LUKS is a good choice when it comes to encryption. It’s an extension for plain dm-crypt and has a couple of advantages to give extra security and features.
How does a drive look like after being entirely encrypted with LUKS?
The first part of the drive contains the LUKS header (a few MB’s) with 8 keyslots, followed by the data area. The header is not secret, so not encrypted. The rest of the drive will look like random data.
What’s in the header and what does ‘detached’ mean?
The LUKS header stores important information which is needed to decrypt the LUKS device. That includes metadata, the keyslots and the SALT.
When using a default LUKS device, the header is stored on the same device as the data area. It is possible to detach the header and therefore store it on a different disk.
Why detaching the header?
There are some security advantages that we gain by using a detached header.
- The encrypted data disk looks like random data. As there is no header, nothing will indicate that this is a LUKS device.
- It is absolutely NOT POSSIBLE to decrypt the LUKS device without the header because of the SALT in it. No known technology could decrypt the device without the SALT. That’s a very strong cryptographically NOT POSSIBLE. It would take something far beyond quantum computing.
What is a SALT?
The SALT is a random key with 256 bits, stored in the LUKS header (not kept secret). It will be used together with the passphrase when decrypting a LUKS device. The SALT will be appended to the passphrase.
Setting up a LUKS device with a detached header
We assume that we have 2 devices. We are working as root and the procedure will erase existing data on those drives. We want the data area to be on sda and the header on sdb (small SD card for example).
Creating the LUKS device
cryptsetup luksFormat /dev/sda --header /dev/sdb --align-payload=0
Opening the device
cryptsetup luksOpen /dev/sda --header /dev/sdb Luks
Creating a file system within the LUKS device
Mounting the device
mount /dev/mapper/Luks /mnt/
Un-mounting and closing the LUKS device
cryptsetup luksClose /dev/mapper/Luks
More information about LUKS can be found here.