
Linux Unified Key Setup

Article snapshot taken from Wikipedia under the Creative Commons Attribution-ShareAlike license.

The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and originally intended for Linux.


LUKS implements a platform-independent standard on-disk format for use in various tools. This facilitates compatibility and interoperability among different programs and operating systems, and assures that they all implement password management in a secure and documented manner. LUKS is used to encrypt a block device. The contents of the encrypted device are arbitrary, and therefore any filesystem can be encrypted, including swap partitions. There

A LUKS2 header are null-terminated strings. Directly after the binary header comes the JSON area, containing the objects config (configuration), keyslots, digests, segments (describes encrypted areas on the disk), and tokens containing extra metadata. The binary format for regular LUKS2 keyslots is mostly similar to their predecessor, with the addition of different per-keyslot algorithms. Another type of key exists to allow redundancy in

A block device. Both methods have similar syntax:

Password management

A password manager is a software program to prevent password fatigue by automatically generating, autofilling and storing passwords. It can do this for local applications or web applications such as online shops or social media. Web browsers tend to have a built-in password manager. Password managers typically require

A metadata format. Available cryptographic algorithms depend on individual kernel support of the host. Libgcrypt can be used as a backend for hashing, which supports all of its algorithms. It is up to the operating system vendor to choose the default algorithm. LUKS1 makes use of an anti-forensics technique called AFsplitter, allowing for secure data erasure and protection. Logical Volume Management can be used alongside LUKS. A common usage of LUKS

A user to create and remember a single password to unlock the manager and access the stored passwords. Password managers can integrate multi-factor authentication. The first password manager software designed to securely store passwords was Password Safe, created by Bruce Schneier, which was released as a free utility on September 5, 1997. Designed for Microsoft Windows 95, Password Safe used Schneier's Blowfish algorithm to encrypt passwords and other sensitive data. Although Password Safe

A user-selected master password or passphrase to form the key used to encrypt passwords stored for the application to read. The security of this approach depends on the strength of the chosen password (which may be guessed through malware), and also on the passphrase itself never being stored locally where a malicious program or individual could read it. A compromised master password may render all of

Is a data breach at the password manager itself. If such an event were to occur, attackers could potentially gain access to a large number of user credentials. A 2022 security incident involving LastPass exemplifies this risk. Some password managers may include a password generator. Generated passwords may be guessable if the password manager uses a weak method of randomly generating a "seed" for all passwords generated by this program. There are documented cases, like

Is an unencrypted header at the beginning of an encrypted volume, which allows up to 8 (LUKS1) or 32 (LUKS2) encryption keys to be stored along with encryption parameters such as cipher type and key size. The presence of this header is a major difference between LUKS and dm-crypt, since the header allows multiple different passphrases to be used, with the ability to change and remove them. If

Is based on an enhanced version of cryptsetup, using dm-crypt as the disk encryption backend. Under Microsoft Windows, LUKS-encrypted disks can be used via the Windows Subsystem for Linux. (Formerly, this was possible with LibreCrypt, which currently has fundamental security holes, and which succeeded FreeOTFE, formerly DoxBox.) DragonFly BSD supports LUKS. Several Linux distributions allow

Is not a KDE, KaOS or Manjaro project. Calamares is very configurable using a mix of code modules and built-in tools. Distro developers can add their own branding and configuration to Calamares. However, some distro makers opt to leave the installer at its default look, feel and options.

Is to provide full disk encryption, which involves encrypting the root partition of an operating system installation, which protects the operating system files from being tampered with or read by unauthorized parties. On a Linux system, the boot partition (/boot) may be encrypted if the bootloader itself supports LUKS (e.g. GRUB). This is undertaken to prevent tampering with the Linux kernel. However,


The Live medium of Debian, and several lesser-known Linux distributions. It also has been used to automate the installation of command-line distributions and to make custom distros. Development was started in 2014 by Manjaro community member Teo Mrnjavac “with support from Blue Systems” and then picked up by KaOS. Calamares is currently maintained by the Calamares team, most of whom are KDE developers, and has no exclusive association with any Linux distribution. Calamares

The first-stage bootloader or an EFI system partition cannot be encrypted (see Full disk encryption#The boot key problem). On mobile Linux systems, postmarketOS has developed osk-sdl to allow a full disk encrypted system to be unlocked using a touch screen. For systems running systemd, the systemd-homed component can be used to encrypt individual home directories. The reference implementation for LUKS operates on Linux and

The "master password". Some password managers attempt to use virtual keyboards to reduce this risk, though this is still vulnerable to keyloggers that capture the keystrokes and send what key was pressed to the person or people trying to access confidential information. Cloud-based password managers offer a centralized location for storing login credentials. However, this approach raises security concerns. One potential vulnerability

The case that a re-encryption process is interrupted. Cryptsetup is the reference implementation of the LUKS frontend. To encrypt a device with the path /dev/sda1: To unlock an encrypted device, where name is the mapped device name: Re-encrypting a LUKS container can be done either with the cryptsetup tool itself, or with a legacy tool called cryptsetup-reencrypt. These tools can also be used to add encryption to an existing unencrypted filesystem, or remove encryption from

The header is lost or corrupted, the device will no longer be decryptable. Encryption is done with a multi-layer approach. First, the block device is encrypted using a master key. This master key is encrypted with each active user key. User keys are derived from passphrases, FIDO2 security keys, TPMs or smart cards. The multi-layer approach allows users to change their passphrase without re-encrypting

The master password used to access the password manager, granting full access to all stored credentials. Clipboard sniffers can capture sensitive information copied from the manager, and some malware might even steal the encrypted password vault file itself. In essence, a compromised device with password-stealing malware can bypass the security measures of the password manager, leaving the stored credentials vulnerable. As with password authentication techniques, key logging or acoustic cryptanalysis may be used to guess or copy

The one with Kaspersky Password Manager in 2021, where a flaw in the password generation method resulted in predictable passwords. A 2014 paper by researchers at Carnegie Mellon University found that while browsers refuse to autofill passwords if the login page protocol differs from when the password was saved (HTTP vs. HTTPS), some password managers insecurely filled passwords for the unencrypted (HTTP) version of saved passwords for encrypted (HTTPS) sites. Additionally, most managers lacked protection against iframe and redirection-based attacks, potentially exposing additional passwords when password synchronization

The protected passwords vulnerable, meaning that a single point of entry can compromise the confidentiality of sensitive information. This is known as a single point of failure. While password managers offer robust security for credentials, their effectiveness hinges on the user's device security. If a device is compromised by malware like Raccoon, which excels at stealing data, the password manager's protections can be nullified. Malware like keyloggers can steal

The relevant password web form. This option is now consequently ignored on encrypted sites by browsers such as Firefox 38, Chrome 34, and Safari from about 7.0.2.

Calamares (software)

Calamares is a free and open-source independent and "distribution-agnostic" system installer for Linux distributions. Calamares is used by NixOS, CachyOS, Garuda Linux, Huayra GNU/Linux, Manjaro, Netrunner, KaOS, KDE neon, Kubuntu, Lubuntu, Sabayon Linux, Chakra, EndeavourOS, Peppermint OS, Artix Linux, OpenMandriva Lx, Q4OS,

The root device to be encrypted upon OS installation. These installers include Calamares, Ubiquity, Debian-Installer, and more. LUKS headers are backward compatible; newer versions of LUKS are able to read headers of previous versions. LUKS2 devices begin with a binary header intended to allow recognition and fast detection by blkid, which also contains information such as checksums. All strings used in


The whole block device. Key slots can contain information to verify user passphrases or other types of keys. There are two versions of LUKS, with LUKS2 featuring resilience to header corruption, and using the Argon2 key derivation function by default, whereas LUKS1 uses PBKDF2. Conversion between both versions of LUKS is possible in certain situations, but some features may not be available with LUKS1, such as Argon2. LUKS2 uses JSON as

Was released as a free utility, due to export restrictions on cryptography from the United States, only U.S. and Canadian citizens and permanent residents were initially allowed to download it. As of October 2024, the built-in Google Password Manager in Google Chrome became the most used password manager. Some applications store passwords as an unencrypted file, leaving the passwords easily accessible to malware or people attempting to steal personal information. Some password managers require

Was used across multiple devices. Various high-profile websites have attempted to block password managers, often backing down when publicly challenged. Reasons cited have included protecting against automated attacks, protecting against phishing, blocking malware, or simply denying compatibility. The Trusteer client security software from IBM features explicit options to block password managers. Such blocking has been criticized by information security professionals as making users less secure. The typical blocking implementation involves setting autocomplete='off' on
