|
|
| (One intermediate revision by the same user not shown) |
| Line 1: |
Line 1: |
| THIS PAGE IS A DRAFT ! Information on this page is in need of further research and refinement ! | | THIS PAGE IS A DRAFT ! Information on this page is in need of further research and refinement ! |
|
| |
|
| This page will need to be split into " difficulty teirs " and since it's the first page this has been needed on , it makes it an excellent test subject to figure out the best way to do so . | | This page will need to be split into " difficulty tiers " and since it's the first page this has been needed on , it makes it an excellent test subject to figure out the best way to do so . |
|
| |
|
| = Beginners Guide to Decent LUKS Security on Linux =
| | This page is written with [[Tiers|Intermediate]] users in mind, but of course everyone is encouraged to try to understand. |
| If you just want to know the " best " command to run , you can skip to the bottom . But reading this post is encouraged , as it will give you a better understand of what the options do , and how they will affect the security of your data !
| |
|
| |
|
| If you want even more info on this topic , check the cryptsetup FAQ , as good amount of this information is pulled from there !
| | For more more info on this topic, check the cryptsetup FAQ, the Arch Wiki, or the [[Luks (Advanced)|Advanced Guide]]. '''TODO !!! LINK THESE''' |
|
| |
|
| For more information on how to use LUKS tools , the arch wiki is a great resource .
| | = Guide to Decent LUKS Security on Linux = |
| | If you just want to know the "best" command to run, you can skip to the bottom. But reading this Guide is encouraged, as it will give you a better understand of what the options do, and how they will affect the security of your data! |
|
| |
|
| == Ciphers == | | == Ciphers == |
| Ciphers are the algorithms that encrypt the data that will be written to the disk . Picking one that is resistant to attacks is critical , as otherwise your data is potentially vulnerable , even without the key . | | Ciphers scramble the files that will be saved, so it's important to pick a good one. Computers have had, for many decades now, built in support for AES, making it the fastest and most secure option for pretty much everyone. |
| | |
| Of the widely supported options , generally the two worth considering are Serpent and AES . Twofish ''may'' be better in lower-security applications where there's no AES acceleration ''and'' writes happen more often than reads , but generally , not a great option .
| |
| | |
| Serpent may theoretically be more secure , though in practice its potential advantages seem pretty minimal . It also hasn't been tested as much as AES , so it ''may'' have potential vulnerabilities not yet known about .
| |
| | |
| Another consideration is the actual implementation . Serpent has potential vulnerabilities depending on the details of the implementation . Without looking into the specific implementation in-depth , it's hard to say how secure it is .
| |
| | |
| On the other hand , having hardware acceleration for AES has a number of advantages for security , most notably resistance to side channel attacks , and of course , speed . Some chips however , ( usually not x86 ) , do not have hardware accelerated AES . It's also possible that your CPU may have a vulnerability , so that's something you want to look into . Not currently aware of anything like this , though some Ryzen chips recently had an AES vulnerability that allowed unauthorized microcode to be installed . To be very clear , this has been patched with a microcode update , and is also not directly relevant to use in disk unlocking . Practically speaking , the advantages of having hardware accelerated AES likely make it more secure than using Serpent in nearly all cases .
| |
|
| |
|
| == On-disk Format == | | == On-disk Format == |
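Review bot: the rewritten Ciphers paragraph (right column of the "== Ciphers ==" row) loses precision and drops a caveat the old text had. "Ciphers scramble the files that will be saved" is inaccurate for LUKS, which encrypts disk sectors below the filesystem, so the old wording "encrypt the data that will be written to the disk" should be kept. The new text also states AES is "the fastest and most secure option for pretty much everyone" while the old column explicitly noted that "Some chips however, (usually not x86), do not have hardware accelerated AES" and that acceleration is what gives AES its side-channel resistance and speed; that caveat should survive the rewrite, ideally with a pointer to `cryptsetup benchmark` so readers can check whether their own machine accelerates AES before choosing. Two smaller points: the grammar error "give you a better understand of what the options do" from the old intro is carried over unchanged into the new "Guide to Decent LUKS Security on Linux" intro row and should read "a better understanding of", and the new "For more more info on this topic" row both doubles "more" and leaves the bolded "TODO !!! LINK THESE" in reader-facing text, which should be resolved or moved to a talk page before the draft notice is removed.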