Expand, include more links, and add a description about LUKS1 and LUKS2 and LUKS headers (no baeldung links, these are low-quality)
Marcus Müller

There are two versions of the LUKS specification, LUKS1 and LUKS2; the former is intended for compatibility purposes. LUKS1 supports only the PBKDF2 (Password-Based Key Derivation Function 2) algorithm, while LUKS2 supports additional key derivation functions such as Argon2, which is recommended: it is safer and uses more memory.

Both have headers that store important metadata such as the encryption algorithm and keyslots. LUKS1 stores all of its metadata in one block at the beginning of the partition, while LUKS2 stores it in several sections, which allows redundant copies that are useful if part of the header is corrupted.

The header can be viewed with cryptsetup luksDump [device].
The following shows the header data of a LUKS2-encrypted partition:

LUKS header information
Version:        2
Epoch:          12881
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           8b46a37c-db28-4f62-b577-c8d7229374e1
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     588842
        Threads:    4
        Salt:       [redacted]
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 200000
        Salt:       [redacted] 
        Digest:     [redacted]
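
An added example (not part of the original wiki text, and not cryptsetup code) that reads `cryptsetup luksDump` text and reports which keyslots still use PBKDF2. It reads the PBKDF only from the `Keyslots:` section, because the `Digests:` section of a LUKS2 dump lists pbkdf2 even when the keyslot itself uses argon2id, as in the dump above. The function names and the second keyslot in the sample are assumptions made for illustration.

```python
import re

# Constructed, abbreviated luksDump text. Slot 0 mirrors the LUKS2 dump above;
# slot 1 is a made-up PBKDF2 slot added to show the flagged case.
LUKS2_DUMP = """\
Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2id
        Memory:     588842
  1: luks2
        PBKDF:      pbkdf2
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Iterations: 200000
"""
LUKS1_DUMP = "Version:        1\nKey Slot 0: ENABLED\nKey Slot 1: DISABLED\n"

def keyslot_kdfs(dump):
    """Return (version, {slot: kdf}) parsed from `cryptsetup luksDump` text."""
    m = re.search(r"^Version:\s*(\d+)", dump, re.M)
    if not m:
        raise ValueError("no Version line: not luksDump output")
    version = int(m.group(1))
    if version == 1:
        # LUKS1 prints no PBKDF field: every enabled slot is PBKDF2.
        slots = re.findall(r"^Key Slot (\d+): ENABLED", dump, re.M)
        return version, {int(n): "pbkdf2" for n in slots}
    kdfs, section, slot = {}, None, None
    for line in dump.splitlines():
        if line[:1].strip():                  # unindented line opens a section
            section, slot = line.strip(), None
        elif section == "Keyslots:":          # ignore the pbkdf2 under Digests:
            if (s := re.match(r"\s+(\d+): \w+", line)):
                slot = int(s.group(1))
            elif slot is not None and (p := re.match(r"\s+PBKDF:\s+(\S+)", line)):
                kdfs[slot] = p.group(1)
    return version, kdfs

def pbkdf2_slots(dump):
    """Keyslots whose passphrase is stretched with PBKDF2 rather than Argon2."""
    _, kdfs = keyslot_kdfs(dump)
    return sorted(n for n, kdf in kdfs.items() if not kdf.startswith("argon2"))
```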

This is an example of a LUKS1-encrypted partition's header data:

LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 32768
MK bits:        256
MK digest:      [redacted]
MK salt:        [redacted]
MK iterations:  500000
UUID:           91d99fbc-a325-498b-86aa-18c03348fc82

Key Slot 0: ENABLED
        Iterations:             9000000
        Salt:                   [redacted]
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
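
An added example (not part of the original wiki text, and not cryptsetup code) showing how the single LUKS1 header block at the start of the partition maps to the fields printed above. It parses the 592-byte binary header as laid out in the LUKS1 on-disk format specification; the sample header is constructed from the non-redacted values in the dump, with the redacted digest and salts zero-filled, and the function names are assumptions.

```python
import struct

# LUKS1 on-disk header (big-endian): 208 bytes of fixed fields, then 8 key
# slots of 48 bytes each, 592 bytes in total at the start of the partition.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1(buf):
    if len(buf) < PHDR.size + 8 * SLOT.size:
        raise ValueError("short read: a LUKS1 header is 592 bytes")
    (magic, version, cipher, mode, hash_spec, payload, key_bytes,
     _mk_digest, _mk_salt, mk_iter, uuid) = PHDR.unpack_from(buf, 0)
    if magic != MAGIC:
        raise ValueError("no LUKS magic")
    if version != 1:
        raise ValueError(f"version {version}: not the LUKS1 layout")
    slots = []
    for i in range(8):
        active, iters, _salt, km_off, stripes = SLOT.unpack_from(
            buf, PHDR.size + i * SLOT.size)
        if active not in (SLOT_ENABLED, SLOT_DISABLED):
            raise ValueError(f"key slot {i}: corrupt state marker")
        slots.append({"enabled": active == SLOT_ENABLED, "iterations": iters,
                      "km_offset": km_off, "stripes": stripes})
    return {"cipher": cstr(cipher), "mode": cstr(mode), "hash": cstr(hash_spec),
            "payload_offset": payload,        # in 512-byte sectors
            "mk_bits": key_bytes * 8, "mk_iterations": mk_iter,
            "uuid": cstr(uuid), "slots": slots}

def sample_header():
    """Constructed header; redacted digest and salts are zero-filled."""
    hdr = PHDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 32768, 32,
                    bytes(20), bytes(32), 500000,
                    b"91d99fbc-a325-498b-86aa-18c03348fc82")
    slot0 = SLOT.pack(SLOT_ENABLED, 9000000, bytes(32), 8, 4000)
    return hdr + slot0 + SLOT.pack(SLOT_DISABLED, 0, bytes(32), 0, 4000) * 7
```

On a real system the same parser can be fed the first 592 bytes read from the block device, which requires read access to it.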

cryptsetup is a useful CLI tool that can manage LUKS devices.

Links

LUKS1 specifications: https://gitlab.com/cryptsetup/cryptsetup/-/raw/master/docs/on-disk-format.pdf

LUKS2 specifications: https://gitlab.com/cryptsetup/cryptsetup/-/raw/master/docs/on-disk-format-luks2.pdf

A comparison of LUKS1 and LUKS2: https://www.baeldung.com/linux/luks1-vs-luks2

cryptsetup's repository: https://gitlab.com/cryptsetup/cryptsetup

Wikipedia page on LUKS: http://en.wikipedia.org/wiki/Linux_Unified_Key_Setup

Arch Wiki on DM-crypt, related to LUKS: https://wiki.archlinux.org/title/Dm-crypt

LUKS (Linux Unified Key Setup) is a disk-encryption specification. It is the standard for Linux hard disk encryption. LUKS stores all necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly.

Website: http://code.google.com/p/cryptsetup/

Wikipedia: http://en.wikipedia.org/wiki/Linux_Unified_Key_Setup

LUKS (Linux Unified Key Setup) is a disk-encryption specification. It is the standard for Linux hard disk encryption. LUKS stores all necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly.

Website: https://gitlab.com/cryptsetup/cryptsetup

Wikipedia: http://en.wikipedia.org/wiki/Linux_Unified_Key_Setup
