Skip to content

Instantly share code, notes, and snippets.

@daniel-j-h
Created November 5, 2022 17:56
Show Gist options
  • Save daniel-j-h/ff5ea91bc8b421206d8fb84639a24091 to your computer and use it in GitHub Desktop.
Save daniel-j-h/ff5ea91bc8b421206d8fb84639a24091 to your computer and use it in GitHub Desktop.
Re-key your encrypted volumes

Re-key your encrypted volumes

When you encrypt volumes like your laptop's SSD or USB sticks on Linux there's a high chance you're using Linux Unified Key Setup (LUKS) in the background. To decrypt volumes, LUKS uses your secret passphrase and puts it through a function to derive the actual volume decryption key. The key derivation function is supposed to be expensive to compute so that brute-force attacks are hard to pull off.

There are three problems with the LUKS setup in practice

  1. The key derivation function gets benchmarked and tuned to your system to keep the decryption process short e.g. below a second because no one wants to wait too long
  2. Therefore, if you encrypt volumes with a weak device like a laptop, the key derivation function will we weak
  3. If you encrypted a device in the past and are still using its volume, you will not benefit from more recent key derivation function algorithms which have stronger guarantees against brute force attacks e.g. using GPUs

That's why you should re-key your devices every 5-10 years; as of 2022 with LUKS2 and the Argon2id key derivation function.

How do I re-key my encrypted volumes

Unfortunately, user interfaces like Gnome Disks will not help here, so we need to drop to the terminal.

If your systems support it (e.g. Ubuntu 22.04), use LUKS2 and the Argon2id key derivation function that's coming with LUKS2. Then set Argon2id's parameters to use as much memory as you can spare and then tune the number of iterations to adjust the time it takes to decrypt.

Here is an example how to re-key an ecrypted USB stick used for backups to use Argon2id and take longer to decrypt on a laptop which is fine because I use it rarely and for cold storage.

# Check for encrypted LUKS volums; say the output shows it's at /dev/sdb1
lsblk --fs

# See the current encryption and key derivation function settings
sudo cryptsetup luksDump /dev/sdb1

# Change the key derivation function while keeping the actual encrypted data untouched
sudo cryptsetup-reencrypt --keep-key --pbkdf argon2id --pbkdf-memory 1024000 --pbkdf-force-iterations 20 --pbkdf-parallel 4 /dev/sdb1

I want to know more

https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment