
Questions specific to the LUKS (Linux Unified Key Setup) disk-encryption specification in general, such as setup questions or questions about how LUKS works. Use this tag if your question directly involves LUKS disk encryption; do not use it if you just happen to be using a LUKS-encrypted disk and your question is about a specific Linux configuration.

LUKS (Linux Unified Key Setup) is a disk-encryption specification. It is the standard for Linux hard disk encryption. LUKS stores all the setup information it needs in the partition header, enabling the user to transport or migrate their data seamlessly.

There are two versions of the LUKS specification, LUKS1 and LUKS2, the former now kept for compatibility purposes. LUKS1 only supports the PBKDF2 (Password-Based Key Derivation Function 2) algorithm, while LUKS2 supports additional key derivation functions such as Argon2, which is the recommended choice: it is safer because it is deliberately memory-hungry, which makes brute-force guessing of the passphrase more expensive.

Both have headers that store important metadata such as the encryption algorithm and the keyslots. LUKS1 stores all of its metadata in one block at the beginning of the partition, while LUKS2 stores it in several sections, which allows redundant copies that are useful in case part of the header is corrupted.

The header can be viewed with cryptsetup luksDump [device].
The following output shows the header data of a LUKS2-encrypted partition:

LUKS header information
Version:        2
Epoch:          12881
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           8b46a37c-db28-4f62-b577-c8d7229374e1
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     588842
        Threads:    4
        Salt:       [redacted]
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 200000
        Salt:       [redacted]
        Digest:     [redacted]

This is an example of a LUKS1-encrypted partition's data:

LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 32768
MK bits:        256
MK digest:      [redacted]
MK salt:        [redacted]
MK iterations:  500000
UUID:           91d99fbc-a325-498b-86aa-18c03348fc82

Key Slot 0: ENABLED
        Iterations:             9000000
        Salt:                   [redacted]
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

cryptsetup is a useful CLI tool that can manage LUKS devices.
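As an added example (not part of the original tag wiki or of cryptsetup itself), the following Python script shows where the fields in the LUKS1 luksDump output above actually live in the 592-byte binary header, and how the LUKS1 and LUKS2 headers are told apart by their shared magic and version field. It parses a constructed sample header that mirrors the LUKS1 dump; the digest and salt bytes are placeholders standing in for the redacted values, and the layout follows the public LUKS1 on-disk-format specification linked below.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"             # primary header magic, shared by LUKS1 and LUKS2
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # magic of the LUKS2 backup header copy
KEYSLOT_ENABLED, KEYSLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

# LUKS1 phdr layout (on-disk-format.pdf), all integers big-endian:
# magic[6] version(u16) cipher[32] mode[32] hash[32] payload_offset(u32, sectors)
# key_bytes(u32) mk_digest[20] mk_salt[32] mk_iterations(u32) uuid[40], then 8 keyslots
PHDR = ">6sH32s32s32sII20s32sI40s"
# keyslot: active(u32) iterations(u32) salt[32] key_material_offset(u32, sectors) af_stripes(u32)
KEYSLOT = ">II32sII"
PHDR_SIZE = struct.calcsize(PHDR) + 8 * struct.calcsize(KEYSLOT)  # 208 + 8 * 48 = 592

def cstr(raw):
    """Decode a NUL-padded fixed-width ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")

def luks_version(header):
    """1 or 2 for a primary header, 'luks2-secondary' for a LUKS2 backup copy, None otherwise."""
    if header[:6] == LUKS2_SECONDARY_MAGIC:
        return "luks2-secondary"
    if header[:6] != LUKS_MAGIC:
        return None
    return struct.unpack(">H", header[6:8])[0]

def parse_luks1(header):
    """Map the binary LUKS1 header onto the fields that cryptsetup luksDump prints."""
    if luks_version(header) != 1:
        raise ValueError("not a LUKS1 primary header")
    _, _, cipher, mode, hsh, payload_off, key_bytes, _digest, _salt, iters, uid = \
        struct.unpack_from(PHDR, header, 0)
    slots = []
    for i in range(8):  # keyslot table starts right after the 208-byte fixed part
        active, it, _ssalt, km_off, stripes = struct.unpack_from(KEYSLOT, header, 208 + 48 * i)
        slots.append({"enabled": active == KEYSLOT_ENABLED, "iterations": it,
                      "key_material_offset": km_off, "af_stripes": stripes})
    return {"cipher_name": cstr(cipher), "cipher_mode": cstr(mode), "hash_spec": cstr(hsh),
            "payload_offset": payload_off, "mk_bits": key_bytes * 8, "mk_iterations": iters,
            "uuid": cstr(uid), "keyslots": slots}

def build_sample_luks1_header():
    """Constructed sample mirroring the LUKS1 dump; digest/salt bytes are placeholders."""
    hdr = struct.pack(PHDR, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 32768, 32,
                      b"\x11" * 20, b"\x22" * 32, 500000, b"91d99fbc-a325-498b-86aa-18c03348fc82")
    hdr += struct.pack(KEYSLOT, KEYSLOT_ENABLED, 9000000, b"\x33" * 32, 8, 4000)  # Key Slot 0
    hdr += struct.pack(KEYSLOT, KEYSLOT_DISABLED, 0, b"\0" * 32, 0, 0) * 7      # Slots 1-7
    return hdr

if __name__ == "__main__":
    # On a real system: open("/dev/sda3", "rb").read(PHDR_SIZE) needs root; the sample avoids that.
    print(parse_luks1(build_sample_luks1_header()))
```

Everything the parser prints is stored in cleartext on disk, which is why a damaged header makes the data unrecoverable and why cryptsetup offers luksHeaderBackup.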

Links

LUKS1 specifications: https://gitlab.com/cryptsetup/cryptsetup/-/raw/master/docs/on-disk-format.pdf

LUKS2 specifications: https://gitlab.com/cryptsetup/cryptsetup/-/raw/master/docs/on-disk-format-luks2.pdf

cryptsetup's repository: https://gitlab.com/cryptsetup/cryptsetup

Wikipedia page on LUKS: http://en.wikipedia.org/wiki/Linux_Unified_Key_Setup

Arch Wiki on DM-crypt, related to LUKS: https://wiki.archlinux.org/title/Dm-crypt