brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
f6c023b3fb063161fcf636cddfdd482219cb7fcf
oam/knowledge base/cryptsetup.md
Michele Cereda 37306a1328 chore: imported articles from the private kb
2023-04-27 22:11:48 +02:00

2.6 KiB
Raw Blame History

Cryptsetup

TL;DR

# crypt a device
sudo cryptsetup luksFormat /dev/sdb
sudo cryptsetup luksOpen /dev/sdb crypted-device
sudo mkfs.btrfs --label data /dev/mapper/crypted-device
sudo mount --types btrfs --options compress-force=zstd:3 /dev/mapper/crypted-device /media/data
sudo umount /media/data
sudo cryptsetup luksClose /dev/mapper/crypted-device

Crypt a device

  1. create the luks partition

    sudo cryptsetup luksFormat /dev/sdb

    as of cryptsetup version 2.3.4, this is equivalent to

    cryptsetup --type luks2 --cipher aes-xts-plain64 --hash sha256 --iter-time 2000 --key-size 256 --pbkdf argon2i --sector-size 512 --use-urandom --verify-passphrase luksFormat device

  2. open the luks partition

    sudo cryptsetup luksOpen /dev/sdb samsung_860_evo_1tb

  3. format the partition

    sudo mkfs.btrfs --label samsung_860_evo_1tb /dev/mapper/samsung_860_evo_1tb

  4. mount the partition

    sudo mount --types btrfs --options compress-force=zstd:0,nodev,nosuid,uhelper=udisks2 /dev/mapper/samsung_860_evo_1tb /mnt/samsung_860_evo_1tb

  5. do what you need

  6. umount the partition

    sudo umount /mnt/samsung_860_evo_1tb

  7. close the luks partition

    sudo cryptsetup luksFormat /dev/sdb

Troubleshooting

The process is killed due to too much memory used

Should you get the following result during any operation:

$ sudo cryptsetup luksOpen /dev/sdb1 crypted-data
Enter passphrase for /dev/sdb1: ***
killed

it could be the process is using too much memory.
This is due to the LUKS2 format using by default the Argon2i key derivation function, that is so called memory-hard function - it requires certain amount of physical memory (to make dictionary attacks more costly).

The solution is simple; either:

  1. switch to LUKS1, or

  2. use LUKS2, but switch to PBKDF2 (the one used in LUKS1); just add the --pbkdf pbkdf2 option to luksFormat or to any command that creates keyslots, or

  3. use LUKS2 but limit the memory assigned to Argon2i function; for example, to use up to 256kB just add the --pbkdf-memory 256 option to the command as follows:

    $ sudo cryptsetup luksOpen --pbkdf-memory 256 /dev/sdb1 lacie
Enter passphrase for /dev/sda1: ***

Further readings