Difference between revisions of "Linux Unified Key Setup (LUKS)"

Revision as of 13:52, 23 December 2013

Linux Unified Key Setup (LUKS) is commonly used by Linux to encrypt storage media volumes. LUKS is implemented in the Linux kernel in dm-crypt (dm = Device Mapper) and the user-space component cryptsetup.

LUKS supports various encryption methods, like:

• AES
• Anubis
• BlowFish
• Cast5
• Cast6
• Serpent
• Tnepres a reversed variant of Serpent
• TwoFish

These encryption methods can be used in various chaining modes and with various initialization vector modes.

How to detect

A LUKS encrypted volume starts with the "LUKS\xba\xbe" signature.

A hexdump of the start of the volume should look similar to:

00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  63 62 63 2d 65 73 73 69  |........cbc-essi|
00000030  76 3a 73 68 61 32 35 36  00 00 00 00 00 00 00 00  |v:sha256........|
00000040  00 00 00 00 00 00 00 00  72 69 70 65 6d 64 31 36  |........ripemd16|
00000050  30 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |0...............|

The encryption mode is in the format:

chaining_mode[-initialization_vector_mode[:initialization_vector_options]]

Which in the example is:

cbc-essiv:sha256

And the password hashing method in the example is:

ripemd160

External Links

• New Methods in Hard Disk Encryption, by Clemens Fruhwirth, July 18, 2005
• LUKS On-Disk Format Specification - Version 1.2.1, by Clemens Fruhwirth, October 16, 2011
• LUKS Disk Encryption, by RedHat
• LUKS Disk Encryption format specification, by the libluksde project, July 2013
• Practical malleability attack against CBC-Encrypted LUKS partitions, by Jakob Lell, December 22, 2013