You are not logged in.
- Topics: Active | Unanswered
Pages: 1
#1 2024-08-21 22:55:58
- 8Zephyr
- Member
- Registered: 2024-08-21
- Posts: 1
Is LUKS as secure as VeraCrypt on Windows?
Hello everyone! I have a laptop where I need to store important data, so I need to take full disk encryption seriously. If I use LUKS for encryption, will the keys be encrypted in RAM? Is it possible to extract them by dumping the memory? Also, is it feasible to set up a dual-boot system where entering one password grants access to one partition, while entering another password grants access to a different partition, similar to how VeraCrypt works?
If LUKS cannot provide this functionality, what can I do to make it possible?
Last edited by 8Zephyr (2024-08-21 23:02:22)
Offline
#2 2024-08-23 07:49:47
- Awebb
- Member
- Registered: 2010-05-06
- Posts: 6,634
Re: Is LUKS as secure as VeraCrypt on Windows?
I'm sorry if I come across like some sort of huge dick, but are you sure you could use the information provided here effectively? What if one said "yes"? Would that really help?
The thing with the two passwords is called "plausible deniability". You should research "LUKS plausible deniability".
Online
#3 2024-08-23 08:04:33
- seth
- Member
- Registered: 2012-09-03
- Posts: 59,737
Re: Is LUKS as secure as VeraCrypt on Windows?
Veracrypt ist in the repos.
Not Sure about encrypted master Keys (are you concerned about cold boot attacks?), the approach seems to be to ensure the Container gets closed on shutdowns, but that's Not gonna Help with HW Access.
Offline
#4 2024-09-07 21:24:25
- lrdoftheblings
- Member
- Registered: 2024-08-26
- Posts: 7
Re: Is LUKS as secure as VeraCrypt on Windows?
If I use LUKS for encryption, will the keys be encrypted in RAM?
The volume key has to be loaded into memory in order to access your data. There's not really a way around this.
Is it possible to extract them by dumping the memory?
Yes, if your system is powered on and the container unlocked then an attacker with physical access to your device could extract the keys from memory with the right equipment. If your threat model includes attackers with these kinds of resources then you are asking for help in the wrong place.
Also, is it feasible to set up a dual-boot system where entering one password grants access to one partition, while entering another password grants access to a different partition, similar to how VeraCrypt works?
Yes, you can create multiple LUKS containers and they will use different volume keys and you can install OSes on them.
Offline
#5 2024-09-07 22:01:53
- seth
- Member
- Registered: 2012-09-03
- Posts: 59,737
Re: Is LUKS as secure as VeraCrypt on Windows?
The volume key has to be loaded into memory in order to access your data. There's not really a way around this.
The OP is referring to https://veracrypt.eu/en/VeraCrypt%20RAM … ption.html
For everything but cold boot attacks this is security-by-obfuscaturity (VeraCrypt acknowledges that) and I agree that
If your threat model includes attackers with these kinds of resources then you are asking for help in the wrong place.
Since I was posting the last time from my phone, let me add the obligatory https://m.xkcd.com/538/
Offline
#6 2024-09-10 17:47:11
- Strike0
- Member
- From: Germany
- Registered: 2011-09-05
- Posts: 1,487
Re: Is LUKS as secure as VeraCrypt on Windows?
LUKS is a tool for data-at-rest encryption, i.e. when the system/device is turned off. It was never intended for more. A user/process with matching privileges can obtain the master key of an unlocked (not-at-rest) device. An encryption of keys in RAM would qualify as a data-in-use encryption. There were some early academic attempts to add such to the kernel, but it's nothing supported by standard tools and even 'pro' approaches like Intel SGX features have been pwned.
8Zephyr wrote:Also, is it feasible to set up a dual-boot system where entering one password grants access to one partition, while entering another password grants access to a different partition, similar to how VeraCrypt works?
Yes, you can create multiple LUKS containers and they will use different volume keys and you can install OSes on them.
Albeit, you cannot automagically address the different LUKS containers depending on which password is entered (this would be a plausible deniability feature), at least with standard tools. In the simplest case you need to create and pick different boot entries for each system to boot. Besides the LUKS headers for each are transparent, so it's not comparable to how veracrypt works.
Offline
#7 2024-09-10 19:40:26
- lrdoftheblings
- Member
- Registered: 2024-08-26
- Posts: 7
Re: Is LUKS as secure as VeraCrypt on Windows?
OP never said anything about plausible deniability. It read to me like they want to have work and personal data separate and compartmentalized or something similar.
Offline
#8 2024-09-10 19:45:12
- seth
- Member
- Registered: 2012-09-03
- Posts: 59,737
Re: Is LUKS as secure as VeraCrypt on Windows?
is it feasible to set up a dual-boot system where entering one password grants access to one partition, while entering another password grants access to a different partition, similar to how VeraCrypt works?
If the password alone determines the target container, that typically targets plausible deniability.
You've two volumes, one full of porn, the other one only contains cat videos. Your mom forces you to unlock the container because she what's to know what filth you're keeping there. You're entering the "wrong" password, it works, the volume gets decrypted and hear "Awwww, pussies" instead of "Eeeww, pussies".
It's relevant because of https://m.xkcd.com/538/
Offline
#9 2024-09-16 04:11:05
- johnspack
- Member
- Registered: 2024-09-16
- Posts: 3
Re: Is LUKS as secure as VeraCrypt on Windows?
Just a note... Veracrypt allows you to create a hidden volume within a volume, with a different password.
Offline
Pages: 1