https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
LUKS on LVM vs LVM on LUKS
LUKS on LVM. Benefits:
- every logical volume is encrypted with its own passphrase
- good for a multi-user environment
- the root file system can live on an unencrypted partition (no passphrase needed to boot). The same can be achieved with LVM on LUKS on a separate partition.
LVM on LUKS (preferred)
The block device is encrypted and LVM is configured on top of it. Benefits:
- one unlock of the block device gives access to every LVM volume created on it
- volume sizes can be changed without touching the encryption layer
cryptsetup benchmark
reports PBKDF iterations per second and the encryption/decryption throughput of each cipher and key size on this machine; use it to compare the options below.
Advice
plain vs plain64
- do not use plain on a device larger than 2 TiB (use plain64 instead): the plain IV is the 32-bit sector number, so sectors beyond 2^32 (2 TiB at 512-byte sectors) reuse IVs; plain64 uses the full 64-bit sector number
XTS
- does not require ESSIV (aes-xts-plain64)
- XTS splits the key into two halves (one for the block cipher, one for the tweak), so the key size must be twice the cipher strength you want: -s 512 for AES-256, while -s 256 gives only AES-128
CBC
- must be protected with ESSIV (aes-cbc-essiv:sha256); aes-cbc-plain has predictable IVs and leaks patterns (watermarking)
If a passphrase is used instead of a keyfile, to slow down brute-force attacks:
- choose a long passphrase to resist dictionary attacks
- use a large hash such as SHA-512 for the key derivation (--hash sha512)
- increase the iteration count (-i / --iter-time, in milliseconds; cryptsetup stores the resulting iteration count in the header)
Set up /dev/sda5 as a LUKS device:
cryptsetup luksFormat -y -v /dev/sda5
will use the compiled-in defaults, aes-xts-plain64 with a 256-bit key (i.e. AES-128 in XTS mode); run cryptsetup --help to see the defaults of your version.
Examples with explicit cipher, key size and key derivation options:
CBC with plain IV (not recommended, see above):
cryptsetup luksFormat -c aes-cbc-plain -s 256 /dev/sda5
same, with SHA-1 as PBKDF hash, 2000 ms of iterations and /dev/random for the master key:
cryptsetup luksFormat -c aes-cbc-plain -s 256 --hash sha1 -i 2000 --use-random /dev/sda5
CBC with ESSIV, AES-256:
cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 -y -v /dev/sda5
XTS, AES-128 (the :sha256 suffix only has meaning for essiv; prefer aes-xts-plain64):
cryptsetup -y -v -c aes-xts-plain:sha256 -s 256 luksFormat /dev/sda5
XTS, AES-256:
cryptsetup -y -v -c aes-xts-plain:sha256 -s 512 luksFormat /dev/sda5
Open the LUKS device (maps it to /dev/mapper/sda5)
cryptsetup luksOpen /dev/sda5 sda5
Examining the status of a LUKS device
cryptsetup status sda5
cryptsetup luksDump /dev/sda5
Closing LUKS device
cryptsetup luksClose sda5
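The advice above and the format/open steps, put together as a script for the preferred LVM-on-LUKS layout. This is an added example, not code from the wiki page or from cryptsetup; the device /dev/sda5, the mapping name cryptlvm, the volume group vg0, the LV names and sizes and the 5000 ms iteration time are assumptions. By default it only prints the commands it would run (DRY_RUN=1); with DRY_RUN=0 it must run as root and destroys everything on the device.

```shell
#!/bin/sh
# Added example (not from the wiki page): script the "LVM on LUKS" layout
# recommended above. Device path, VG/LV names and sizes are assumptions.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 executes them
# as root. WARNING: DRY_RUN=0 destroys all data on the device.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The plain IV is the 32-bit sector number: 2^32 sectors of 512 bytes is
# 2 TiB, beyond which IVs repeat. Succeeds if a device of $1 bytes still
# fits; larger devices must use plain64 (or essiv).
iv_fits_plain() {
    [ "$1" -le 2199023255552 ]
}

# Cipher spec per the advice above: XTS needs no ESSIV (plain64 has no
# 2 TiB limit); CBC must be protected with ESSIV.
cipher_spec() {
    case "$1" in
        xts) echo "aes-xts-plain64" ;;
        cbc) echo "aes-cbc-essiv:sha256" ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# XTS splits the key in two, so AES-256 needs -s 512; CBC uses the key directly.
key_bits() {
    case "$1" in
        xts) echo 512 ;;
        cbc) echo 256 ;;
        *) return 1 ;;
    esac
}

# Compose luksFormat with SHA-512 as PBKDF hash and a 5 s iteration budget
# (-i is --iter-time in milliseconds) to slow brute force on the passphrase.
luks_format_cmd() {
    dev="$1"; mode="$2"
    echo "cryptsetup luksFormat -y -v -c $(cipher_spec "$mode") -s $(key_bits "$mode") -h sha512 -i 5000 $dev"
}

# Full procedure: format, open, stack LVM on the mapped device, create and
# format the logical volumes. Sizes (20G root, rest for home) are assumptions.
setup_lvm_on_luks() {
    dev="$1"; vg="$2"; name="cryptlvm"
    run $(luks_format_cmd "$dev" xts)
    run cryptsetup luksOpen "$dev" "$name"
    run cryptsetup status "$name"
    run pvcreate "/dev/mapper/$name"
    run vgcreate "$vg" "/dev/mapper/$name"
    run lvcreate -L 20G -n root "$vg"
    run lvcreate -l 100%FREE -n home "$vg"
    run mkfs.ext4 "/dev/$vg/root"
    run mkfs.ext4 "/dev/$vg/home"
}

# Usage: sh lvm-on-luks.sh /dev/sda5 vg0   (prints the plan; DRY_RUN=0 to apply)
if [ $# -ge 1 ]; then setup_lvm_on_luks "$1" "${2:-vg0}"; fi
```

Running the script without DRY_RUN=0 first is the intended workflow: read the printed plan, confirm the device path, then apply it. Because the whole LVM stack sits inside one LUKS container, a single passphrase prompt at boot (via the encrypt and lvm2 hooks) unlocks root and home together, which is the benefit the "LVM on LUKS" section describes.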