Dm-crypt full disk encryption

This article Article description::discusses several aspects of using Dm-crypt for (full) disk encryption. It is primarily meant as a source of supplementary information not already discussed within the Dm-crypt, genkernel, or initramfs wiki pages.

Which cipher:hash combination?
The default cipher for LUKS is nowadays, i.e. AES as cipher and XTS as mode of operation. This should be changed only under very rare circumstances. The default is a very reasonable choice security wise and by far the best choice performance wise that can deliver between 2-3 GiB/s encryption/decryption speed on CPUs with AES-NI. XTS uses two AES keys, hence possible key sizes are  and.

The default choice of cipher and key size can be overriden by the command line parameters  and , for example

If you want to know more about the performance on a given set of cipher and mode of operation you can run. Issuing the command without  and   runs the benchmark for a number of different choices. For example, a (slightly shortened) output for a mid-2014 Intel Core i7 CPU might look like:

What choice of hash for key derivation?
LUKS uses PBKDF2 for key derivation. In essence, the supplied passphrase by the user is combined with a salt and hashed a specified number of rounds. This key stretching makes the password more secure against brute force attacks. The hash function used in PBKDF2 can be set via. The default is  and can (depending on taste) be changed to another secure hash algorithm. The total number of iterations is determined by the speed of the current hardware and can be influenced by setting the number of milliseconds that shall be spent in PBKDF2 passphrase processing by. To increase the default from 2s to 3s and use sha512 one could for example use

On passphrases, detached LUKS headers, and (encrypted) keyfiles
Use a reasonably long passphrase (use, e.g., 8-12 common random words, see xkcd on that subject) in combination with PBKDF2 for key stretching.

Additional protection against brute force attacks can be achieved by setting up a an external USB flash drive to store essential decryption information (like a keyfile, or the LUKS header itself). The flash drive then has the equivalent function of a physical key; opening the encrypted partition is only possible if both, flash drive and passphrase, are provided. However, this comes with a significant downside in terms of complexity, for example for setting up full disk encryption, or potential to lose decryption keys (by losing the USB flash drive).

Detached LUKS header
It is possible to encrypt a partition with detached LUKS header (where all information about password derivation is stored) that is stored at (physically) different location, e.g., a USB flash drive. This leaves an attacker that is not in possession of the flash drive with no information about key derivation and encryption algorithms used. This makes brute force attacks potentially more difficult.

The following commands first create a file  with a fixed size of 5MB. Then, a detached LUKS header is written to the file. (See the dm-crypt wiki page for further information on how to use, or  .)

To check that the header was written successfully, run. In order to open the encrypted device,

Generating a GnuPG encrypted keyfile
The more traditional approach to use a USB flash drive is to store a GnuPG encrypted keyfile (that contains sufficient entropy) on it. Such a key file is readily supported by genkernel.

The following commands create a GnuPG encrypted keyfile of 512 bits and set up an encrypted partition with it:

In order to open the encrypted device,

Preparing disks
It is sometimes recommended to overwrite the whole disk with random numbers prior to setting up disk encryption. The rationale behind this recommendation is that reading an encrypted disk should leak as little information as possible. But if unused blocks (by the file system) are still all zero, an adversary can recover some high level information by determining which (encryption) blocks are likely used (because they contain random looking data) and which are unused (because they are, for example, all zero). The number and location of likely used encryption blocks can reveal information such as disk usage, the file system in use, or likely average file size.

Thus, a somewhat effective (but time consuming) counter measure is to overwrite the disk with random data before using it. An efficient way to do generate large amounts of random data quickly is to use a cryptsetup mapping. For example, in order to overwrite, use

After that, format the disk with

Dm-crypt on SSDs and hybrid drives
For additional information about security aspects of using dm-crypt on SSDs and hybrid drives, have a look at the cryptsetup FAQ.

Cryptsetup can transparently forward discard operations to an SSD. This feature is activated by using the  option in combination with. Enabling discards on an encrypted SSD can be a measure to ensure effective wear levelling and longevity, especially if the full disk is encrypted. For an in detail discussion about the security implications, have a look at the cryptsetup FAQ and the man page of cryptsetup.

Generating an initramfs
After encrypting system or disk(s), one will need an initramfs so that rootfs can be mounted in there and then pass the control to real init. There are a few generic initramfs builder that can be used to accomplish the task such as dracut, mkinitcpio (there's a thread in the forums and an ebuild: sys-kernel/mkinitramfs-ll) or even genkernel (or the next variant) which has LUKS support.

Genkernel/Genkernel-next
To use or, edit  to enable the cryptsetup USE flag before emerging it. The static USE flag may also be enabled on the so that genkernel will use the system binaries (otherwise it will build its own private copy). The following example will build only an initramfs (not an entire kernel) and enable support for luks. Even if you don't use lvm, `--lvm' option is required to include necessary udev rules.

For a more complete set of explanations refer to the comments in itself or to the output of.

The initrd will require parameters to tell it how to decrypt the drive, and they are supplied the same way as other kernel parameters. For example:

Further information can be found in the genkernel article.

Dracut
The package was ported from the RedHat project and serves a similar tool for generating an initramfs. Some modules may be desired, please refer to dracut. Generally, the following command will generate a usable default initramfs.

The initrd will require parameters to tell it how to decrypt the drive, and they are supplied the same way as other kernel parameters. For example:

For a comprehensive list of luks options within dracut please see the section in the dracut manual.

Mkinitramfs-LL
The unofficial sys-kernel/mkinitramfs-ll (found in tokiclover's bar-overlay) is a lightweight and modular variant of the previous well known initramfs generating tools which comes with udev free dependency. It depends only on busybox with mdev by default and depends on extra packages for additional functionalities. So, nor bash, coreutils nor util-linux is bundled into the initramfs. Extra flexibilities are offered as well, like the possibility to have DM-Crypt LUKS on top of LVM or vice versa, btrfs or ZFS on top of DM-Crypt LUKS, DM-Crypt LUKS on top of RAID, detached header (to a device or a file) for dm-crypt LUKS et al.

Use the following GRUB2 configuration excerpt to get going for LVM/LUKS and regular key file on a removable device setup.