31

I am curious about the following claim from the Cryptsetup FAQ:

2.4 What is the difference between "plain" and LUKS format?

First, unless you happen to understand the cryptographic background well, you should use LUKS. It does protect the user from a lot of common mistakes. Plain dm-crypt is for experts.

After reading through the manual I can see the benefit of LUKS in particular situations. However, I do NOT see the need to "understand the cryptographic background" to use plain dm-crypt.

From reading the manual, I understand that:

  • There are some things done in LUKS (like hashing) that don't happen in plain dm-crypt. The result is that I need a bit more entropy in my passphrase to make it safe.
  • In plain mode you can argue it's easier to accidentally overwrite encrypted data.

The second point is not really related to understanding cryptography, and it doesn't seem to require expert cryptography knowledge to prevent this (note that I do agree that this is a risk and it can easily happen, even to the best, but I would just argue that having or not having expert cryptography knowledge does not have much of an impact).

So on to the first point. In the same manual the following is stated:

5.12 What about iteration count with plain dm-crypt?

Simple: There is none. There is also no salting. If you use plain dm-crypt, the only way to be secure is to use a high entropy passphrase. If in doubt, use LUKS instead.

This implies to me that the only thing that is needed to have a secure setup with plain dm-crypt, cryptography-wise, is to use a high entropy passphrase (higher than what could be used in LUKS for the same level of security). Again, it doesn't take rocket science to understand or apply this.

Likely, I am not understanding or capturing something important here, but my question is therefore: what is the kind of cryptography knowledge required that makes dm-crypt only recommended to experts? If I stick to standard operations, and I do not require any of the features from LUKS, what risks am I as a non-expert taking?

please delete me

3 Answers

39

If I stick to standard operations, and I do not require any of the features from LUKS, what risks am I as a non-expert taking?

LUKS partitions have a header that ensures such a partition won't be seen as ext2, vfat, etc. A plain dm-crypt partition may coincidentally end up looking like an unencrypted filesystem, and has a chance of being written to accidentally, destroying your data.

LUKS checks if you entered the correct passphrase. If you put in the wrong passphrase, plain dm-crypt won't pick up on this; instead, it will happily give you garbled crypto-mapping which may also coincidentally look like an unencrypted filesystem, and has a chance of being written to accidentally, destroying your data.

LUKS stores the type of encryption used, while dm-crypt requires you to supply the same options each time. If, after a period of not using your encrypted device, you find there are a few gaps in your recollection of what the password was, and it turns out you forgot the encryption options as well, you are doubly hosed (this happened to me personally before LUKS existed; the encrypted data wasn't so important so I just reformatted after unsuccessfully trying to get in for an hour or so).

Also, there may have been a period during the development of cryptsetup in which essiv was not the default for dm-crypt, but was for LUKS, and the documentation you are reading may have been intended to allude to that.

Finally, some of the options of LUKS do things that are important from a security standpoint. For example, suppose you fall asleep while authenticating with gmail and accidentally type in your drive password. In dm-crypt there is no way to change the password without re-encrypting your whole device (and doing so in-place is risky, since a system crash or power loss event will leave you with a guaranteed hosed system). With LUKS, you can change the password.

Atsby
  • 1
    Thanks! However, from your explanation I feel that it is a bit misleading in the referenced FAQ if they say that you have to be an expert to use plain dm-crypt. It seems that it would be better to phrase it that you have to be a cautious user, or risk losing data through trivial errors, if you want to use plain dm-crypt. Expert-understanding of cryptography seems to be a bit of a stretch. – please delete me May 30 '15 at 11:05
  • 7
    Sounds like you misread it, and the intention was to say "Plain dm-crypt is for expert **computer users**", not expert cryptographers. – Dan Getz May 30 '15 at 22:37
  • 2
    While I agree with this answer, I think the chance of a randomized block device being recognized as a valid filesystem is overwhelmingly small. – forest Jun 16 '18 at 00:31
4

I feel this should be mentioned, here.

By far the most questions searched about cryptsetup and LUKS problems are from people that have managed to damage the start of their LUKS partitions, the LUKS header. If the LUKS header is lost or corrupt (which happens more often than you'd like), it is impossible to recover the data even if you have the key! Make sure you understand the problem and limitations imposed by the LUKS security model BEFORE you're faced with such a miserable situation.

That may not exactly answer the question, why is plain dm-crypt only for experts? But from some people's perspective, you're an 'expert' once you've been through the above scenario with LUKS and realized that, in many use cases, plain dm-crypt is far superior. It reliably encrypts (and does do password hashing) and if you know what you're doing you can change the cipher parameters to what suits you.

Expert sysops should understand that the lack of a LUKS header prevents many tools from knowing that the drive is encrypted. To some, that's a valuable feature. Why go through the bother of encrypting something if everyone knows it's encrypted, and with what cipher name and mode (which is easy to obtain from a valid/backup LUKS header without a key)? In many cases, LUKS is far less secure AND less reliable.

Atsby touched on another, older view of plain dm-crypt, in that aes cbc (without essiv) is considered unsafe. That's expert cryptographer stuff. This explains that fairly well, imho; XTS vs AES-CBC with ESSIV for file-based filesystem encryption

Anonymous
    I'm pretty confident that arguing that plain dm-crypt is **superior** because it does not have a header that can be damaged is counter-intuitive. Encryption is not about creating a cypher, there's also **key management** and the LUKS header exists for the purpose of key management. Therefore **saying that something without key management is less secure than something with key management features is plain wrong**. – grochmal Jan 18 '17 at 22:50
  • 1
    Not having a LUKS header can help you to deny that your disk is not encrypted, should your computer be confiscated. Effectively, not having a LUKS header can possibly save you from being tortured to release your passwords. – caveman Apr 29 '20 at 14:50
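
An added example, not part of either answer above and not cryptsetup's own code: a Python parser for the fixed fields of a LUKS1 header. It shows the two properties the answers discuss: a tool can tell a LUKS device from anything else by its magic bytes, and the cipher name and mode are readable without a key. The field layout follows the LUKS1 on-disk format; the function names and both sample inputs are constructed for illustration.

```python
import hashlib
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# Fixed LUKS1 header fields, big-endian: magic[6], version(u16),
# cipher-name[32], cipher-mode[32], hash-spec[32], payload-offset(u32),
# key-bytes(u32), mk-digest[20], mk-digest-salt[32], mk-digest-iter(u32), uuid[40]
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")

def _text(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def inspect_header(first_bytes: bytes) -> dict:
    """Report what the start of a device reveals without any passphrase."""
    if not first_bytes.startswith(LUKS_MAGIC):
        # Plain dm-crypt, random data or anything else: no marker to find.
        return {"format": "no LUKS header"}
    if len(first_bytes) < 8:
        raise ValueError("truncated header")
    version = struct.unpack_from(">H", first_bytes, 6)[0]
    if version != 1:
        # LUKS2 keeps its metadata in a different layout, not parsed here.
        return {"format": "LUKS", "version": version}
    if len(first_bytes) < PHDR.size:
        raise ValueError("truncated LUKS1 header")
    f = PHDR.unpack_from(first_bytes)
    return {
        "format": "LUKS", "version": 1,
        "cipher": _text(f[2]), "mode": _text(f[3]), "hash": _text(f[4]),
        "payload_offset_sectors": f[5], "key_bytes": f[6],
        "mk_digest_iterations": f[9], "uuid": _text(f[10]),
    }

# Constructed samples: a LUKS1 header with placeholder values, and 512 bytes
# of pseudo-random filler standing in for the start of a plain dm-crypt device.
SAMPLE_LUKS1 = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                         4096, 64, bytes(20), bytes(32), 100000,
                         b"00000000-0000-0000-0000-000000000000")
SAMPLE_PLAIN = hashlib.sha256(b"constructed filler").digest() * 16

if __name__ == "__main__":
    print(inspect_header(SAMPLE_LUKS1))
    print(inspect_header(SAMPLE_PLAIN))
```

To look at a real device or image, pass the bytes returned by reading `PHDR.size` bytes from its start.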
-3

Plain dm-crypt does not use salt, which means that if you cipher the same data with the same password you end up with the same result. That is a big weakness, especially if the attacker knows you encrypted a file system; he can guess how your data looks and try keys to see if it matches.
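
An added example, not part of any post on this page and not cryptsetup's own code: a Python model of the "no salt, no iteration count" point from FAQ item 5.12 quoted in the question and from the answer above. It compares an unsalted single hash of the passphrase with a salted, iterated PBKDF2 derivation of the kind LUKS1 uses for its key slots. SHA-256 as the hash, the iteration count and all names are assumptions chosen for illustration.

```python
import hashlib
import math
import os
import time

ITERATIONS = 100_000  # assumed PBKDF2 iteration count, for illustration only

def plain_key(passphrase: bytes, key_bytes: int = 32) -> bytes:
    """Plain-mode model: one unsalted hash, truncated to the key size."""
    return hashlib.sha256(passphrase).digest()[:key_bytes]

def salted_key(passphrase: bytes, salt: bytes, key_bytes: int = 32) -> bytes:
    """LUKS1-style model: salted, iterated PBKDF2 in front of the key slot."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITERATIONS, key_bytes)

def seconds_per_derivation(derive, rounds: int) -> float:
    """Average wall-clock cost of one derivation over `rounds` candidates."""
    start = time.perf_counter()
    for i in range(rounds):
        derive(b"candidate-%d" % i)
    return (time.perf_counter() - start) / rounds

def compare(passphrase: bytes = b"constructed sample passphrase") -> dict:
    salt_a, salt_b = os.urandom(32), os.urandom(32)  # one random salt per device
    t_plain = seconds_per_derivation(plain_key, 20_000)
    t_salted = seconds_per_derivation(lambda p: salted_key(p, salt_a), 5)
    slowdown = t_salted / t_plain
    return {
        # No per-device input exists, so the same passphrase always gives the same key.
        "plain_keys_match_across_devices":
            plain_key(passphrase) == plain_key(passphrase),
        "salted_keys_match_across_devices":
            salted_key(passphrase, salt_a) == salted_key(passphrase, salt_b),
        "slowdown_per_guess": slowdown,
        # Rough passphrase entropy that plain mode must add to offset the missing work.
        "extra_passphrase_bits": math.log2(slowdown),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The measured slowdown depends on the machine; the point is that every bit of work the key derivation does not do has to come from the passphrase instead.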