Cryptsetup

Table of contents

  1. TL;DR
  2. Crypt a device
  3. Troubleshooting
    1. The process is killed due to too much memory used
  4. Further readings

TL;DR

# crypt a device
sudo cryptsetup luksFormat /dev/sdb
sudo cryptsetup luksOpen /dev/sdb crypted-device
sudo mkfs.btrfs --label data /dev/mapper/crypted-device
sudo mount --types btrfs --options compress-force=zstd:3 /dev/mapper/crypted-device /media/data
sudo umount /media/data
sudo cryptsetup luksClose /dev/mapper/crypted-device

Crypt a device

  1. create the LUKS partition

    sudo cryptsetup luksFormat /dev/sdb
    

    as of cryptsetup version 2.3.4, this is equivalent to

    cryptsetup --type luks2 --cipher aes-xts-plain64 --hash sha256 --iter-time 2000 --key-size 256 --pbkdf argon2i --sector-size 512 --use-urandom --verify-passphrase luksFormat device
    
  2. open the LUKS partition

    sudo cryptsetup luksOpen /dev/sdb samsung_860_evo_1tb
    
  3. format the partition

    sudo mkfs.btrfs --label samsung_860_evo_1tb /dev/mapper/samsung_860_evo_1tb
    
  4. mount the partition

    sudo mount --types btrfs --options compress-force=zstd:0,nodev,nosuid,uhelper=udisks2 /dev/mapper/samsung_860_evo_1tb /mnt/samsung_860_evo_1tb
    
  5. do what you need

  6. unmount the partition

    sudo umount /mnt/samsung_860_evo_1tb
    
  7. close the LUKS partition

    sudo cryptsetup luksClose /dev/mapper/samsung_860_evo_1tb
    

Troubleshooting

The process is killed due to too much memory used

Should you get the following result during any operation:

$ sudo cryptsetup luksOpen /dev/sdb1 crypted-data
Enter passphrase for /dev/sdb1: ***
killed

it could be that the process is using too much memory.
By default, the LUKS2 format uses the Argon2i key derivation function, a so-called memory-hard function: it requires a certain amount of physical memory in order to make dictionary attacks more costly.

The solution is simple; either:

  1. switch to LUKS1, or

  2. use LUKS2, but switch to PBKDF2 (the one used in LUKS1); just add the --pbkdf pbkdf2 option to luksFormat or to any command that creates keyslots, or

  3. use LUKS2 but limit the memory assigned to the Argon2i function (the lower the limit, the cheaper a dictionary attack becomes); for example, to use up to 256kB just add the --pbkdf-memory 256 option to the command as follows:

    $ sudo cryptsetup luksOpen --pbkdf-memory 256 /dev/sdb1 lacie
    Enter passphrase for /dev/sdb1: ***
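
To check for this condition before opening a volume, the following added example (not part of the original page) parses `cryptsetup luksDump` output and lists the keyslots whose Argon2 memory cost exceeds a given budget. The embedded dump is constructed and abbreviated, and the function names `keyslot_costs` and `oom_risk_slots` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): find LUKS2 keyslots whose
# Argon2 memory cost is larger than the memory available for unlocking.

# Constructed, abbreviated sample in the layout of `cryptsetup luksDump` for a
# LUKS2 header; "Memory" is in KiB. Real output indents with tabs and has more fields.
SAMPLE_DUMP='Keyslots:
  0: luks2
    PBKDF:      argon2i
    Memory:     1048576
  1: luks2
    PBKDF:      pbkdf2
    Iterations: 1000000
  2: luks2
    PBKDF:      argon2id
    Memory:     262144
Tokens:
Digests:
  0: pbkdf2
    Iterations: 100000
'

# keyslot_costs: luksDump text on stdin -> "<slot> <pbkdf> <memory KiB>" per
# keyslot. Memory is reported as 0 for pbkdf2, which has no memory cost.
keyslot_costs() {
    awk '
        function emit() { if (have) print slot, pbkdf, mem; have = 0 }
        /^Keyslots:/ { in_ks = 1; next }
        /^[A-Za-z]/  { emit(); in_ks = 0 }           # any other top-level section
        in_ks && NF == 2 && $1 ~ /^[0-9]+:$/ {       # "  0: luks2" starts a keyslot
            emit(); slot = $1; sub(":", "", slot); pbkdf = "?"; mem = 0; have = 1
        }
        in_ks && $1 == "PBKDF:"  { pbkdf = $2 }
        in_ks && $1 == "Memory:" { mem = $2 }
        END { emit() }
    '
}

# oom_risk_slots <available KiB>: space-separated slots that need more than that.
oom_risk_slots() {
    keyslot_costs | awk -v avail="$1" '
        $3 + 0 > avail + 0 { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# Demo on the constructed sample with a 512 MiB budget.
printf '%s' "$SAMPLE_DUMP" | oom_risk_slots 524288
```

The memory cost is stored in each keyslot when it is created, which is why the check reads it from the header. On a real device, pipe `sudo cryptsetup luksDump /dev/sdb1` into `oom_risk_slots` with the `MemAvailable` value from `/proc/meminfo` as the budget.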
    

Further readings