Questions tagged [luks]
LUKS (Linux Unified Key Setup) is a disk-encryption specification.
157 questions
1 vote, 1 answer, 75 views
Can you bypass PIN requirement of FIDO token protected LUKS device with hex editor?
I noticed that with Linux pam-u2f module whether you are required to input your PIN can be changed by simply editing ~/.config/Yubico/u2f_keys file and either adding +pin to your configuration line or ...
12 votes, 3 answers, 4k views
Why shred before LUKS disk encryption?
I read the following article and it says to "Stuff random data to the device" (using shred) before encrypting with LUKS.
How to enable LUKS disk encryption with keyfile on Linux
Why would ...
2 votes, 3 answers, 1k views
Clarifying BitLocker Full Disk Encryption and the role of TPM
Question 1:
Can you confirm that in a full disk encryption setup like BitLocker, when we normally boot the system, use the password, and log in, the key to decrypt the disk is loaded into RAM?
If so, ...
2 votes, 1 answer, 787 views
Recovering LUKS Encrypted Data
It's a tale as old as full-disk encryption. Another victim of complicated passwords succumbs to LUKS on the Linux system.
I recently changed my LUKS encrypted drive password on a laptop, but my laptop ...
0 votes, 1 answer, 306 views
luks increase delays between password attempts
From what I understand, argon provides a delay between password attempts. Does luks allow increasing or reducing the delay?
1 vote, 1 answer, 440 views
Using TPM to unlock LUKS/dm-crypt volume
I am trying to understand the risks of configuring passwordless decryption via TPM of a LUKS/dm-crypt system with something like:
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+1+2+3+4+5+7+8 /...
1 vote, 1 answer, 1k views
How does a TPM module protect keys LUKS keys on Linux
I'm looking into hardening an embedded device using TPM2 with an encrypted root (/) Linux partition. I've found various articles explaining how to embed LUKS keys into the TPM (e.g. this one). Unless ...
1 vote, 1 answer, 345 views
Remote Laptop disk encryption, break glass
I am stuck with an issue of needing a break glass account on remote laptops.
It's a bit a strange situation. The laptops are built and rebuilt remotely using a small PXE setup that goes with the ...
1 vote, 2 answers, 757 views
Full disk encryption with LUKS?
I encrypted my Ubuntu Desktop 20.04.3 with LVM/LUKS during the installation process. If I turn off the computer, is the brute force the only attack available for getting the password and accessing the ...
2 votes, 1 answer, 332 views
LibreOffice password vs cryptocontainer (LUKS, VeraCrypt etc.)
How much worse is encrypting a LibreOffice document with the built-in mechanism than using a cryptocontainer (LUKS, VeraCrypt, etc.) and storing the document in it?
I am more comfortable using the ...
1 vote, 1 answer, 173 views
Does filesystem compression aid cryptanalysis?
I use LUKS to encrypt all sensitive data on my computer. If I switch to using a filesystem with on-the-fly data compression such as ZFS, should I use its compression feature together with LUKS? Does ...
1 vote, 1 answer, 818 views
LUKS: longer passphrase iteration count
From the manual of cryptsetup:
Passphrase processing: Whenever a passphrase is added to a LUKS header
(luksAddKey, luksFormat), the user may specify how much the time the
passphrase processing should ...
0 votes, 3 answers, 2k views
How difficult is it to decrypt a disk encrypted with luksOpen?
I have encrypted a disk on my Ubuntu machine using
sudo cryptsetup luksOpen /dev/sdb1 sdb1
I'm wondering how difficult is it to decrypt this disk using bruteforce password guessing?
What does the ...
0 votes, 1 answer, 2k views
is it possible to change luks2 --key-size from 512b to 256b without losing data?
I created luks2 device with default options which used aes-xts with 512b key size. I figured out that 256b is somewhat faster than 512b from benchmarks. So, I just want to use 256b but not sure if it's ...
0 votes, 1 answer, 351 views
Bypass encryption by altering source code
In the Cryptsetup Frequently Asked Questions page it says:
You are asked a passphrase of an existing key-slot first, before you can enter the passphrase for the new key-slot. Otherwise you could ...
20 votes, 3 answers, 17k views
Is LUKS still an effective option for consumer FDE considering Elcomsoft can break it?
I use Fedora Linux and was recently looking into doing Full Disk Encryption on data drives such as /home on some of my / my family's PCs. I understand that LUKS security will be partially dependent on ...
2 votes, 1 answer, 456 views
Security against local attack for remote FDE decryption?
Is there any remote FDE decryption that is resistant to an attacker that has local physical access?
Tools like dracut-sshd need to store the private key used for the sshd server on the unencrypted ...
1 vote, 1 answer, 2k views
Is it secure to automatically unlock encrypted system drive using the TPM PCR values?
A simple way of automatically decrypting system drive at boot time:
clevis luks bind -d /dev/yourdrive tpm2 '{"pcr_ids":"4,5"}'
systemctl enable clevis-luks-askpass.path
When I ...
1 vote, 0 answers, 509 views
Better security for storing certificates in LUKS or softhsm?
What is the best place to store certificates and keys which are confidential and sensitive?
As I understand LUKS is fine and kernel transparently handles encryption/decryption. Also, the LUKS volume ...
0 votes, 0 answers, 2k views
How to find the encrypted master key in LUKS header
One assignment of my teacher is driving me crazy because I don't think I'm that far from the solution but I still can't get it so I hope someone will be able to help me figure it out.
Assignment
The ...
1 vote, 0 answers, 250 views
Entered FDE password in GRUB by mistake
For several reasons (I have an external monitor, etc.) when I booted the laptop I typed the FDE (Full Disk Encryption on Linux, LUKS) without looking at the monitor, and I ended up typing the full ...
0 votes, 1 answer, 642 views
Full disk encryption and remote unlocking a mail server in the hand of a possible attacker, what could go wrong?
Since I cannot receive email directly from my home server, I need an external device to receive messages for me and deliver them to my MTA via another port or via VPN. Instead of renting a VPS just ...
3 votes, 4 answers, 5k views
How safe is dm-crypt/LUKS? Would TPM make me more secure in this case?
I’ve been looking to purchase a new laptop and I need to have security in mind. I’ve specifically been looking for laptops with discrete or integrated TPM because it’s been my understanding that TPM ...
3 votes, 3 answers, 310 views
Drawback of Multi Level Encryption
I am backing up my files to a RAID mirrored HDD, that has full disk encryption (FDE) in place with LUKS. Until now I did this with rsync, but I recently switched to a new backup program that does file ...
48 votes, 4 answers, 16k views
Aren't keyfiles defeating the purpose of encryption?
I just added a drive to my system which is basically a partition mounted for extra storage. I'd like to encrypt it to protect my data in case of god knows what, and by doing that I'd need to enter the ...