Are default options of cryptsetup/luks secure?

Question

I'm setting up a partition for a linux distribution and I use the command : cryptsetup -y -v luksFormat /dev/sda1.

I believe the default options for the current version of cryptsetup are :

--hash  ripemd160   
--cipher    aes-cbc-essiv:sha256    
--key-size  256 
--offset    0   
--key-file  default uses a passphrase   
--keyfile-offset    0   
--keyfile-size  8192kB

Source

Now I am wondering if the default options are safe enough or if I should modify some for more security. For instance what would be the tradeoff if I changed the key-size to 512 or the hash to sha512 ? Are other parameters worth changing ?

An answer to this question would qualify as product recommendation. (which is out of scope for this website). If you would like an answer you should change your question to a specific one. like what is the difference between cipher x and y when using luks. — LvB, Jul 26 '16 at 09:54
@LvB IMO it isn't completely off-topic. It stick to the topic of linux disk-encryption. You can't expect that people ask questions which answer is forever suitable. Technology evolves, that doesn't mean people don't have questions of current technologies. — , Jul 26 '16 at 13:06
when I conceptualize tis question I get "Security and safe ==> what should I do." when I then add the subject "luks" I get the following Question. "What setup do you recommend when using disc encryption on linux" which in my opinion is a product recommendation. when the scope would be limited, this luckily can change. and therefor (and I agree with you there @Ay0 ) is not completely off-topic, it just need a 'patch'. — LvB, Jul 26 '16 at 14:22

score 6 · Answer 1 · answered Jul 27 '16 at 01:34

6

The default encryption options for LUKS volumes are actually:

password hash: sha1
encryption: aes-xts-plain64 with a 256-bit volume master key

For most purposes, the default options are secure. Three things you might want to change:

--iter-time: This is how long in milliseconds cryptsetup spends hashing your passphrase to create the initial slot key; this sets the number of iterations used in the future when unlocking the volume. If you're creating your volume on an unusually slow machine, you may want to set this higher than the default "1000" to improve security.

--hash: sha1 has no known weaknesses that would affect its use for password derivation, but you might want to replace it with something like sha256.

--use-random: Some copies of cryptsetup default to using /dev/urandom when creating the volume master key. The --use-random parameter will ensure that you're using /dev/random instead.

answered Jul 27 '16 at 01:34

Mark

34,646
9
87
137

1

Meanwhile, the default options have changed, currently (with e.g. 1.7.5), sha256 is used, by default. One can display the defaults of a given version like this: truncate -s 10M foo.img && cryptsetup luksFormat foo.img && cryptsetup luksDump foo.img Alternatively, one can look up the likely current defaults in the Arch documentation. – maxschlepzig Dec 16 '17 at 21:30
5

Actually, getting the defaults is easier than that: cryptsetup --help will give you the defaults as the last few lines of output. – Mark Dec 17 '17 at 07:17
1

update from 2019: Ubuntu 19.04's defaults are AES-XTS with a 512-bit key (that's a 256-bit AES key due to XTS weirdness), and argon2i for key derivation with an iteration time of 2 seconds. – user371366 Jul 17 '19 at 04:43

Are default options of cryptsetup/luks secure?

1 Answers1