Linux Unified Key Setup

"LUKS" redirects here. For the American painter, see George Luks.

The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and originally intended for Linux.

LUKS implements a platform-independent standard on-disk format for use in various tools. This facilitates compatibility and interoperability among different programs and operating systems, and assures that they all implement password management in a secure and documented manner.[1]

Description

LUKS is used to encrypt a block device. The contents of the encrypted device are arbitrary, and therefore any filesystem can be encrypted, including swap partitions.[2] There is an unencrypted header at the beginning of an encrypted volume, which allows up to 8 (LUKS1) or 32 (LUKS2) encryption keys to be stored along with encryption parameters such as cipher type and key size.[3][4]

The presence of this header is a major difference between LUKS and dm-crypt, since the header allows multiple different passphrases to be used, with the ability to change and remove them. If the header is lost or corrupted, the device will no longer be decryptable.[5]

Encryption is done with a multi-layer approach. First, the block device is encrypted using a master key. This master key is encrypted with each active user key.[6] User keys are derived from passphrases, FIDO2 security keys, TPMs or smart cards.[7][8] The multi-layer approach allows users to change their passphrase without re-encrypting the whole block device. Key slots can contain information to verify user passphrases or other types of keys.

There are two versions of LUKS, with LUKS2 featuring resilience to header corruption, and using the Argon2 key derivation function by default, whereas LUKS1 uses PBKDF2.[9] Conversion between both versions of LUKS is possible in certain situations, but some features may not be available with LUKS1 such as Argon2.[3] LUKS2 uses JSON as a metadata format.[3][10]

Available cryptographic algorithms depend on individual kernel support of the host. Libgcrypt can be used as a backend for hashing, which supports all of its algorithms.[11] It is up to the operating system vendor to choose the default algorithm.[12] LUKS1 makes use of an anti-forensics technique called AFsplitter, allowing for secure data erasure and protection.[13]

LUKS with LVM

Logical Volume Management can be used alongside LUKS.[14]

LVM on LUKS
When LVM is used on an unlocked LUKS container, all underlying partitions (which are LVM logical volumes) can be encrypted with a single key. This is akin to splitting a LUKS container into multiple partitions. The LVM structure is not visible until the disk is decrypted.[15]
LUKS on LVM
When LUKS is used to encrypt LVM logical volumes, an encrypted volume can span multiple devices. The underlying LVM volume group is visible without decrypting the encrypted volumes.[16]

Full disk encryption

Debian-Installer showing an option for automated partitioning with LVM on LUKS

A common usage of LUKS is to provide full disk encryption, which involves encrypting the root partition of an operating system installation, which protects the operating system files from being tampered with or read by unauthorized parties.[14]

On a Linux system, the boot partition (/boot) may be encrypted if the bootloader itself supports LUKS (e.g. GRUB). This is undertaken to prevent tampering with the Linux kernel. However, the first stage bootloader or an EFI system partition cannot be encrypted (see Full disk encryption#The boot key problem).[14]

On mobile Linux systems, postmarketOS has developed osk-sdl to allow a full disk encrypted system to be unlocked using a touch screen.

For systems running systemd, the systemd-homed component can be used to encrypt individual home directories.[17]

Operating system support

The reference implementation for LUKS operates on Linux and is based on an enhanced version of cryptsetup, using dm-crypt as the disk encryption backend. Under Microsoft Windows, LUKS-encrypted disks can be used via the Windows Subsystem for Linux.[18] (Formerly, this was possible with LibreCrypt,[19] which currently has fundamental security holes,[20][21] and which succeeded FreeOTFE, formerly DoxBox.)

DragonFly BSD supports LUKS.[22]

Installer support

Several Linux distributions allow the root device to be encrypted upon OS installation. These installers include Calamares,[23] Ubiquity,[24] Debian-Installer,[25] and more.

On-disk format

LUKS headers are backward compatible; newer versions of LUKS are able to read headers of previous versions.[26]

LUKS1

LUKS1 Header[26]
Offset Data type Description
000 000hex char[6] Magic number {'L', 'U', 'K', 'S', 0xBA, 0xBE }
006 006hex uint16_t LUKS Version (0x0001 for LUKS1)
008 008hex char[32] Cipher Algorithm (e.g. "twofish", "aes")
040 028hex char[32] Cipher mode (e.g. "cbc-essiv:sha256")
072 048hex char[32] Cryptographic hash function (e.g. "sha1", "ripemd160")
104 068hex uint32_t Payload offset (position of encrypted data) in 512 byte offsets
108 06Chex uint32_t Number of key bytes
112 070hex char[20] PBKDF2 master key checksum
132 084hex char[32] PBKDF2 master key salt parameter
164 0A4hex uint32_t PBKDF2 master key iterations (Default: 10)
168 0A8hex char[40] UUID of the partition (e.g. "504c9fa7-d080-4acf-a829-73227b48fb89")
208 0D0hex (48 Bytes) Keyslot 1
544 220hex (48 Bytes) Keyslot 8
592 Bytes total
Format of each keyslot
Offset Data type Description
00 uint32_t State of keyslot: Active=0x00AC71F3; Disabled=0x0000DEAD
04 uint32_t PBKDF2 iteration parameter
08 char[32] PBKDF2 salt parameter
40 uint32_t Start sector of key
44 uint32_t Number of anti-forensic stripes (Default: 4000)
48 Bytes total

LUKS2

LUKS2 devices begin with a binary header intended to allow recognition and fast detection by blkid, which also contains information such as checksums. All strings used in a LUKS2 header are null-terminated strings. Directly after the binary header comes the JSON area, containing the objects config (configuration), keyslots, digests, segments (describes encrypted areas on the disk), and tokens containing extra metadata.[10]

The binary format for regular luks2 keyslots are mostly similar to their predecessor, with the addition of different per-keyslot algorithms. Another type of key exists to allow redundancy in the case that a re-encryption process is interrupted.[10]

Examples

Cryptsetup is the reference implementation of the LUKS frontend.

To encrypt a device with the path /dev/sda1: 

# cryptsetup luksFormat /dev/sda1

To unlock an encrypted device, where name is the mapped device name: 

# cryptsetup open /dev/sda1 name

Re-encrypting

Re-encrypting a LUKS container can be done either with the cryptsetup tool itself, or with a legacy tool called cryptsetup-reencrypt. These tools can also be used to add encryption to an existing unencrypted filesystem, or remove encryption from a block device.[11][27]

Both methods have similar syntax: 

# cryptsetup reencrypt /dev/sda1

# cryptsetup-reencrypt /dev/sda1

See also

References

  1. ^ Fruhwirth, Clemens (2018-01-20). "LUKS On-Disk Format Specification Version 1.2.3" (PDF). Retrieved 2021-09-23.
  2. ^ "Encrypting drives using LUKS". Fedora Docs. Retrieved 6 May 2022.
  3. ^ a b c "Chapter 12. Encrypting block devices using LUKS". Red Hat Customer Portal.
  4. ^ "How to Encrypt Hard Disk (partition) using LUKS in Linux". 27 February 2019.
  5. ^ "How to Encrypt Your Data with dm-crypt". Linode. 22 November 2022.
  6. ^ Bossi, Simone; Visconti, Andrea (2015). "What Users Should Know About Full Disk Encryption Based on LUKS" (PDF). {{cite journal}}: Cite journal requires |journal= (help)
  7. ^ "systemd-cryptenroll - ArchWiki". wiki.archlinux.org. Retrieved 2023-11-22.
  8. ^ "How to encrypt a LUKS container using a smart card or token". 20 April 2014.
  9. ^ "How LUKS works with Full Disk Encryption in Linux". 25 September 2021.
  10. ^ a b c "on-disk-format-luks2.pdf" (PDF). 7 March 2024.
  11. ^ a b cryptsetup(8) – Linux Administration and Privileged Commands Manual
  12. ^ "Breaking LUKS Encryption". eForensics. 21 August 2020.
  13. ^ "AFsplitter".
  14. ^ a b c "dm-crypt/Encrypting an entire system". Retrieved 6 May 2022.
  15. ^ "Arch with LVM on LUKS".
  16. ^ "LUKS on LVM: encrypted logical volumes and secure backups". 12 September 2014.
  17. ^ "Home Directories". systemd.
  18. ^ "Servicing the Windows Subsystem for Linux (WSL) 2 Linux Kernel". Microsoft Developer Blogs. 16 April 2021.
  19. ^ "LibreCrypt". GitHub. 27 July 2022.
  20. ^ "Flaw in driver allows privilege escalation. Feedback wanted · Issue #38 · t-d-k/LibreCrypt". GitHub. 30 September 2015.
  21. ^ "Driver allows writing to arbitrary devices · Issue #39 · t-d-k/LibreCrypt". GitHub. 7 October 2015.
  22. ^ "DragonFly's Major Features List". Retrieved 6 May 2022.
  23. ^ Michael Larabel (8 May 2016). "Calamares Installer Adds LUKS Encryption Support". Phoronix.
  24. ^ "How to Encrypt Your Hard Disk in Ubuntu". Make Tech Easier. 13 January 2017.
  25. ^ "PartmanCrypto". Debian Wiki. Retrieved 6 May 2022.
  26. ^ a b "LUKS On-Disk Format Specification" (PDF).
  27. ^ "CRYPTSETUP-REENCRYPT(8) Man page". man7.org.

Read other articles:

Monte Carlo

Artikel ini tidak memiliki referensi atau sumber tepercaya sehingga isinya tidak bisa dipastikan. Tolong bantu perbaiki artikel ini dengan menambahkan referensi yang layak. Tulisan tanpa sumber dapat dipertanyakan dan dihapus sewaktu-waktu.Cari sumber: Monte Carlo – berita · surat kabar · buku · cendekiawan · JSTOR Monte CarloKuartal dan Lingkungan MonakoPemandangan Monte CarloKoordinat: 43°44′23″N 7°25′38″E / 43.73972°N 7.42...

 

 

Sarthe

Sarthe ([sart']) ialah departemen di timur Prancis. Ibu kota: Le Mans. Departemen ini memiliki 375 kotamadya. Lihat pula Sungai Sarthe Pranala luar (Prancis) http://www.sarthe.pref.gouv.fr (Prancis) http://www.cg72.fr (Prancis) http://www.sarthemag.fr (Prancis) http://fr.wikivoyage.org/wiki/Sarthe lbsKomune di departemen Sarthe Aigné Aillières-Beauvoir Allonnes Amné Ancinnes Arçonnay Ardenay-sur-Mérize Arnage Arthezé Asnières-sur-Vègre Assé-le-Boisne Assé-le-Riboul Aubigné-Racan Le...

 

 

Pembicaraan Pengguna:Ariyanto

ꦄꦫꦶꦪꦤ꧀ꦠꦺꦴ Tiada 'cabal' di sini. Halaman ini diarsipkan secara otomatis oleh HsfBot (lihat instruksi) Pemblokiran Bung @Ariyanto, harap ubah pemblokiran Jasonplay638 ke selamanya dikarenakan pengguna tersebut adalah siluman dari LTA Woerayraiyan7 yang mana sempat mempunyai akun dengan nama serupa: Jasonmaynard489 dan terbukti menyalahgunakan beberapa akun. Terima kasih. BlackBlueRed (bicaratalk it) 13 Februari 2024 08.24 (UTC)[balas] Baik. Terima kasih atas informasinya. NB...

Norden Tenzing Bhutia

Indian singer and composer (1950–2019) Norden Tenzing Bhutiaनोर्देन तेन्जिङ भुटियाBorn(1950-01-21)21 January 1950Kolkata, IndiaDied4 August 2019(2019-08-04) (aged 69)Aldershot, United KingdomOccupation(s)Singer, musician, composer, ex-British GurkhaKnown forThe HimalayansSpouseAnne TenzinChildren3 Norden Tenzing Bhutia was an Indian musician, composer and singer of classic Nepali pop songs like 'Musu Musu Hasi Deu', 'Gajalu le Aakhai Chopne'...

 

 

2020年夏季奧林匹克運動會波蘭代表團

2020年夏季奥林匹克运动会波兰代表團波兰国旗IOC編碼POLNOC波蘭奧林匹克委員會網站olimpijski.pl(英文)(波兰文)2020年夏季奥林匹克运动会(東京)2021年7月23日至8月8日(受2019冠状病毒病疫情影响推迟,但仍保留原定名称)運動員206參賽項目24个大项旗手开幕式:帕维尔·科热尼奥夫斯基(游泳)和马娅·沃什乔夫斯卡(自行车)[1]闭幕式:卡罗利娜·纳亚(皮划艇)&#...

 

 

Diorite

Igneous rock type For the community in the United States, see Diorite, Michigan. For the nuclear research reactor in Switzerland, see DIORIT. Diorite Orbicular diorite from Corsica (corsite) QAPF diagram with dioritoid fields highlighted in yellow and diorite in red Mineral assemblage of igneous rocks Diorite (/ˈdaɪ.əraɪt/ DY-ə-ryte)[1][2] is an intrusive igneous rock formed by the slow cooling underground of magma (molten rock) that has a moderate content of silica and a...

Storiografia

La storiografia è una disciplina scientifica che si occupa della descrizione della storia (in greco historiographìa, da historìa, storia, e graphè, descrizione) e comprende tutte le forme di interpretazione, di trattazione e trasmissione di fatti e accadimenti della vita degli individui e delle società del passato storico.[1][2][3] Con il termine storiografia si indicano anche tutte le opere storiche relative a uno specifico periodo o che si riferiscono a un defin...

 

 

Велика українська енциклопедія

Ця стаття чи розділ висвітлює одну чи декілька запланованих чи очікуваних книг. Зміст може докорінно змінюватись у міру наближення дати випуску книги та появи нової інформації. «Велика українська енциклопедія» Логотип «Великої української енциклопедії»Автор різні ав...

 

 

Bank BJB Syariah

Artikel ini tidak memiliki referensi atau sumber tepercaya sehingga isinya tidak bisa dipastikan. Tolong bantu perbaiki artikel ini dengan menambahkan referensi yang layak. Tulisan tanpa sumber dapat dipertanyakan dan dihapus sewaktu-waktu.Cari sumber: Bank BJB Syariah – berita · surat kabar · buku · cendekiawan · JSTOR PT Bank BJB SyariahJenisAnak perusahaanIndustriJasa keuanganDidirikanBandung, Jawa barat Indonesia (2010)KantorpusatBandung, Indonesia...

American Red Cross

American nonprofit humanitarian organization This article's lead section may be too short to adequately summarize the key points. Please consider expanding the lead to provide an accessible overview of all important aspects of the article. (May 2024) American Red CrossAmerican Red Cross National Headquarters in Washington, D.C.FormationMay 21, 1881; 143 years ago (1881-05-21)FounderClara BartonTypeCharitable organizationTax ID no. 53-0196605Legal statusInstrumentality of the...

 

 

Wacky Races (1968 TV series)

American animated television series Wacky RacesWritten by Larz Bourne Dalton Sandifer Tom Dagenais Michael Maltese Directed by William Hanna Joseph Barbera Voices of Daws Butler Don Messick John Stephenson Janet Waldo Paul Winchell Narrated byDave WillockComposerHoyt CurtinCountry of originUnited StatesOriginal languageEnglishNo. of seasons1No. of episodes17 (34 segments)ProductionProducers William Hanna Joseph Barbera Editors Richard Allen Milton Krear Running time21 minutesProduction compan...

 

 

Republic of Pisa

Italian maritime republic (c. 1000–1406) Republic of PisaRepubblica di Pisa (Italian)c. 1000–1406 Flag Coat of arms Motto: Urbis me dignum pisane noscite signum(Latin for 'Know that I am a worthy sign of the city')Map of Pisa in the 11th centuryCapitalPisaCommon languagesTuscanLatinItalianReligion Roman CatholicismGovernmentOligarchic republicGovernanti della repubblica • 1063–? Giovanni Orlandi• 1081–1189 Consul• 1202–1312 Cons...

Cosmopolitanism

Idea that all human beings are members of a single community For other uses, see Cosmopolitan. Cosmopolitanism is the idea that all human beings are members of a single community. Its adherents are known as cosmopolitan or cosmopolite. Cosmopolitanism is both prescriptive and aspirational. The idea encompasses different dimensions and avenues of community, such as promoting universal moral standards or developing a platform for mutual cultural expression and tolerance.[1][2] F...

 

 

François Berléand

French actor (born 1952) François BerléandBorn (1952-04-22) 22 April 1952 (age 72)Paris, FranceOccupationActorYears active1973–present François Berléand (French: [fʁɑ̃swa bɛʁleɑ̃]; born 22 April 1952) is a French actor. He plays Gilles Triquet, the officer manager and equivalent of David Brent in Le Bureau, the French version of The Office, produced by Canal+. He also appeared in the 2002 film The Transporter as the French commissaire named Tarconi, an active an...

 

 

29-я пехотная дивизия (Российская империя)

У этого термина существуют и другие значения, см. 29-я дивизия.У этого термина существуют и другие значения, см. 29-я пехотная дивизия. 29-я пехотная дивизия Годы существования 1863 — 1918 Страна  Российская империя Подчинение начальнику дивизии Входит в 20-й армейский корпус Т�...

مارتن ساتريانو

مارتن ساتريانو معلومات شخصية الميلاد 20 فبراير 2001 (العمر 23 سنة)مونتفيدو  الطول 1.87 م (6 قدم 1 1⁄2 بوصة) مركز اللعب مهاجم الجنسية الأوروغواي إيطاليا  معلومات النادي النادي الحالي إمبولي (معارًا من إنتر ميلان) الرقم 9 مسيرة الشباب سنوات فريق 2015–2020 ناسيونال مونت�...

 

 

Herta Müller

Müller nel 2022 Premio Nobel per la letteratura 2009 Herta Müller (Nitzkydorf, 17 agosto 1953) è una scrittrice, saggista e poetessa tedesca, nata in Romania e vincitrice del Premio Nobel per la letteratura nel 2009. È nota per aver descritto nelle sue opere le condizioni di vita in Romania durante la dittatura di Nicolae Ceaușescu. Si guadagnò da vivere come maestra d'asilo e insegnante di lingua tedesca. Nel 1982 pubblica il suo primo libro, che esce in forma censurata, come gran ...

 

 

Ceres (planeta anão)

 Nota: Para outros significados, veja Ceres. Ceres Planeta anão Imagem em cores naturais de Ceres.Essa imagem foi registrada em maio de 2015, pela sonda Dawn. Características orbitais Semieixo maior 2,7663 UA Periélio 2,5468 UA Afélio 2,9858 UA Excentricidade 0,07934 Período orbital 1680,5 d (4,599 a) Velocidade orbital média 17,882 km/s Inclinação Com a eclíptica: 10,585° Com o plano invariável: 9,20 ° Argumento do periastro 72,825° Longitude do nó ascendente 80.399° Cara...

Sinclair BASIC

Il Sinclair BASIC (dal nome di Sir Clive Sinclair) è un dialetto del linguaggio di programmazione BASIC utilizzato negli home computer ad 8 bit prodotti da Sinclair Research e Timex Sinclair. L'interprete del Sinclair BASIC fu sviluppato da Nine Tiles Networks Ltd.. Indice 1 Storia 2 Caratteristiche 2.1 Operazioni matematiche e funzioni 2.2 Operazioni logiche 2.3 Operazioni sulle stringhe 2.4 Altre caratteristiche 2.5 Nomi delle variabili 3 Nei modelli di Spectrum 3.1 ZX Spectrum 4 Timex BAS...

 

 

Michail Jurjewitsch Lermontow

Mikhail Lermontov ist eine Weiterleitung auf diesen Artikel. Zum Kreuzfahrtschiff siehe Mikhail Lermontov (Schiff). Michail Jurjewitsch Lermontow (1837) Michail Jurjewitsch Lermontow (russisch Михаи́л Ю́рьевич Ле́рмонтов; wissenschaftliche Transliteration Michail Jur'evič Lermontov; * 3. Oktoberjul. / 15. Oktober 1814greg., Moskau; † 15. Julijul. / 27. Juli 1841greg. im Duell in Pjatigorsk) war ein russischer Dichter. Neben Alexa...