17

I was searching for a valid and still up-to-date way of encrypting hard disks. After some research I encountered LUKS and decided to give it a shot. So I looked up some examples of how to properly encrypt an HDD with it, like this:

cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda3

The --cipher and --hash part of it was most interesting for me, so I tried to inform myself regarding different ciphers and hashes that are specifically usable for LUKS. I couldn't find any useful information besides opening a file which shows the available encryption forms in a machine-friendly formatting for the currently used Linux. But as I was told even this file is probably missing the full extent of all encryption ways besides it being very hard to read for someone who doesn't deal with it on a daily basis, anyway.

My question: is there a full list of ciphers/hashes for LUKS encryption?

One that simply shows me what I can choose... and maybe gives a short description on what exactly the differences between those different ways are.

Akito
  • 558
  • 1
    I'm voting to close this question as off-topic because it's about using and configuring LUKS and the Linux kernel, not about the cryptography that these tools use. It would be on-topic on [unix.se]. I've flagged this question for migration, please do not repost unless it gets closed without migration. – Gilles 'SO- stop being evil' Mar 29 '17 at 21:12
  • I specifically chose the Cryptography area, because my question is directed towarda ciphers and hashes. I took the "tour" for this area and it literally has it in the "Questions you should ask:" slot. Look it up, if you want. – Akito Mar 29 '17 at 21:18
  • That's why I didn't put the question in Unix & Linux because it would be off-topic there.... – Akito Mar 29 '17 at 21:20
  • gives a short description on what exactly the differences between those different ways are This is the only part of your question that is on-topic. What's the main difference between AES and Twofish? Well, AES uses a substitution permutation network while Twofish uses a Feistel network. Based on this information, you should clearly select AES because there is nothing wrong with a Feistel network in principle. – DepressedDaniel Mar 30 '17 at 01:49

2 Answers2

12

That's basically up to your kernel, so "See /proc/crypto" is supposed to be "the answer." The cryptsetup man page says this:

NOTES ON SUPPORTED CIPHERS, MODES, HASHES AND KEY SIZES

   The available combinations of ciphers, modes, hashes and key  sizes  depend
   on  kernel  support.  See /proc/crypto for a list of available options. You
   might need to load additional kernel crypto modules in order  to  get  more
   options.

   For  the  --hash option, if the crypto backend is libgcrypt, then all algo‐
   rithms supported by the gcrypt library are  available.   For  other  crypto
   backends some algorithms may be missing.

However, my /proc/crypto doesn't mention any serpent, or xts(aes), so instead I'd recommend seeing what cryptsetup benchmark reports (and it would show (ram) speeds too). For example:

$ cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1       292752 iterations per second
PBKDF2-sha256     221362 iterations per second
PBKDF2-sha512     142010 iterations per second
PBKDF2-ripemd160  277124 iterations per second
PBKDF2-whirlpool  155727 iterations per second
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   128b   164.7 MiB/s   164.5 MiB/s
 serpent-cbc   128b   119.5 MiB/s   205.0 MiB/s
 twofish-cbc   128b   163.5 MiB/s   208.6 MiB/s
     aes-cbc   256b   148.4 MiB/s   147.9 MiB/s
 serpent-cbc   256b   128.1 MiB/s   205.3 MiB/s
 twofish-cbc   256b   202.3 MiB/s   213.1 MiB/s
     aes-xts   256b   165.4 MiB/s   145.3 MiB/s
 serpent-xts   256b   150.0 MiB/s   194.5 MiB/s
 twofish-xts   256b   206.4 MiB/s   206.9 MiB/s
     aes-xts   512b   149.4 MiB/s   147.5 MiB/s
 serpent-xts   512b   181.7 MiB/s   195.0 MiB/s
 twofish-xts   512b   207.1 MiB/s   208.6 MiB/s

The hashes are the first few lines (sha1, sha256, sha512, ripemd160, whirlpool). Ciphers are under the Algorithm header.

Looking at what the defaults are gives a good idea of what's considered "pretty good" too:

$ cryptsetup --help|tail -n 8
Default compiled-in key and passphrase parameters:
    Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF2 iteration time for LUKS: 1000 (ms)

Default compiled-in device cipher parameters:
    loop-AES: aes, Key 256 bits
    plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
    LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha1, RNG: /dev/urandom

And using a higher key size (with --key-size) should only be stronger, if slightly slower. 

   --key-size, -s <bits>
          Sets  key  size in bits. The argument has to be a multiple of 8.
          The possible key-sizes are limited by the cipher and mode used.

          See /proc/crypto for more information.  Note  that  key-size  in
          /proc/crypto is stated in bytes.
Xen2050
  • 2,354
  • 2
    That's exactly what I complained about... /proc/crypto is highly unreadable and therefore useless. Some ciphers are even twice in the list and I don't know why. – Akito Apr 09 '17 at 01:54
  • Ah, I wasn't sure, wasn't in the question, but that's definitely a concern, even a web search about /proc/crypto doesn't reveal any obvious guides. I'm noticing some differences, and I think cryptsetup uses block ciphers only, for encrypting disk blocks, so the 'type: blkcipher' ones seem logical. But I'm also noticing mine doesn't mention any serpent, or xts-aes... but I've got another idea that might be better, I'll edit it into the answer – Xen2050 Apr 09 '17 at 04:13
5

in reference to the work of user notdavidcronenberg: The only answer I found is in the document LUKS On-Disk Format Specification (PDF).

Valid cipher names

Valid cipher modes

  • ecb The cipher output is used directly.
  • cbc-plain The cipher is operated in CBC mode. The CBC chaining is cut every sector, and reinitialised with the sector number as initial vector (converted to 32-bit and to little-endian). This mode is specified in [Fru05b], Chapter 4.
  • cbc-essiv:{hash} The cipher is operated in ESSIV mode using hash for generating the IV key for the original key. For instance, when using sha256 as hash, the cipher mode spec is “cbcessiv:sha256”. ESSIV is specified in [Fru05b], Chapter 4.
  • xts-plain64 plain64 is 64-bit version of plain initial vector

Valid hash specifications

Cyrbil
  • 389
  • 1
  • 4
  • 10
opinion_no9
  • 261