Jump to content

Linux Unified Key Setup

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 172.218.5.205 (talk) at 05:45, 7 May 2022 (minor). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
"LUKS" redirects here. For the American painter, see George Luks.

The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and was originally intended for Linux.

While most disk encryption software implements different, incompatible, and undocumented formats[citation needed], LUKS implements a platform-independent standard on-disk format for use in various tools. This not only facilitates compatibility and interoperability among different programs, but also assures that they all implement password management in a secure and documented manner.[1]

LUKS is designed to conform to the TKS1 secure key setup scheme.[2]

Description

LUKS is used to encrypt a block device. The contents of the encrypted device are arbitrary, and therefore any filesystem can be encrypted, including swap partitions.[3] There is an unencrypted header at the beginning of an encrypted volume, which allows up to 8 (LUKS1) or 32 (LUKS2) encryption keys to be stored along with encryption parameters such as cipher type and key size.[4][5]

The presence of this header is a major difference between LUKS and plain dm-crypt, since the header allows multiple different passphrases to be used, with the ability to change and remove them with ease. However, if the header is lost or corrupted, the device will no longer be decryptable.[6]

Encryption is done with a multi-layer approach. First, the block device is encrypted using multiple master keys, each of which is encrypted with an active user key in each keyslot.[7] While keyslots often contain a passphrase, other kinds of keys include OpenPGP public keys or X.509 certificates. PGP public keys can be used in combination with an OpenPGP smart card which is inserted into the host.[8][9]

LVM can be used alongside LUKS. When LVM is used on an unlocked LUKS container (LVM on LUKS), all underlying partitions (which are LVM logical volumes) can be encrypted with a single key, while doing the opposite (LUKS on LVM) allows an encrypted volume to span multiple devices.[10][11][12]

There are two versions of LUKS, with LUKS2 having features such as resilience to header corruption, and using the Argon2 encryption algorithm by default, whereas LUKS1 uses PBKDF2.[13] Conversion between both versions of LUKS is possible in certain situations, but some features may not be available with LUKS1 such as Argon2.[4]

Full disk encryption

A common usage of LUKS is to provide full disk encryption, which involves encrypting the root partition of an operating system installation, which protects the operating system files from being tampered with or read by unauthorized parties.[10]

On a Linux system, the boot partition (/boot) may be encrypted if the bootloader itself supports LUKS (e.g. GRUB). This is undertaken to prevent tampering of the Linux kernel. However, the first stage bootloader or an EFI system partition cannot be encrypted (see Full disk encryption#The boot key problem).[10]

On mobile Linux systems, postmarketOS has developed osk-sdl to allow a full disk encrypted system to be unlocked using a touch screen.

Operating system support

The reference implementation for LUKS operates on Linux and is based on an enhanced version of cryptsetup, using dm-crypt as the disk encryption backend. Under Microsoft Windows, LUKS-encrypted disks can be used via the Windows Subsystem for Linux.[14] (Formerly, this was possible with LibreCrypt,[15] which currently has fundamental security holes, and which succeeded FreeOTFE, formerly DoxBox.)

DragonFly BSD supports LUKS.[16]

Installer support

Several Linux distributions allow the root device to be encrypted upon OS installation. These installers include Calamares[17], Ubiquity[18], Debian-Installer[19], and more.

Examples

Cryptsetup is the reference implementation of the LUKS frontend.

To encrypt a device with the path /dev/sda1: 

# cryptsetup luksFormat /dev/sda1

To unlock an encrypted device, where name is the mapped device name: 

# cryptsetup luksOpen /dev/sda1 name

See also

References

  1. ^ Fruhwirth, Clemens (2018-01-20). "LUKS On-Disk Format Specification Version 1.2.3" (PDF). Retrieved 2021-09-23.
  2. ^ Fruhwirth, Clemens (2004-07-15). "TKS1 – An anti-forensic, two level, and iterated key setup scheme" (PDF). Draft. Retrieved 2021-09-23.
  3. ^ "Encrypting drives using LUKS". Fedora Docs. Retrieved 6 May 2022.
  4. ^ a b "Chapter 12. Encrypting block devices using LUKS". Red Hat Customer Portal.
  5. ^ "How to Encrypt Hard Disk (partition) using LUKS in Linux".
  6. ^ "How to Encrypt Your Data with dm-crypt". Linode.
  7. ^ Bossi, Simone; Visconti, Andrea (2015). "What Users Should Know About Full Disk Encryption Based on LUKS" (PDF). {{cite journal}}: Cite journal requires |journal= (help)
  8. ^ "Full-Disk Encryption With cryptsetup/LUKS". Retrieved 6 May 2022.
  9. ^ "How to encrypt a LUKS container using a smart card or token".
  10. ^ a b c "dm-crypt/Encrypting an entire system". Retrieved 6 May 2022.
  11. ^ "LUKS on LVM: encrypted logical volumes and secure backups".
  12. ^ "Arch with LVM on LUKS".
  13. ^ "How LUKS works with Full Disk Encryption in Linux".
  14. ^ "Servicing the Windows Subsystem for Linux (WSL) 2 Linux Kernel". Microsoft Developer Blogs.
  15. ^ "LibreCrypt". GitHub.
  16. ^ "DragonFly's Major Features List". Retrieved 6 May 2022.
  17. ^ Michael Larabel (8 May 2016). "Calamares Installer Adds LUKS Encryption Support". Phoronix.
  18. ^ "How to Encrypt Your Hard Disk in Ubuntu". Make Tech Easier.
  19. ^ "PartmanCrypto". Debian Wiki. Retrieved 6 May 2022.


Retrieved from "https://en.wikipedia.org/w/index.php?title=Linux_Unified_Key_Setup&oldid=1086604042"