[dm-crypt] Basics

Arno Wagner arno at wagner.name
Sat Sep 26 01:03:09 CEST 2015

On Sat, Sep 26, 2015 at 00:24:10 CEST, Michael Kjörling wrote:
> On 25 Sep 2015 23:48 +0200, from promike1987 at gmail.com (Mike Nagie):
> > I'll probably use this command:
> > cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 (or 
> > an other one I haven't decided yet) --iter-time (about) 2000 (I'm 
> > generous, about 2 secs seems fine) --use-random
> Looks reasonable, except you forgot to pass "luksFormat" and a device
> to cryptsetup, so it won't know what to do with the rest. :-) (Oh, and
> note that as discussed here previously, the problems with SHA-1
> leading to its current sunsetting don't affect its usage in LUKS. In
> fact, I'd expect that for LUKS' purposes, even MD5 would still be a
> secure choice, if perhaps somewhat... unusual.)

It would be. And it will likely remain so for a long, long time.
Remember that the problems with SHA-1 and MD5 are collisions,
not hash-reversing. Well, a collision for the use in LUKS
means that if you already have a valid passphrase, you can make
another one. That does not break LUKS security at all.

Also keep in mind that only non-iterated SHA-1 and MD5 are
vulnerable to this attack. While I am not aware of anybody
having investigated it, I think it is possible that SHA-1
and MD5 even iterated 2x are secure again against collisions,
as collision attacks are usually tried first against reduced-round
versions of a hash.

LUKS uses around 10'000 iterations for checking the master key and
around 400'000 iterations for the passphrase.

Of course, using SHA512 should not make things weaker, but it
also does not make things any more secure.

As a side-note: It is not a good idea to tinker with crypto-parameters
unless you are an expert. A lot of things are non-obvious
and sometimes you will end up breaking things when you think you make
them more secure.

> If you want additional security against forensic analysis, a good
> strategy might be to set up a LUKS container with a throwaway
> passphrase and key, and then "dd" or "ddrescue" zeroes into it, then
> create your real LUKS container in place of the throwaway one. That
> will ensure that any remnants of old data are gone, and will prevent
> forensic analysis based around which parts of the container appear to
> hold encrypted data. In other words:

That is excessive effort. Just do what FAQ Item 2.19 says.


Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
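Added illustration (not part of the original thread): the passphrase-to-slot-key derivation and master-key check that the discussion above refers to, modelled on LUKS1's use of PBKDF2-HMAC, plus a calibration loop that mimics what cryptsetup's --iter-time does. It makes visible why the hash choice changes the iteration count but not the security margin under a time budget. The passphrase, salts and master key are constructed sample values; the function names are this example's own.

```python
import hashlib
import time

# Constructed sample inputs. Real LUKS salts and master keys are random; these
# are fixed so the results are reproducible.
PASSPHRASE = b"correct horse battery staple"
SLOT_SALT = bytes(range(32))            # per-key-slot salt in the LUKS1 header
MK_SALT = bytes(range(32, 64))          # mk-digest-salt in the LUKS1 header
KEY_BYTES = 64                          # --key-size 512 for aes-xts-plain64
MASTER_KEY = hashlib.sha512(b"constructed master key").digest()  # 64 bytes
MK_DIGEST_BYTES = 20                    # LUKS1 stores a 20-byte mk-digest


def derive_slot_key(passphrase: bytes, salt: bytes, hash_name: str, iterations: int) -> bytes:
    """PBKDF2-HMAC as LUKS1 uses it to turn a passphrase into the key that
    decrypts a key slot. The hash only parametrises HMAC here: what an attacker
    needs is to guess the passphrase, so hash collisions do not help them."""
    return hashlib.pbkdf2_hmac(hash_name, passphrase, salt, iterations, dklen=KEY_BYTES)


def master_key_digest(master_key: bytes, salt: bytes, hash_name: str, iterations: int) -> bytes:
    """The iterated digest LUKS1 keeps in the header (around 10'000 iterations
    in the thread's numbers) to check that an unlocked master key is correct."""
    return hashlib.pbkdf2_hmac(hash_name, master_key, salt, iterations, dklen=MK_DIGEST_BYTES)


def calibrate_iterations(hash_name: str, target_ms: int, probe_iterations: int = 10_000) -> int:
    """Mimic --iter-time: time a probe derivation and scale the iteration count
    so one derivation takes about target_ms on this machine. A slower hash such
    as sha512 simply ends up with fewer iterations for the same time budget."""
    start = time.perf_counter()
    derive_slot_key(PASSPHRASE, SLOT_SALT, hash_name, probe_iterations)
    elapsed_ms = (time.perf_counter() - start) * 1000
    if elapsed_ms <= 0:
        return probe_iterations
    return max(1000, int(probe_iterations * target_ms / elapsed_ms))


def compare_hashes(target_ms: int = 200) -> dict:
    """Iteration counts each hash reaches within the same wall-clock budget."""
    return {h: calibrate_iterations(h, target_ms) for h in ("sha1", "sha256", "sha512")}


def unlock_ok(passphrase: bytes, hash_name: str, slot_iters: int, mk_iters: int) -> bool:
    """Check flow: derive the slot key, then verify the (here: directly used)
    master key against the stored digest, as cryptsetup does after decrypting
    the key slot."""
    stored = master_key_digest(MASTER_KEY, MK_SALT, hash_name, mk_iters)
    derive_slot_key(passphrase, SLOT_SALT, hash_name, slot_iters)  # would decrypt the slot
    return master_key_digest(MASTER_KEY, MK_SALT, hash_name, mk_iters) == stored


if __name__ == "__main__":
    for name, iters in compare_hashes().items():
        print(f"{name:7s} {iters:>9d} iterations for ~200 ms")
```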
