Fix possible attacks against data confidentiality through LUKS2 online reencryption extension crash recovery.
An attacker can modify on-disk metadata to simulate decryption in progress with a crashed (unfinished) reencryption step and persistently decrypt part of the LUKS device. This attack requires repeated physical access to the LUKS device but no knowledge of user passphrases. The decryption step is performed after a valid user activates the device with a correct passphrase and modified metadata. There are no visible warnings for the user that such recovery happened (except using the luksDump command). The attack can also be reversed afterward (simulating crashed encryption from a plaintext) with possible modification of revealed plaintext.
The problem was caused by reusing a mechanism designed for the actual reencryption operation without reassessing the security impact for the new encryption and decryption operations. While the reencryption requires calculating and verifying both key digests, no digest was needed to initiate decryption recovery if the destination is plaintext (no encryption key). Also, some metadata (like the encryption cipher) is not protected, and an attacker could change it. Note that LUKS2 protects visible metadata only when a random change occurs. It does not protect against intentional modification, but such modification must not cause a violation of data confidentiality.
The fix introduces additional digest protection of reencryption metadata. The digest is calculated from known keys and critical reencryption metadata. Now an attacker cannot create a correct metadata digest without knowledge of a passphrase for the used keyslots. For more details, see LUKS2 On-Disk Format Specification version 1.1.0.
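The advisory above notes that the only visible trace of a pending recovery is in the luksDump output. As an added example (not code from the cryptsetup project), the Python function below scans LUKS2 JSON metadata, for instance as printed by `cryptsetup luksDump --dump-json-metadata` on versions that have that option, for recorded reencryption state before a device is unlocked. The function name and both sample documents are constructed for illustration; the field names (`reencrypt` keyslot type, `mode`, segment `flags`, `online-reencrypt` requirement) are assumed to match the LUKS2 on-disk format specification.

```python
import json

# Constructed sample (not from a real device): trimmed LUKS2 JSON metadata in
# the state the advisory describes, a "decrypt" operation marked as in progress.
SAMPLE_SUSPECT = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64},
        "1": {"type": "reencrypt", "mode": "decrypt", "direction": "forward"},
    },
    "segments": {
        "0": {"type": "linear", "offset": "16777216", "size": "dynamic",
              "flags": ["in-reencryption"]},
        "1": {"type": "crypt", "offset": "16777216", "size": "dynamic",
              "encryption": "aes-xts-plain64", "flags": ["backup-previous"]},
    },
    "config": {"requirements": {"mandatory": ["online-reencrypt"]}},
})
# Constructed sample: the same device with no reencryption state recorded.
SAMPLE_IDLE = json.dumps({
    "keyslots": {"0": {"type": "luks2", "key_size": 64}},
    "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                       "encryption": "aes-xts-plain64"}},
    "config": {},
})


def reencryption_findings(metadata_json):
    """List every sign of pending reencryption; an empty list means none."""
    md = json.loads(metadata_json)
    findings = []
    for slot, ks in sorted(md.get("keyslots", {}).items()):
        if ks.get("type") == "reencrypt":
            mode = ks.get("mode", "unknown")
            # "encrypt" and "decrypt" are the modes with plaintext on one side.
            note = " (destination or source is plaintext)" if mode in ("decrypt", "encrypt") else ""
            findings.append(f"keyslot {slot}: reencrypt keyslot, mode={mode}{note}")
    for seg, body in sorted(md.get("segments", {}).items()):
        marks = [f for f in body.get("flags", [])
                 if f == "in-reencryption" or f.startswith("backup-")]
        if marks:
            findings.append(f"segment {seg}: flags {','.join(marks)}")
    reqs = md.get("config", {}).get("requirements", {}).get("mandatory", [])
    findings += [f"requirement: {r}" for r in reqs if r.startswith("online-reencrypt")]
    return findings


if __name__ == "__main__":
    for name, doc in (("suspect", SAMPLE_SUSPECT), ("idle", SAMPLE_IDLE)):
        hits = reencryption_findings(doc)
        print(name, "->", "REVIEW BEFORE UNLOCKING" if hits else "no reencryption state")
        for h in hits:
            print("   ", h)
```

A non-empty result on a device where nobody started a reencryption is the condition worth investigating before entering a passphrase.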
What the ...?
Cryptsetup is a utility used to conveniently set up disk encryption based on the DMCrypt kernel module.
The supported formats include plain dm-crypt volumes, LUKS volumes, loop-AES, TrueCrypt (including VeraCrypt extension) and BitLocker formats.
The project also includes a veritysetup utility used to conveniently set up the DMVerity block integrity checking kernel module and, since version 2.0, integritysetup to set up the DMIntegrity block integrity kernel module.
LUKS Design
LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk format, it not only facilitates compatibility among distributions, but also provides secure management of multiple user passwords.
LUKS stores all necessary setup information in the partition header, making it possible to transport or migrate data seamlessly.
The latest version of the LUKS2 format specification is available here.
The latest version of the LUKS1 format specification is available here.
Why LUKS?
- compatibility via standardization,
- secure against low entropy attacks,
- support for multiple keys,
- effective passphrase revocation,
- free.
Project home page.
Frequently asked questions (FAQ)
Download
All release tarballs and release notes are hosted on kernel.org.
The latest stable cryptsetup version is 2.3.6
- cryptsetup-2.3.6.tar.xz
- Signature cryptsetup-2.3.6.tar.sign (You need to decompress the file first to check the signature.)
- Cryptsetup 2.3.6 Release Notes.
Previous versions
Source and API docs
For development version code, please refer to the source page, the mirror on kernel.org or GitHub.
For libcryptsetup documentation, see the libcryptsetup API page.
The libcryptsetup API/ABI changes are tracked in the compatibility report.
NLS PO files are maintained by TranslationProject.
Help!
Please always read the FAQ first. For cryptsetup and LUKS related questions, please use the dm-crypt mailing list, dm-crypt@saout.de.
If you want to subscribe, just send an empty mail to dm-crypt-subscribe@saout.de.
You can also browse the list archive or read and search it through the web interface on lore.kernel.org or alternatively on marc.info.
