
#1 2024-03-04 05:42:18

Tom5
Member
Registered: 2024-03-04
Posts: 3

howto create a file for LUKS, header=key?

What is the right way to create a 10 GB file for a luks encrypted image file with detached header?

fallocate -l 10G datei

dd if=/dev/zero    of=file bs=1G count=10

dd if=/dev/urandom of=file bs=1G count=10

openssl enc -aes-256-ctr -pbkdf2 -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero | head -c 10G | pv -pterb -s10G > file

if "file" is there, then:
cryptsetup luksFormat ...
(Header in file.header, Key in file.key)
cryptsetup luksOpen ...
mkfs.ext4 ...
mount ...
then copy into it what should be in; if space is left, it will be filled up with data from urandom.
umount ...
cryptsetup luksClose ...

What is the right way to create "file"?
With fallocate the file is immediately there, only a marker in the filesystem.
With dd and openssl it takes only a few seconds (1.5 GB/s).
With data from urandom, it takes a moment longer (400 MB/s).
Time doesn't matter.

I have read that in the LUKS header is the master key to unlock, so why should I use and need a key for the header? My header is detached from the encrypted "file".
Can my header be my key? Can I use LUKS without key/pass? Is this a good idea?

Last edited by Tom5 (2024-03-04 05:43:50)


#2 2024-03-04 08:51:43

frostschutz
Member
Registered: 2013-11-15
Posts: 1,647

Re: howto create a file for LUKS, header=key?

If you don't mind sparse files / zeroes in free space regions, it's completely fine to use truncate or fallocate. Otherwise, urandom or another way to randomize (openssl rand, or just write zeroes through cryptsetup and follow with another luksFormat).

`bs=1G` will eat 1G of your RAM, it's not necessary and not any faster (or even slower) than regular `bs=1M`. With (recent) dd you can use `count=10GiB` (must end with B) to specify a size. Alternatively use `head --bytes=10G /dev/urandom > somefile` (you already used head this way in your openssl command).

You can specify an external header using the --header option. It will create the file for you if necessary.

# cryptsetup luksFormat myfile.img --header myfile.img.luks

WARNING!
========
Header file does not exist, do you want to create it?

The resulting header will use a data offset 0 bytes which is only possible with external headers:

# cryptsetup luksDump myfile.img.luks
LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	3a007979-146c-4538-af2a-2709860be2ac
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: 0 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 4096 [bytes]

Can I use LUKS without key/pass?

That's not really part of the concept. At most you can just hit Enter to make an empty passphrase. cryptsetup open will still ask you for one all the same, though. If you want to open without interaction, you'll have to pass a --key-file. What you put in that (empty file, the LUKS header UUID, whatever) is your call then.

The LUKS header itself cannot and must not be the key file. Adding the LUKS header as a keyfile to itself changes the LUKS header, and it then requires the previously unchanged LUKS header as the keyfile. Effectively you're locking yourself out if you attempt to do that.

By default the LUKS 2 header will be 16M large. If you don't intend to use many keyslots, you can create the file yourself to be only 1M large (3 keyslots) or 2M large (8 keyslots).

In general it can make sense to add another passphrase (even if it's the same passphrase) so that the header will store the master key twice; makes it a little more resilient to corruption. Otherwise a single bit error will lock you out.

Last edited by frostschutz (2024-03-04 09:37:40)
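Putting Tom5's step list and the points from this reply together, as an added example (not code from either poster): a sparse or urandom-filled image, a separate key file (the header itself is never the key), a pre-sized detached header, and the same key added a second time so the master key sits in two keyslots. It assumes GNU coreutils (truncate, head, stat), cryptsetup 2.x, and root for the format/open/mkfs/mount steps; the file names and the mapper name are examples.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU coreutils, cryptsetup 2.x
# and root for the privileged functions. Names like file.img are placeholders.
set -eu

# Step 1: the data file. "sparse" is the truncate/fallocate route (instant, and
# free space later reads as zeros); "random" fills it from urandom with
# head --bytes, which avoids the 1G dd buffer the reply warns about.
make_image() {   # $1 path, $2 size (e.g. 10G), $3 sparse|random
    case "$3" in
        sparse) truncate -s "$2" "$1" ;;
        random) head --bytes="$2" /dev/urandom > "$1" ;;
        *) echo "usage: make_image PATH SIZE sparse|random" >&2; return 2 ;;
    esac
}

# Apparent size versus blocks actually allocated: a sparse image reports the
# full size with (almost) nothing allocated; a random-filled one allocates it all.
apparent_bytes()  { stat -c %s "$1"; }
allocated_bytes() { echo $(( $(stat -c %b "$1") * $(stat -c %B "$1") )); }

# Step 2: a key file, since the header cannot be its own key. 64 random bytes,
# created with a restrictive umask so it is never world-readable, even briefly.
make_keyfile() {
    ( umask 077; head --bytes=64 /dev/urandom > "$1" )
    chmod 600 "$1"
}

# Step 3: pre-size the detached header. 2M is the reply's figure for about 8
# keyslots; skip this and cryptsetup creates the default 16M header itself.
make_header() { truncate -s "${2:-2M}" "$1"; }

# Steps 4-8 need root: format with the detached header and key file, then add
# the same key again so the master key is stored in a second keyslot (the
# corruption-resilience point above), open, mkfs, mount, and close again.
format_container() {   # $1 image, $2 header, $3 keyfile
    cryptsetup luksFormat --type luks2 --batch-mode --header "$2" --key-file "$3" "$1"
    cryptsetup luksAddKey --header "$2" --key-file "$3" "$1" "$3"
}
open_container() {     # $1 image, $2 header, $3 keyfile, $4 mapper name, $5 mountpoint
    cryptsetup open --header "$2" --key-file "$3" "$1" "$4"
    mkfs.ext4 -q "/dev/mapper/$4"
    mkdir -p "$5"
    mount "/dev/mapper/$4" "$5"
}
close_container() {    # $1 mapper name, $2 mountpoint
    umount "$2"
    cryptsetup close "$1"
}

# The privileged sequence only runs when invoked as:  sh this.sh run
if [ "${1:-}" = "run" ]; then
    make_image   file.img 10G sparse      # or: random
    make_keyfile file.key
    make_header  file.header 2M
    format_container file.img file.header file.key
    open_container   file.img file.header file.key datavol /mnt/datavol
    # ... copy data into /mnt/datavol ...
    close_container  datavol /mnt/datavol
fi
```

With "random" the unused space is already urandom before formatting, so there is no need for a separate fill-up step after copying the data; with "sparse" the unused regions of the image stay zero on disk, which is the trade-off the reply describes.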

