[SOLVED] Using hash algorithms other than SHA1 for LUKS header

MkFly · 2010-01-06 03:11:34

I'm wanting to set up a LUKS-encrypted LVM on a new system before setup.

Is there any support for hashing with anything other than SHA1 with LUKS?

Last edited by MkFly (2010-07-05 20:21:08)

MkFly · 2010-07-05 19:53:35

From what I can tell, support for this was added with cryptsetup 1.1.0, released a couple of weeks after my original post:

Cryptsetup 1.1.0 Release Notes
* Uses libgcrypt and enables all gcrypt hash algorithms for LUKS through -h luksFormat option.
Please note that using different hash for LUKS header make device incompatible with old cryptsetup releases.

# sudo cryptsetup luksFormat /dev/sda1 --hash sha512

# sudo cryptsetup luksDump /dev/sda1
Version:           1
Cipher name:       aes
Cipher mode:       cbc-essiv:sha256
Hash spec:         sha512

From cryptsetup manpage:

WARNING: setting hash other than sha1 causes LUKS device incompatible with older version of cryptsetup.
The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported. Default is set during compilation, compatible values with old version of cryptsetup are "ripemd160" for create action and "sha1" for luksFormat.

# cryptsetup --help

Default compiled-in device cipher parameters:
    plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
    LUKS1: aes-cbc-essiv:sha256, Key: 256 bits, LUKS header hashing: sha1

Last edited by MkFly (2010-07-31 19:04:44)

Arch Linux

#1 2010-01-06 03:11:34

[SOLVED] Using hash algorithms other than SHA1 for LUKS header

#2 2010-07-05 19:53:35

Re: [SOLVED] Using hash algorithms other than SHA1 for LUKS header

Board footer