How secure is an encrypted LUKS filesystem?

encryption luks

Solution 1:

Yes, it is secure. Ubuntu uses AES-256 to encrypt the disk volume and has a cypher feedback to help protect it from frequency attacks and others attacks that target statically encrypted data.

As an algorithm, AES is secure and this has been proved by crypt-analysis testing. The weakness actually lies within the cypher and the software to pass it the keys. Specifically lies in the keystore (which is stored in the header of the volume), the keystore is secured by a passphrase. Passphrases are of course open to some attacks such as dictionary/brute force (if this was successful, it would decrypt the keystore). Using long "complex" non-word passwords would reduce the chance of this happening.

The only other possibility to decrypt is using recording devices or social engineering to determine your passphrase.

In short, your computer is reasonably safe unless you are subject to serious organised cyber crime or Government investigation!

Solution 2:

Here are two resources about attacks on this type of file system that seem to be interesting: http://dx.eng.uiowa.edu/dave/luks.php http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/

In short, the latter document describes that it is possible to inject a remote code execution backdoor into the LUKS setup created by the Ubuntu 12.04 installer. This attack only needs access to the encrypted hard drive (it does not rely on manipulating the unencrypted /boot partition or the BIOS).

While the attack is pretty bad, it does not apply to modern LUCS setups. The attack can only be applied if the block mode is CBC, for example if the cipher aes-cbc-essiv is used. Modern setups use other block modes, like the cipher aes-xts-plain64 (see this article on the ArchLinux wiki).

To check which cipher is used by your setup, run:

sudo cryptsetup status [device]

where [device] is your mapping, like /dev/mapper/sda3_crypt.

Solution 3:

I have created a Windows program that will perform a dictionary attack on Luks volumes. http://code.google.com/p/luks-volume-cracker/

Its slow by design, trying around 3 keys a second. Other dictionary attacks will be similarly slow, so unless you've chosen an easy passphrase the weakness will not be the algorithm.

Be aware of key stealing from memory, and caching of files, however.

Related

How to set the JDK for Android Studio?
How do you add "open in terminal" to the right-click mouse menu for folders/directories?
curl is not working on Ubuntu 18.04 LTS
dpkg --get-selections shows packages marked "deinstall"
Deleting contents of ~/.local/share/Trash/expunged .....?
How can I run Unity in a virtual machine?
How to find out why process was killed on server
What is the significance of '*' (star, asterisk) in the file listing results?
How do I set up ccache?
Diablo III Installation Size
Minecraft 1.16 Nether Fortress Location/Generation
How can I speed up the cooldown for the helicopter homie?