AUTHENTICATED DISK ENCRYPTION

[git70]

What do you think about adding the --integrity function when creating the LUKS2 volume? What encryption algorithms support authentication?

[mhogomchungu]

Will look into it, i am aware of its existence but never looked into it

I plan to make a new release on October 1st, 2019 and the feature will get in if its not too much work.

[mhogomchungu]

This feature is still experimental according changelog of version 2.1.0, relevant section of the changelog is below.

Unfinished things & TODO for next releases
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Optional authenticated encryption is still an experimental feature
  and can have performance problems for high-speed devices and device
  with larger IO blocks (like RAID).

* Authenticated encryption does not use encryption for a dm-integrity
  journal. While it does not influence data confidentiality or
  integrity protection, an attacker can get some more information
  from data journal or cause that system will corrupt sectors after
  journal replay. (That corruption will be detected though.)

* The LUKS2 metadata area increase is mainly needed for the new online
  reencryption as the major feature for the next release.

[git70]

Thanks for the info. I think it's better to wait for stable status ;)

[mhogomchungu]

A bit of progress on this feature, zuluCrypt now identify authenticated luks2 devices as "luks2+".

[git70]

WOW! :)

[mhogomchungu]

Its now possible to create an authenticated luks2 volume using zuluCrypt-cli, GUI support will follow but not anytime soon.

Implementing this feature in the GUI maybe a bit problematic. "Normal" luks2 volumes are created in constant time and the duration is independent of the volume size.

Authenticated luks2 volume requires the entire volume to be "wiped" when the volume is being created and this means the total time it will take to create a luks2+ volume will depend on the size of the volume and this could take a very long time if the volume is large enough.

zuluCrypt-cli show progress as seen below and zuluCrypt-gui will also have to show this progress and with the ability to cancel the whole operation and this will probably require a bit more thinking.

The last component of the "-g" options triggers the integrity functionality and also sets the hash function to be used.

[ink@mtz ~]$ /usr/bin/zuluCrypt-cli -ck -d /dev/XYZ -t luks2 -g /dev/urandom.aes.xts-plain64.512.sha512.0.hmac\(sha256\)
Enter passphrase: 
Re enter passphrase: 
----Starting to wipe an integrity device----
% complete: 5
% complete: 10
% complete: 15
% complete: 20
% complete: 25
% complete: 30
% complete: 35
% complete: 40
% complete: 45
% complete: 50
% complete: 55
% complete: 60
% complete: 65
% complete: 70
% complete: 75
% complete: 80
% complete: 85
% complete: 90
% complete: 95
% complete: 100
----Finish wiping an integrity device----
SUCCESS: Volume created successfully

Creating a backup of the "luks2" volume header is strongly adviced.
Please read documentation on why this is important

[ink@mtz ~]$ 

[git70]

Once you come up with a way to show the progress of the luks2+ operation, will the other types of operation (normal luks, dm-crypt, etc) also show the progress? I would be very happy, because soon I will be encrypting large disks (6-10TB) and it would be great to see progress ;)

Is it true that not all algorithms and modes are supported in authenticated mode? Information from the man cryptsetup:

1. "Some integrity modes requires two independent keys (key for encryption and for authentication). Both these keys are stored in one LUKS keyslot"
2. "only some modes available for now. Note that there are a very few authenticated encryption algorithms that are suitable for disk encryption".

[mhogomchungu]

Once you come up with a way to show the progress of the luks2+ operation, will the other types of operation (normal luks, dm-crypt, etc) also show the progress?

No, they don't need to show progress because they work in constant time(a few seconds) and the time is independent of the size of the volume.

With your 10TB drive for example:

1. It would take less than 3 seconds to create a plain dm-crypt volume.
2. It would take less than 5 seconds to create a luks2 volume.
3. It would take hours and hours and more hours to create a luks2+ volume and this is why these volumes need a progress indicator.

Is it true that not all algorithms and modes are supported in authenticated mode?

From what i have gathered so far from looking at the code, Yes.

According to cryptsetup code, a list of supported integrity hash algorithms and their sizes is here[1] and they will be usable only if they are also supported in the kernel[2].

This line[3] says integrity keysize can not be equal or greater than encryption key size and this means you can not create a volume with a 256bit key and use hmac(sha256) for integrity because both use 256bit key.

Of the combination that work, i do not know which ones are suitable for disk encryption but i think the one i used in my example above is one of the combinations that work. There is very little documentation out there about this feature.

[1] https://gitlab.com/cryptsetup/cryptsetup/blob/583d05e32a3579225875f72f51b70b9fa15c7f23/lib/utils_crypt.c#L88

[2] https://gitlab.com/cryptsetup/cryptsetup/blob/583d05e32a3579225875f72f51b70b9fa15c7f23/lib/setup.c#L1682

[3] https://gitlab.com/cryptsetup/cryptsetup/blob/583d05e32a3579225875f72f51b70b9fa15c7f23/lib/setup.c#L1629

[git70]

Indeed, this is a very experimental feature :( I'm afraid that it's not worth the risk in a production environment ;)