Linux Crypto Tip: Using LUKS to provide confidentiality

Learn about LUKS (Linux Unified Key Setup), an industrial-strength drive encryption tool from Fedora Core 5 which will stand up to brute force attacks and forensic analysis.

Once customers' confidential data has been stolen and leaked, not much can be done to protect victims from targeted

attacks on identity or credit. While companies debate how to handle such attacks, sensitive data continues to be left unprotected far too often and with great consequence. Why is it that we so often forget that basic truth that prevention is better than cure?

Securing valuable data need not be a difficult proposition. New tools are hitting the market every month to make this task easier than ever. The Linux Unified Key Setup (LUKS) is an industrial-strength drive encryption tool that works so much better than the broken crypto-loop framework used by many contemporary Linux drive encryption technologies.

The release of Fedora Core 5 brought a string of much needed security enhancements, one of which was LUKS. LUKS establishes a simple solution for creating encrypted volumes out of on-disk files, partitions and disk drives in a dynamic nature. Partitions can be resized. Keys and pass phrases can be issued and revoked at will. Keys and pass phrases can also be layered with a mixture of logical volumes (LVM), RAID and journaling file systems like ext3, JFS or XFS. Furthermore, LUKS is sharable between Windows and Linux hosts using free on-the-fly encryption (FreeOTFE), and it is integrated into HAL and GNOME (thanks to David Zeuthen of Red Hat), which translates to dialog-driven desktop interaction for better usability.

LUKS is built upon enterprise-grade software components like the password-based key derive function (PBKDF2, as documented in the TKS1 specification provided by the author), which works well with low-entropy sources. The implementation itself stands up well against brute force attacks and forensic analysis.

The command line sequences below demonstrate an example using a standard USB flash drive.

  • Create a new volume by formatting USB storage as a LUKS partition encrypted with the AES cipher, using a predefined 256-byte GPG keyfile:
    # /sbin/cryptsetup -v -c aes-cbc-essiv:sha256 luksFormat /dev/sdb1 \
     --key-file ${HOME}/.gnupg/keyfile.gpg --key-size 256
  • Open the newly formed volume so that it can be usable to the system as "usb-crypto":
    # /sbin/cryptsetup -v luksOpen /dev/sda1 usb-crypto
  • Format the unencrypted volume as type VFAT so that it can be shared between Linux and Windows (with FreeOTFE):
    # /sbin/mkfs.vfat /dev/sdb1
  • Then mount the VFAT volume to begin using it:
    # /bin/mount /dev/mapper/usb-crypto /media/usb-crypto
  • Closing the USB drive is even simpler:
    # /bin/umount usb-crypto
     # cryptsetup luksClose usb-crypto

Going forward, HAL and gnome-mount will identify the drive and provide interactive dialogs for using the volume from the desktop instead of opening a console every time. This trivializes the encryption process without compromising integrity. Theft of the LUKS-protected physical media yields essentially useless information without knowledge of pass phrases and/or possession of key files.

Use drive encryption whenever anyone must carry confidential or otherwise private information beyond the safety of the enterprise environment. Laptop theft can happen to anyone. Maintaining the integrity of privileged information can and should be done with LUKS, especially when customer or client confidentiality is at stake.

LUKS by itself does nothing to secure Windows laptops, but a LUKS volume can be read within Windows using FreeOTFE if both share a common file or partition format (VFAT and LUKS on a USB drive, for example).

Ed Tittel is a full-time freelance writer and trainer based in Austin, Tex., who specializes in markup languages, information security and IT certifications. Justin Korelc is a longtime Linux hacker who works with Ed and concentrates on hardware and software security topics. Both contributed to a recent book on Home Theater PCs; right now, both are busy at work on a book about the Linux-based MythTV environment.


This was first published in June 2006

Dig deeper on Linux security risks and threats

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchDataCenter

SearchServerVirtualization

SearchCloudComputing

SearchEnterpriseDesktop

Close