installation - "Guided - use entire disk and set up encrypted LVM" LUKS or plain dm-crypt?

23
2014-04
  • user50910

    Does the alternate installer's "Guided - use entire disk and set up encrypted LVM" use LUKS or plain dm-crypt?

  • Answers
  • Lekensteyn

    The encryption uses LUKS with dm-crypt (not plain dm-crypt).

    Quoting http://code.google.com/p/cryptsetup/wiki/DMCrypt:

    The cryptsetup utility supports several modes. Plain mode is just equivalent of direct configuration of dmcrypt target with passphrase hashing but without on-disk metadata.

    LUKS (Linux Unified Key Setup) is now the preferred way to set up disk encryption with dm-crypt using the cryptsetup utility

    It's more likely that Ubuntu uses the recommended and more secure way of disk encryption. Now, to verify this, read the contents of the disk (assuming that /dev/sda2 contains your encrypted partition):

    sudo dd if=/dev/sda2 bs=512 count=1 | xxd
    

    You'll see several options, such as the cipher being used and the ID of the encrypted partition.

    Side note: if you only have one partition to encrypt, I suggest you avoid LVM altogether and use LUKS only (which can be done with the manual partitioning method). This avoids the overhead of LVM, which you don't need for just a single partition. On the other hand, if you have multiple partitions to encrypt (/, /home, swap), LVM on top of LUKS is more convenient as you have to enter your passphrase only once. (physical - LUKS - LVM - /home, /, swap, etc)
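    The `dd | xxd` check above only shows raw bytes; the following script decodes them. It is an added example for this thread, not code from the answer or from cryptsetup, and it is based on the public LUKS1 on-disk header layout (magic, version, cipher name, cipher mode, hash spec, UUID and the eight key slots). The function names (`identify`, `parse_luks1`), the sample header and the stand-in for a plain dm-crypt sector are all constructed for the example, not taken from a real disk.

```python
"""Detect and decode a LUKS1 header from the first sectors of a partition.

Added example for this thread; not code from the answers above or from
cryptsetup. It decodes the same bytes the `dd ... | xxd` command shows,
using the public LUKS1 on-disk layout, and reports "no LUKS header" for
anything else (plain dm-crypt keeps no metadata, so its first sector
looks like random data). All sample inputs below are constructed.
"""
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_PHDR_LEN = 592          # full LUKS1 header: 208 fixed bytes + 8 key slots * 48 bytes
LUKS1_SLOTS = 8
KEY_ENABLED = 0x00AC71F3      # key-slot "active" markers from the LUKS1 spec
KEY_DISABLED = 0x0000DEAD

# Big-endian fixed part: magic, version, cipher-name, cipher-mode, hash-spec,
# payload-offset (sectors), key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid.
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"
# One key slot: active, iterations, salt, key-material-offset (sectors), stripes.
SLOT_FMT = ">II32sII"


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_luks1(hdr: bytes) -> dict:
    """Decode a LUKS1 phdr; raise ValueError if the bytes are not one."""
    if len(hdr) < LUKS1_PHDR_LEN:
        raise ValueError(f"LUKS1 header is {LUKS1_PHDR_LEN} bytes, got {len(hdr)}")
    (magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iter, uuid_raw) = struct.unpack_from(PHDR_FMT, hdr, 0)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(LUKS1_SLOTS):
        active, iters, _salt, km_off, stripes = struct.unpack_from(
            SLOT_FMT, hdr, struct.calcsize(PHDR_FMT) + i * struct.calcsize(SLOT_FMT))
        slots.append({"slot": i, "active": active == KEY_ENABLED,
                      "iterations": iters, "key_material_offset": km_off,
                      "stripes": stripes})
    return {
        "type": "LUKS1",
        "cipher": _cstr(cipher),
        "mode": _cstr(mode),
        "hash": _cstr(hashspec),
        "key_bits": key_bytes * 8,
        "payload_offset_sectors": payload_off,
        "mk_digest_iterations": mk_iter,
        "uuid": _cstr(uuid_raw),
        "active_slots": [s["slot"] for s in slots if s["active"]],
        "slots": slots,
    }


def identify(head: bytes) -> dict:
    """Classify the first bytes of a partition the way the xxd check does."""
    if head[:6] != LUKS_MAGIC:
        # Plain dm-crypt, an unformatted partition and an unencrypted filesystem
        # all land here; plain dm-crypt cannot be told from random data.
        return {"type": "no LUKS header (plain dm-crypt, unformatted, or unencrypted)"}
    version = struct.unpack_from(">H", head, 6)[0]
    if version == 1:
        return parse_luks1(head)
    # LUKS2 (cryptsetup 2.x) shares the magic but keeps its metadata in a JSON area.
    return {"type": f"LUKS{version}", "version": version}


def sample_luks1_header() -> bytes:
    """Constructed header (not a real dump): aes / xts-plain64, 512-bit key,
    hash sha256, key slot 0 in use, payload at sector 4096."""
    fixed = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                        4096, 64, bytes(20), bytes(32), 1000,
                        b"0f2c5e1a-7b3d-4e9f-9a6c-1d2e3f4a5b6c")
    slots = b""
    for i in range(LUKS1_SLOTS):
        # key material per slot: 4000 stripes * 64 bytes = 500 sectors, 4 KiB-aligned to 504
        active = KEY_ENABLED if i == 0 else KEY_DISABLED
        slots += struct.pack(SLOT_FMT, active, 250_000 if i == 0 else 0,
                             bytes(32), 8 + 504 * i, 4000)
    return fixed + slots


def sample_plain_head() -> bytes:
    """Constructed stand-in for a plain dm-crypt (or random) first sectors."""
    return bytes((i * 37 + 11) % 256 for i in range(LUKS1_PHDR_LEN))


if __name__ == "__main__":
    # Usage: sudo python3 luks_probe.py /dev/sda2   (reads only the first 592 bytes)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as dev:
            data = dev.read(LUKS1_PHDR_LEN)
    else:
        data = sample_luks1_header()
    for key, value in identify(data).items():
        if key != "slots":
            print(f"{key}: {value}")
```

    Two practical notes on the manual check: with `count=1` you read 512 bytes, which covers the magic, cipher, mode, hash and UUID (all within the first 208 bytes) but not all eight key slots, since the LUKS1 header is 592 bytes; use `count=2` to see it whole. And a missing magic proves only that there is no LUKS header at that offset; it cannot by itself distinguish plain dm-crypt from an unencrypted or blank partition.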

  • andol

    Yes, it sets up dm-crypt using LUKS.


  • Related Question

    encryption - How secure is an encrypted LUKS filesystem?
  • browep

    I recently installed 11.10 on a fresh disk using entire disk encryption. Can someone tell me how secure the encryption algorithm is? Have there been any recent breaches with said algorithm? I use a 36 character random passphrase so I know that's not a weak link. What are the chances my client's data could be compromised if the hard drive was stolen?


  • Related Answers
  • BrownE

    Yes, it is secure. Ubuntu uses AES-256 to encrypt the disk volume and has a cypher feedback to help protect it from frequency attacks and other attacks that target statically encrypted data.

    As an algorithm, AES is secure and this has been proved by cryptanalysis testing. The weakness actually lies within the cypher and the software to pass it the keys. Specifically, it lies in the keystore (which is stored in the header of the volume); the keystore is secured by a passphrase. Passphrases are of course open to some attacks such as dictionary/brute force (if this was successful, it would decrypt the keystore). Using long "complex" non-word passwords would reduce the chance of this happening.

    The only other possibility to decrypt is using recording devices or social engineering to determine your passphrase.

    In short, your computer is reasonably safe unless you are subject to serious organised cyber crime or Government investigation!

  • chris

    I have created a Windows program that will perform a dictionary attack on LUKS volumes. http://code.google.com/p/luks-volume-cracker/

    It's slow by design, trying around 3 keys a second. Other dictionary attacks will be similarly slow, so unless you've chosen an easy passphrase the weakness will not be the algorithm.

    Be aware of key stealing from memory, and caching of files, however.