LUKS options: A recommendation

2023-10-01

Every so often I need to set up an encrypted storage drive, be it internal or external. I don't do this enough to actually remember what settings I should use, and so every time I actually have to do it I always go down a rabbit hole of recommendations both for and against certain options.

Here's what I found this time.

DO NOT USE

Due to known vulnerabilities, attacks, or other issues, here are the options you should not use:

  • cipher: aes-cbc (vulnerable to bit-flipping attacks that modify the ciphertext)
  • cipher: aes-ecb (or any ECB, for that matter)

Consider switching

If you are using the following, consider switching in the near future:

  • hash: sha1 (only 160-bit, vulnerable to length extension attacks)
  • hash: ripemd160 (only 160-bit)
  • pbkdf: argon2i (more vulnerable to TMTO attacks than argon2id)
  • pbkdf: argon2d (more vulnerable to side-channel attacks than argon2id)
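
To check an existing volume against the two lists above, here is an added example (not part of the original post) that reads `cryptsetup luksDump` text and flags those ciphers, hashes and PBKDFs. The function name, the output labels and the sample header excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `cryptsetup luksDump` text (stdin) against the lists above.
# Exit status: 2 = "do not use" item found, 1 = "consider switching", 0 = neither.
audit_luks_dump() {
    awk '
    function flag(level, msg) {
        if (!seen[level msg]++) print level ": " msg   # report each finding once
        if (rank[level] > worst) worst = rank[level]
    }
    BEGIN { rank["DO-NOT-USE"] = 2; rank["CONSIDER-SWITCHING"] = 1; worst = 0 }
    {
        # Split "Key:   value" on the first colon and trim both sides.
        line = tolower($0)
        n = index(line, ":")
        if (n == 0) next
        key = substr(line, 1, n - 1); val = substr(line, n + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
    }
    # LUKS1 prints "Cipher mode:", LUKS2 prints "cipher:" / "Cipher:" with the full spec.
    key == "cipher" || key == "cipher mode" {
        if (val ~ /cbc/) flag("DO-NOT-USE", "cipher " val " (CBC)")
        if (val ~ /ecb/) flag("DO-NOT-USE", "cipher " val " (ECB)")
    }
    key == "hash" || key == "hash spec" || key == "af hash" {
        if (val == "sha1" || val == "ripemd160") flag("CONSIDER-SWITCHING", "hash " val)
    }
    key == "pbkdf" {
        if (val == "argon2i" || val == "argon2d") flag("CONSIDER-SWITCHING", "pbkdf " val)
    }
    END { exit worst }
    '
}

# Constructed, abbreviated luksDump excerpts (not from a real device).
SAMPLE_LUKS1='Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1'
SAMPLE_LUKS2='Version:        2
        cipher: aes-xts-plain64
        PBKDF:      argon2id
        Hash:       whirlpool'

# Demo: on a real system, pipe `cryptsetup luksDump /dev/sdX` into the function instead.
printf '%s\n' "$SAMPLE_LUKS1" | audit_luks_dump || echo "status: $?"
printf '%s\n' "$SAMPLE_LUKS2" | audit_luks_dump && echo "nothing flagged"
```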

DO USE

  • cipher: aes-xts-plain64
  • hash: any 512-bit hash function such as sha3-512 or whirlpool (because of AES, the actual size is 256).
  • iter-time: more is always better, but it makes opening the drive slower. Default is 2000.

The type and PBKDF depend on whether you need to boot from the drive. As of 2023, argon2id is still not supported by most bootloaders, which means that you won't be able to boot from a drive that uses it. When it comes to type (either luks1 or luks2), the last time I checked, luks2 also didn't work for booting, but that might be different now. If you don't need to boot, use argon2id.

So, we end up with two recommendations.

For drives that need to boot:

# cryptsetup luksFormat \
--cipher aes-xts-plain64 \
--key-size 512 \
--hash whirlpool \
--iter-time 2048 \
--type luks1 \
--use-random \
/dev/sda

Note: when the type is luks1, PBKDF2 is used by default; luks1 doesn't support anything else.

For drives that don't need to boot:

# cryptsetup luksFormat \
--cipher aes-xts-plain64 \
--key-size 512 \
--hash whirlpool \
--iter-time 4096 \
--type luks2 \
--pbkdf argon2id \
--use-random \
/dev/sdb

Here, I've chosen whirlpool because it has fewer iterations per second. If you want SHA-512 instead I'd say at least use sha3-512.

--use-random is equivalent to --use-urandom now that the /dev/random blocking pool has been removed.

Feel free to up the iter-time if you'd like to wait longer (it's in milliseconds). I would avoid decreasing it, however.

Cheers.