
still leave you with a data-area starting at 0x101000, i.e.
1MiB+4096B (default parameters) as alignment will be rounded up to
- the next multiple of 8 (i.e. 4096 bytes) (TODO: need to verify
- this).
+ the next multiple of 8 (i.e. 4096 bytes) If in doubt, do a dry-run
+ on a larger file and dump the LUKS header to get actual
+ information.
For key-size, you can use 128 bit (e.g. AES-128 with CBC), 256 bit
(e.g. AES-256 with CBC) or 512 bit (e.g. AES-256 with XTS mode).
- You can do 64 bit (e.g. blofish-64 with CBC), but anything below
+ You can do 64 bit (e.g. blowfish-64 with CBC), but anything below
128 bit has to be considered insecure today.
Example 1 - AES 128 bit with CBC: