
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system

LUKS on LVM. Benefits:

  1. Every logical volume is encrypted with a separate password.
  2. Good for multi-user environments.
  3. The root filesystem can be on an unencrypted partition (no password needed to boot). The same can be achieved with LVM on LUKS on a separate partition.

LVM on LUKS (preferred). The block device is encrypted and LVM is configured on top of it. Benefits:

  1. One unlock of the block device gives access to all LVM volumes created on it.
  2. It is easier to change volume sizes without touching the encryption layer.

Benchmark the available ciphers and hashes before choosing:

cryptsetup benchmark

Advice

XTS

  • does not require ESSIV (aes-xts-plain)
  • half of your key is used by XTS, meaning your original key must be twice as long (hence 512-bit instead of 256-bit).

CBC

  • should be protected with ESSIV (aes-cbc-essiv)

If a password is used instead of a keyfile:

  • choose a very long password to resist dictionary attacks.
  • use a big hash like SHA512

aes-cbc-essiv:sha256

Set up /dev/sda5 as a LUKS device:

cryptsetup -y -v luksFormat /dev/sda5

will create an aes-xts-plain64 volume with a 256-bit key (the defaults when no cipher is given)

cryptsetup luksFormat -c aes-cbc-plain -s 256 /dev/sda5
cryptsetup luksFormat -c aes-cbc-plain -s 256 --hash sha1 /dev/sda5

TODO:

- SHA512

cryptsetup -v -c aes-cbc-essiv:sha256 -s 256 -y luksFormat /dev/loop0

- iterations

Open the LUKS device

cryptsetup luksOpen /dev/sda5 sda5

Examining the status of the LUKS device

cryptsetup status sda5
cryptsetup luksDump /dev/sda5

Closing the LUKS device

cryptsetup luksClose sda5
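The advice above (CBC needs ESSIV, XTS needs a key twice the AES size, avoid a small hash, iterations matter for password-based unlocks) can be checked against an existing container by reading the header that `cryptsetup luksDump` prints. The following script is an added example and is not from the wiki page or from cryptsetup itself; it parses the LUKS1 dump format, the two sample dumps inside it are constructed (digests and salts omitted), and the 100000-iteration threshold is an assumption.

```shell
#!/bin/sh
# Audit a LUKS1 header dump (text from `cryptsetup luksDump <device>`) against
# the notes above. Added example, not from the wiki page or cryptsetup; the
# thresholds are assumptions.

# Print the value of a top-level "Label:" line from a dump read on stdin.
luks_field() {
    awk -v label="$1:" '
        index($0, label) == 1 { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# Smallest PBKDF2 iteration count over all enabled key slots (0 if none).
min_slot_iterations() {
    awk '/^[ \t]+Iterations:/ { v = $2 + 0; if (min == "" || v < min) min = v }
         END { print (min == "" ? 0 : min) }'
}

# Read a dump on stdin and print findings. Returns 0 when nothing is flagged,
# 1 when a weakness is found, 2 when the input is not a LUKS1 dump.
# $1: minimum acceptable per-slot iteration count (assumed default 100000).
audit_luks_dump() {
    min_iter="${1:-100000}"
    dump=$(cat)
    version=$(printf '%s\n' "$dump" | luks_field "Version")
    if [ "$version" != "1" ]; then
        echo "SKIP: not a LUKS1 header dump (Version: '${version:-missing}')"
        return 2
    fi
    cipher=$(printf '%s\n' "$dump" | luks_field "Cipher name")
    mode=$(printf '%s\n' "$dump" | luks_field "Cipher mode")
    hash=$(printf '%s\n' "$dump" | luks_field "Hash spec")
    bits=$(printf '%s\n' "$dump" | luks_field "MK bits")
    bits="${bits:-0}"
    iters=$(printf '%s\n' "$dump" | min_slot_iterations)
    rc=0

    case "$mode" in
        cbc-essiv:*) ;;   # CBC protected with ESSIV, as the notes recommend
        cbc-*) echo "WARN: $cipher-$mode is CBC without ESSIV (use aes-cbc-essiv:sha256 or aes-xts-plain64)"; rc=1 ;;
        xts-*) if [ "$bits" -lt 512 ]; then
                   echo "WARN: XTS splits the key in two; a $bits-bit master key gives only $((bits / 2))-bit AES"; rc=1
               fi ;;
    esac

    case "$hash" in
        sha1|md5|ripemd160) echo "WARN: key derivation hash is $hash; prefer sha256 or sha512"; rc=1 ;;
    esac

    if [ "$iters" -lt "$min_iter" ]; then
        echo "WARN: weakest key slot uses $iters PBKDF2 iterations (< $min_iter); re-add the passphrase with a larger --iter-time"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cipher-$mode, $bits-bit key, $hash, min slot iterations $iters"
    return "$rc"
}

# Constructed sample dumps (not captured from a real device). The layout
# follows LUKS1 luksDump output; digest and salt lines are omitted.
sample_weak_dump() {
    cat <<'EOF'
LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    cbc-plain
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK iterations:  1000
UUID:           00000000-0000-4000-8000-000000000001

Key Slot 0: ENABLED
        Iterations:             4000
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
EOF
}

sample_strong_dump() {
    cat <<'EOF'
LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512
MK iterations:  125000
UUID:           00000000-0000-4000-8000-000000000002

Key Slot 0: ENABLED
        Iterations:             500000
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
EOF
}

# Usage: sh luks-audit.sh /dev/sda5  (reading a real header needs root).
if [ $# -gt 0 ]; then
    cryptsetup luksDump "$1" | audit_luks_dump
else
    echo "# no device given: auditing the constructed weak sample"
    sample_weak_dump | audit_luks_dump || true
fi
```

Run without arguments it audits the built-in weak sample (the `aes-cbc-plain -s 256 --hash sha1` shape from the luksFormat lines above) and reports three findings; with a device argument it audits that device's header. LUKS2 headers use a different dump layout and are reported as skipped rather than misread.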