Gentoo Forums
Some doubts about LUKS2&dmcrypt
lfs0a
Tux's lil' helper

Joined: 19 Oct 2016
Posts: 132

PostPosted: Tue Jun 25, 2024 2:40 pm    Post subject: Some doubts about LUKS2&dmcrypt

Hi guys,
I've managed to set up full disk encryption with LUKS2 (root partition encrypted, with an ESP and an ext4 /boot partition).
Now I'm wondering:
1: when I reboot or shutdown, does it automatically umount and re-encrypt /?
2: I force it to encrypt 60 seconds, but after I input the passphrase, it took about 4-5 minutes to decrypt, why? (8250U, about 300G SSD, benchmark XTS about 2300MB/S)

Thanks in advance.
sublogic
Apprentice

Joined: 21 Mar 2022
Posts: 232
Location: Pennsylvania, USA

PostPosted: Tue Jun 25, 2024 11:59 pm    Post subject: Re: Some doubts about LUKS2&dmcrypt

lfs0a wrote:
Hi guys,
I've managed to set up full disk encryption with LUKS2 (root partition encrypted, with an ESP and an ext4 /boot partition).
Just so we are on the same page: your ESP and /boot partitions are cleartext, and the rest are LVM logical volumes in a LUKS2-encrypted partition that spans the rest of the disk?

Quote:
Now I'm wondering:
1: when I reboot or shutdown, does it automatically umount and re-encrypt /?
It's always encrypted. To illustrate with my own setup:
Code:
$ lsblk
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda              8:0    0 465.8G  0 disk 
├─sda1           8:1    0     8M  0 part 
├─sda2           8:2    0   256M  0 part 
└─sda3           8:3    0 465.5G  0 part 
  └─root       254:0    0 465.5G  0 crypt
    ├─vg0-root 254:1    0    40G  0 lvm   /
    ├─vg0-var  254:2    0    40G  0 lvm   /var
    ├─vg0-home 254:3    0    40G  0 lvm   /home
    └─vg0-swap 254:4    0    64G  0 lvm   [SWAP]
My root partition is /dev/mapper/vg0-root. I also have /dev/mapper/vg0-home, /dev/mapper/vg0-var and /dev/mapper/vg0-swap. Above them, /dev/mapper/root is their LVM container (bad name, it is an LVM volume group and not the root partition). These are all virtual block devices. /dev/mapper/root is also the cleartext of /dev/sda3 past the LUKS header.

Encryption and decryption are done on demand as I/O happens through the virtual block devices. Anything written to /dev/mapper/vg0-root (or -home, or -var, or -swap) is mapped to a part of /dev/mapper/root; from there it is encrypted and finally written to /dev/sda3 on the disk. No cleartext ever hits the disk. When you shut down, the cleartext devices disappear and only encrypted data remains. When you reboot, your initramfs prompts you for a passphrase, brings back the virtual devices and finishes booting to the decrypted root.

Quote:
2: I force it to encrypt 60 seconds,
I don't understand. What command did you run to do that, and at what stage?

Quote:
but after I input the passphrase, it took about 4-5 minutes to decrypt, why? (8250U, about 300G SSD, benchmark XTS about 2300MB/S)
I speculate that you overdid the key derivation parameters. Your passphrase is not the volume key; your passphrase is used to encrypt the volume key before storing it in the LUKS header. Furthermore, your passphrase is not used directly: it is hashed repeatedly with an expensive function, and it is the final digest that encrypts the volume key. This is to mitigate attacks against weak passphrases. When you run luksFormat you decide how expensive this step must be, if you don't like the defaults.

If that is your predicament, you can run cryptsetup luksAddKey to add a new passphrase with easier hash parameters. There is only one volume key but you can have up to 32 passphrases. When you add a new one, you are asked for the new passphrase but you also have to type a valid existing passphrase, and it will take 4-5 minutes to add the new key. You can pass --key-slot number to luksOpen to test the new passphrase. If all is well you can run cryptsetup luksKillSlot to delete the slow one.

IF YOU KILL ALL YOUR KEY SLOTS, YOUR DATA IS GONE FOREVER! So be careful. Read all the cryptsetup man pages. Consider running cryptsetup luksHeaderBackup and save a copy of the LUKS header to a USB thumb drive. And test the backup header!
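sublogic's lsblk listing shows the point being made: a TYPE "crypt" device sits between the partition and everything mounted above it, so those mounts are never stored in cleartext, while partitions with no crypt layer beneath them (the ESP, /boot) are. The following is an added example, not code from the thread or from any poster: it parses the JSON form of the same tree (lsblk --json) and reports, per mountpoint, whether a dm-crypt device lies somewhere beneath it. The JSON sample is constructed to mirror the layout above, with a /boot mount on sda2 added as an assumption; field names follow util-linux's lsblk output.

```python
"""Report which mountpoints are backed by a dm-crypt device.

Added example, not from the thread. Walks the tree that `lsblk --json`
prints and flags every mountpoint whose device stack contains no
TYPE "crypt" layer: such data reaches the disk in cleartext.
"""
import json
from typing import Dict, List

# Constructed sample in lsblk --json shape, modelled on the layout in the
# thread (LUKS2 on sda3 holding LVM volumes) plus an assumed /boot on sda2.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoints": [null], "children": [
    {"name": "sda1", "type": "part", "mountpoints": [null]},
    {"name": "sda2", "type": "part", "mountpoints": ["/boot"]},
    {"name": "sda3", "type": "part", "mountpoints": [null], "children": [
      {"name": "root", "type": "crypt", "mountpoints": [null], "children": [
        {"name": "vg0-root", "type": "lvm", "mountpoints": ["/"]},
        {"name": "vg0-var",  "type": "lvm", "mountpoints": ["/var"]},
        {"name": "vg0-home", "type": "lvm", "mountpoints": ["/home"]},
        {"name": "vg0-swap", "type": "lvm", "mountpoints": ["[SWAP]"]}
      ]}
    ]}
  ]}
]}
"""


def parse_lsblk(text: str) -> dict:
    """Load lsblk --json output (real output or the constructed sample)."""
    return json.loads(text)


def _mountpoints(dev: dict) -> List[str]:
    # util-linux >= 2.37 emits a "mountpoints" list; older releases emit a
    # single "mountpoint" string. Accept both and drop nulls.
    mps = dev.get("mountpoints")
    if mps is None:
        mps = [dev.get("mountpoint")]
    return [m for m in mps if m]


def encrypted_mounts(tree: dict) -> Dict[str, bool]:
    """Map each mountpoint to True when a crypt device lies beneath it."""
    result: Dict[str, bool] = {}

    def walk(dev: dict, under_crypt: bool) -> None:
        # Once a crypt layer is passed, everything stacked on it inherits it.
        here = under_crypt or dev.get("type") == "crypt"
        for mp in _mountpoints(dev):
            result[mp] = here
        for child in dev.get("children", []):
            walk(child, here)

    for top in tree["blockdevices"]:
        walk(top, False)
    return result


def cleartext_mounts(tree: dict) -> List[str]:
    """Mountpoints whose writes reach the disk without passing dm-crypt."""
    return sorted(mp for mp, enc in encrypted_mounts(tree).items() if not enc)


if __name__ == "__main__":
    # On a live system feed in: lsblk --json -o NAME,TYPE,MOUNTPOINTS
    tree = parse_lsblk(SAMPLE_LSBLK_JSON)
    for mp, enc in encrypted_mounts(tree).items():
        print(f"{mp:8s} {'encrypted (dm-crypt beneath)' if enc else 'CLEARTEXT'}")
    print("cleartext mounts:", cleartext_mounts(tree))
```

On the sample this lists / , /var, /home and [SWAP] as encrypted and /boot as cleartext, which is exactly the split sublogic describes: the crypt device is the only place plaintext exists, and it is gone once the machine is off.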
lfs0a
Tux's lil' helper

Joined: 19 Oct 2016
Posts: 132

PostPosted: Wed Jun 26, 2024 12:49 am    Post subject: Re: Some doubts about LUKS2&dmcrypt

sublogic wrote:
lfs0a wrote:
Hi guys,
I've managed to set up full disk encryption with LUKS2 (root partition encrypted, with an ESP and an ext4 /boot partition).
Just so we are on the same page: your ESP and /boot partitions are cleartext, and the rest are LVM logical volumes in a LUKS2-encrypted partition that spans the rest of the disk?

Quote:
Now I'm wondering:
1: when I reboot or shutdown, does it automatically umount and re-encrypt /?
It's always encrypted. To illustrate with my own setup:
Code:
$ lsblk
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda              8:0    0 465.8G  0 disk 
├─sda1           8:1    0     8M  0 part 
├─sda2           8:2    0   256M  0 part 
└─sda3           8:3    0 465.5G  0 part 
  └─root       254:0    0 465.5G  0 crypt
    ├─vg0-root 254:1    0    40G  0 lvm   /
    ├─vg0-var  254:2    0    40G  0 lvm   /var
    ├─vg0-home 254:3    0    40G  0 lvm   /home
    └─vg0-swap 254:4    0    64G  0 lvm   [SWAP]
My root partition is /dev/mapper/vg0-root. I also have /dev/mapper/vg0-home, /dev/mapper/vg0-var and /dev/mapper/vg0-swap. Above them, /dev/mapper/root is their LVM container (bad name, it is an LVM volume group and not the root partition). These are all virtual block devices. /dev/mapper/root is also the cleartext of /dev/sda3 past the LUKS header.

Encryption and decryption are done on demand as I/O happens through the virtual block devices. Anything written to /dev/mapper/vg0-root (or -home, or -var, or -swap) is mapped to a part of /dev/mapper/root; from there it is encrypted and finally written to /dev/sda3 on the disk. No cleartext ever hits the disk. When you shut down, the cleartext devices disappear and only encrypted data remains. When you reboot, your initramfs prompts you for a passphrase, brings back the virtual devices and finishes booting to the decrypted root.

Quote:
2: I force it to encrypt 60 seconds,
I don't understand. What command did you run to do that, and at what stage?

Quote:
but after I input the passphrase, it took about 4-5 minutes to decrypt, why? (8250U, about 300G SSD, benchmark XTS about 2300MB/S)
I speculate that you overdid the key derivation parameters. Your passphrase is not the volume key; your passphrase is used to encrypt the volume key before storing it in the LUKS header. Furthermore, your passphrase is not used directly: it is hashed repeatedly with an expensive function, and it is the final digest that encrypts the volume key. This is to mitigate attacks against weak passphrases. When you run luksFormat you decide how expensive this step must be, if you don't like the defaults.

If that is your predicament, you can run cryptsetup luksAddKey to add a new passphrase with easier hash parameters. There is only one volume key but you can have up to 32 passphrases. When you add a new one, you are asked for the new passphrase but you also have to type a valid existing passphrase, and it will take 4-5 minutes to add the new key. You can pass --key-slot number to luksOpen to test the new passphrase. If all is well you can run cryptsetup luksKillSlot to delete the slow one.

IF YOU KILL ALL YOUR KEY SLOTS, YOUR DATA IS GONE FOREVER! So be careful. Read all the cryptsetup man pages. Consider running cryptsetup luksHeaderBackup and save a copy of the LUKS header to a USB thumb drive. And test the backup header!

Thanks for reply, sublogic.

1. I did it without LVM; the ESP and /boot partitions are cleartext.

2. There is a /etc/init.d/dmcrypt which I added to the boot runlevel. Should I?

3. I did something with the derivation parameters. My question is: it took about 5 minutes to decrypt; what did it do in the 4 minutes after derivation?

Have a nice day!
sublogic
Apprentice

Joined: 21 Mar 2022
Posts: 232
Location: Pennsylvania, USA

PostPosted: Wed Jun 26, 2024 9:57 pm    Post subject: Re: Some doubts about LUKS2&dmcrypt

lfs0a wrote:
Thanks for reply, sublogic.

1. I did it without LVM; the ESP and /boot partitions are cleartext.
OK. That's simple. You have a root partition with everything on it, and no swap.
(I didn't ask, but: you have an initramfs that prompts you for a passphrase and sets up the encrypted root?)

Quote:
2. There is a /etc/init.d/dmcrypt which I added to the boot runlevel. Should I?
You don't need it. It opens additional encrypted partitions after root is mounted, and you don't have any. Look at /etc/conf.d/dmcrypt if you're curious.

lfs0a wrote:
3. I did something with the derivation parameters. My question is: it took about 5 minutes to decrypt; what did it do in the 4 minutes after derivation?
I don't know what's going on here. I'll repeat my question:

lfs0a wrote:
I force it to encrypt 60 seconds
What does that mean? What command did you run, and at what stage of the installation?
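The unresolved question in the thread is what the key-derivation step actually cost. sublogic's diagnosis is that the per-keyslot PBKDF parameters in the LUKS2 header were oversized, and the fix he outlines is to add a cheaper passphrase, test it by slot, then kill the slow slot, with a header backup first. The following is an added example, not code from the thread or from the cryptsetup project: it reads the keyslot section of a `cryptsetup luksDump` listing, reports each slot's PBKDF type and cost, picks out the slots above a chosen ceiling, and spells out that replacement sequence as cryptsetup invocations. The dump text is constructed (salts and most fields omitted), `/dev/sdX3` is a placeholder for the real partition, and the backup file name is an assumption; the cryptsetup subcommands and options used (`luksHeaderBackup --header-backup-file`, `luksAddKey --pbkdf --iter-time`, `open --test-passphrase --key-slot`, `luksKillSlot`) are the tool's own.

```python
"""Read each keyslot's key-derivation cost from `cryptsetup luksDump`.

Added example, not from the thread. Unlock time is dominated by the PBKDF
parameters stored per keyslot in the LUKS2 header; this finds the slow slot
so a cheaper passphrase can be added beside it and the slow one removed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in LUKS2 luksDump layout, trimmed to what matters.
# Slot 0 has an oversized Argon2 time cost, slot 1 a normal one, slot 2 is
# PBKDF2. Not output from a real device; salts and several fields omitted.
SAMPLE_DUMP = """\
LUKS header information
Version:        2

Keyslots:
  0: luks2
        PBKDF:      argon2id
        Time cost:  120
        Memory:     1048576
        Threads:    4
        Area offset:32768 [bytes]
  1: luks2
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
        Area offset:290816 [bytes]
  2: luks2
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 2000000
        Area offset:548864 [bytes]
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 117000
"""

SLOT_RE = re.compile(r"^\s+(\d+): luks2\s*$")            # "  0: luks2"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?):\s*(\S.*?)\s*$")  # "Time cost:  4"


@dataclass
class Keyslot:
    slot: int
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def pbkdf(self) -> str:
        return self.fields.get("PBKDF", "")


def parse_keyslots(dump: str) -> Dict[int, Keyslot]:
    """Return {slot number: Keyslot} from the 'Keyslots:' section only."""
    slots: Dict[int, Keyslot] = {}
    current = None
    in_section = False
    for line in dump.splitlines():
        if line.startswith("Keyslots:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break  # next top-level section (Tokens:, Digests:) ends the keyslots
        m = SLOT_RE.match(line)
        if m:
            current = Keyslot(int(m.group(1)))
            slots[current.slot] = current
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current.fields[m.group(1)] = m.group(2)
    return slots


def slots_exceeding(slots: Dict[int, Keyslot], max_time_cost: int,
                    max_iterations: int) -> List[int]:
    """Slots whose cost is above the ceiling for their PBKDF family.
    Argon2 'Time cost' and PBKDF2 'Iterations' are different units."""
    slow: List[int] = []
    for n, ks in sorted(slots.items()):
        if ks.pbkdf.startswith("argon2") and int(ks.fields.get("Time cost", 0)) > max_time_cost:
            slow.append(n)
        elif ks.pbkdf == "pbkdf2" and int(ks.fields.get("Iterations", 0)) > max_iterations:
            slow.append(n)
    return slow


def replacement_commands(device: str, slow_slot: int, test_slot: int) -> List[str]:
    """The thread's sequence: back up the header, add a passphrase at the
    default ~2 s iteration time, prove the new slot opens the device on its
    own, then kill the slow slot. `test_slot` is the number luksAddKey
    assigned to the new passphrase (read it from a fresh luksDump)."""
    return [
        f"cryptsetup luksHeaderBackup {device} --header-backup-file luks-header.bak",
        f"cryptsetup luksAddKey --pbkdf argon2id --iter-time 2000 {device}",
        f"cryptsetup open --test-passphrase --key-slot {test_slot} {device}",
        f"cryptsetup luksKillSlot {device} {slow_slot}",
    ]


if __name__ == "__main__":
    slots = parse_keyslots(SAMPLE_DUMP)
    for n, ks in sorted(slots.items()):
        print(f"slot {n}: {ks.pbkdf} {ks.fields}")
    for n in slots_exceeding(slots, max_time_cost=10, max_iterations=5_000_000):
        print(f"slot {n} looks oversized; replacement sequence:")
        for cmd in replacement_commands("/dev/sdX3", slow_slot=n, test_slot=1):
            print("  " + cmd)
```

On the sample, slot 0 is the only one flagged: an Argon2 time cost of 120 against the usual single digits is the kind of header content that turns an unlock into minutes, and luksDump is the place to confirm it before touching any slot. The kill step is last on purpose; the header backup comes first because, as the post above says, losing every slot loses the data.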