Actions

Full Disk Encryption

From Whonix


About this Full Disk Encryption Page
Support Status stable
Difficulty easy
Contributor HulaHoop [archive]
Support Support
Fulldeskencryption423423.jpg

Introduction[edit]

Encrypting Whonix ™ VMs[edit]

This is currently unsupported and does not provide any additional protection. The Encrypted Images wiki page provides a detailed explanation, with the conclusion noting:

The host of security considerations suggest that an unrealistic set of operational rules are required to defend the integrity of a purely encrypted guest image. Use of Full Disk Encryption is recommended instead.

Deniable Encryption[edit]

Such software is only effective in jurisdictions that have human rights and follow the rule of law. In scenarios where one might face indefinite detention or worse, it is actually better to avoid using plausibly deniable encryption feature. According to game theory, the adversary incurs a neglible cost by prolonging torture or incarceration for the captive while the reward of finally breaking the victim is much greater, in case there was actually anything to be found.[1] In group scenarios, using deniable encryption is a strong disincentive against the captured member "defecting" to save themselves since they cannot prove to the captor their loyalty.[2]

Measures Against Non-violent Coercion[edit]

Even in relatively civilized states, the laws have been misconstrued to make civil liberties protections at the border weaker. In the case of the US, the Fourth Amendment can be violated at will by customs officers. This section assumes a scenario where one is compelled to divulge passwords without measures involving physical harm or indefinite imprisonment. In such situations it is always recommended to exercise your right to remain silent and to request a lawyer. Your devices will most likely be impounded and therefore backups of important data should be made beforehand.

  • This EFF Guide [archive] provides advice and outlines your rights at the border. Tips like storing key material in the cloud should be ignored.
  • A clever technique [archive] (page 3) proposed by OTR's designer, Ian Goldberg, uses Shamir's Secret Splitting Scheme to split a key-file and distribute it among trusted friends to make producing the key a physical impossibility.
  • Cryptographer Bruce Schneier outlines a simpler variant of the above technique. A new random string is added as a password and then passed along to a trusted person, with the usual password being removed before crossing the border. After arriving, the key to access the drive can be retrieved and the original one re-added. [3]

Physical Access[edit]

Info It is safest to assume that a machine has been compromised after any unauthorized physical access.

If unauthorized access is strongly suspected or confirmed, the hardware should not be trusted or used after it is back in your possession. This scenario is only relevant to a small minority who are already targeted for physical surveillance. A sufficiently skilled adversary can infect it with spyware or sabotage it in a number of ways that are virtually undetectable. For example, malicious firmware could be installed to record all activities, or the machine rendered inoperable by bricking the hardware. In that eventuality, none of the measures outlined in this chapter will help.

Protection Against Powerful Adversaries[edit]

As noted above, advanced attackers have virtually limitless possibilities to infect a computer under their physical control, such as flashing low-level firmware or adding physical implants.

It may be possible to get plausible deniability on Linux hosts using methods other than those listed below, but the topic is a rabbit hole (see footnotes). [4]

Plausible deniability and Full Disk Encryption (FDE) are also useless if subjected to physical abuse by a captor.

A safer option is to have not left any discoverable data traces on a personal machine in the first place. See VM Live Mode, Anti-Forensics Precautions and Host Live Mode.

To protect against theft of personal information or data, FDE should be applied on the host, and the computer turned off when exposed to higher-risk situations like traveling. In the case of laptops, the battery should be temporarily removed after powering off. This ensures that the RAM chips are completely powered down and that any encryption key(s) in memory are erased. [5] See also Cold Boot Attack Defense.

Sleep mode:

  • Hibernation is also a safe alternative because the swap partition is encrypted in the default FDE configuration for various platforms (like Debian), so long as no changes were made.
  • Suspend to RAM is insecure.

Be sure to follow the standard advice for picking strong and unique passphrases, so they cannot be feasibly brute-forced. Also, computers should never be left unattended in untrusted venues.

Debian Hosts[edit]

Configuring FDE during system install is straightforward. The default cipher is AES-256 in XTS mode.

Removable Media[edit]

New Removable Media[edit]

Gnome Disks Utility creates LUKS partitions with AES-128 by default which is insufficient in event of quantum computers materializing. This has been successfully reported and fixed upstream as of February 2019, [6] [7] but until it lands in Debian, an appropriately secure container must be manually created. Afterwards, unlock the device and format the internal filesystem as EXT4 in Gnome Disks.

First enumerate the device. They will usually be called 'sdb1', as sdaX is reserved for the system on default installs. To avoid confusion, only connect one removable device at a time.

# ls /dev/

Create a LUKS container and change the device name as needed, then follow the prompts.

# cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --use-random luksFormat <device>

Legacy Device Encryption Upgrade[edit]

It is safer to re-encrypt the device with a stronger key rather than performing a quick format that will otherwise leave the old/weaker header intact.

1. First enumerate the device.

They will usually be called 'sdb1', as sdaX is reserved for the system on default installs. To avoid confusion, only connect one removable device at a time.

# ls /dev/

2. View the LUKS header data in order to make necessary adjustments.

Run.

# cryptsetup luksDump --debug <device>

LUKS header data legend:

  • 'MK' means 'Master Key'. [8]
  • AES in XTS mode uses a key size double its bit size (512 in this case) since in XTS the key is split in 2, resulting in AES with 256-bit keys. [9]
  • 'Payload offset' is 4096 for 256-bit keys and 2048 for 128-bit keys. [10]

3. Re-encrypt the device with stronger keys. [11]

Fortunately, header resizing is usually unnecessary (otherwise it will abort the process).

# cryptsetup-reencrypt <device> -c aes-xts-plain64 -s 512 --use-directio

Abruptly disconnecting power can cause data loss. To safely pause the process (in case of system sleep/shutdown), cryptsetup can be suspended (e.g. by Ctrl+C) and it will automatically restart from where it left off if temporary header files are present in the home directory. [12]

Encrypted Containers[edit]

Encrypted containers have the twin advantages of flexibility and mobility of folders, allowing more files to be added on the fly without needing re-compression and re-encryption (as in the case of using GPG).

Zulucrypt[edit]

Info As of the next point release in Whonix ™ 15, Zulucrypt is included by default. In the Whonix ™ command line version, containers can be managed from the terminal with zulucrypt-cli.

Zulucrypt is the Linux answer to encrypted containers, making use of the reliable LUKS disk encryption specification. It is compatible with encrypted tomb files [archive] and also capable of reading and creating Truecrypt / VeraCrypt [archive] containers. Note that Veracrypt containers only support a maximum password length of 64 characters, but LUKS has a maximum value of 32,767 (although a recently fixed bug had limited it to only 100 characters). [13] Until it is possible to use 20-word diceware passphrases to lock LUKS containers, it is recommended to use makepasswd to generate 43 character strings. These can then be pasted into a text file that is encrypted with GPG -- which does not have low character limits -- essentially creating a makeshift key file.

Containers grow dynamically as more data is added. Opened containers are mounted under /run/media/private/user. More than one password may be added for access, making use of LUKS' key slots feature behind the scenes. [14]

For further usage instructions please consult the official manual [archive].

Recommended Security Settings[edit]

Important Note: In order to have post-quantum resistance, the aes.xts-plain64.512.sha512 option is recommended for 256-bit encryption (the encryption key-size is split in two with XTS mode).

To view the container header, run.

sudo cryptsetup luksDump --debug /home/user/<file_name>

With LUKS it is possible to nest containers of different encryption ciphers; for example, by placing a Serpent and Twofish container inside each other, wrapped in an outer AES one. Be sure to select the .xts-plain64.512.sha512 variants in all cases. Each inner layer should be 1 MB less than the outer layer to allow space for each container's respective encryption header.

The plausible deniability feature is available with volume types Normal+Hidden Truecrypt/Veracrypt. Veracrypt volumes support crypto-cascades as a feature, so manual nesting is unnecessary. However, be warned that Truecrypt/Veracrypt volume types only support AES-128. Plain dm-crypt containers with a non-zero offset can be used to provide hidden volumes according to Zulucrypt's manual. This is yet to be tested by Whonix ™ developers.

Additional Measures[edit]

Table: Additional Protective Measures

Measure Description
Anti Evil Maid Evil Maid Attack
Erase LUKS Header

This is a much quicker alternative to zeroing data on a HDD with Darik's Boot and Nuke (DBAN) [archive]. [15] [16] This is an effective measure on spinning HDDs where wiped data is confirmed to be destroyed. The OS only needs to read the LUKS header off disk once – not every single second. Wiping the header makes the disk impossible to unlock in the future. [17]

Replace /dev/sdXY with the encrypted partition. Reply YES to the prompt.

sudo cryptsetup luksErase /dev/sdXY

Alternatively, to accomplish the same goal without being prompted, run.

sudo dd if=/dev/zero of=/dev/sdXY bs=1M count=2

This will overwrite the first two megabytes of the partition /dev/sdXY, which should cover the entire LUKS encryption header for version 1. If you are using LUKS2 with cryptsetup version 2.1.0 (Debian Buster default) the default header size is now 16MiB. Previous cryptsetup versions used a 4MiB LUKS2 header. In that case, simply adjust the dd command: dd if=/dev/zero of=/dev/sdXY bs=1M count=16 (or count=4). Determine your header size with the cryptsetup luksDump --debug <device> command.

Killer Killer[18] is a newer project that supports a range of trigger actions to shutdown a system in the case of tampering (disallowed changes) with USB, Bluetooth, AC, Battery, Disk Tray, and Ethernet. In the future, custom commands will be supported besides shutdown. [19] Once the program is packaged, it is intended to provide this software in the Whonix ™ repositories for Debian hosts.
LUKS Suspend Scripts On Linux hosts, there is one interesting solution for the risks posed by a computer in a suspended state; luks-suspend scripts. [20] This approach has some limitations because it is not yet packaged for Debian, and it has only been tested in the Ubuntu and Arch distributions. As of 2018, luks-suspend and keyslot nuking (mentioned below) is being merged upstream. [21] As of 2020 cryptsetup-suspend is now available in Debian Bullseye and Buster Backports, requiring Linux 5.6+. Keep in mind that while it protects LUKS keys by removing them from memory, other sensitive keys (GPG and SSH) and documents opened since last boot will still be present and extractable from RAM. Other daemons need to independently support key sanitization on suspend for enhanced protection.[22]
Magic Key Feature In an emergency, Non-Qubes-Whonix ™ is capable of powering-off the computer immediately via the Magic SysRq key feature. This is invoked by pressing the key combination: Alt + PrintScreen + o (lower-case letter). On bare-metal linux systems, the FDE passphrase is prompted after rebooting.[23] [24] [25] The magic key feature does not work on Qubes hosts because the Xen hypervisor does not recognize these commands. [26]

Nuke Patch for cryptsetup
  • The Kali penetration testing distro team has written a nuke patch for cryptsetup [archive], which adds the option to nuke all keyslots after a certain passphrase is entered; see footnotes. [27] [28]
  • Supplying the dead-man switch as the "real passphrase" to the interceptors of the machine is unlikely to be an effective strategy. It is standard forensics procedure to create multiple images of the drive beforehand.
Separate /boot Partition When FDE is used on the host, it is inadvisable to keep any unencrypted files on that same physical media. Those at high risk should move the /boot partition to a separate USB media and the bootloader (Grub) should also be installed on the separate USB. To read more on this subject, see Pwning Past Whole Disk Encryption [archive]. Article Full disk encryption, including /boot: Unlocking LUKS devices from GRUB [archive] might be helpful.
TRESOR Kernel Patch Another useful protection is the TRESOR [archive] kernel patch [archive], which keeps the disk encryption key outside of RAM by storing it inside the CPU. TRESOR does have several limitations. It is only available for the x86 architecture, and it complicates software debugging by disabling DR registers for security reasons. [29] Moreover, a specialized attacker who can reverse engineer hardware designs is also capable of extracting secrets held in processor caches or specialized chips like TPMs.
USBKill
  • USBKill [archive] is an anti-forensics script written in the aftermath of the SilkRoad trial. Its purpose is to trigger protection events that prevent adversaries from siphoning files, installing malware, or running a mouse jiggler. The script creates a white-list of allowable USB devices. If anything else is plugged into the machine, the RAM is erased and the computer is immediately shutdown.
  • USBKill can also be configured to exclude all devices from being attached. In another high-security configuration, a white-listed flash drive serves as a key, and must be in the USB port at all times. If the flash drive is forcibly removed, the program will initiate the desired routines. [30] [31]
Increase Costs of Brute-Force Attacks

Encryption software uses Password-Based Key Derivation Functions (PBKDF) to slow down access attempts and provide some protection against low-entropy passphrases. Higher wait times, or iterations, can often be used. Iteration values are low by default for impatient users and weak processors, also making systematic attempts to access such protected data much easier for unauthorized users. Choosing how long wait times should be should depend on how long you are willing to wait to access your own data and how long someone else should wait if they try. Computing power gets cheaper with time, so what works today might be weak in the future.

  • LUKS version 1 uses PBKDF2[32] and allows the option --iter-time (or -i) for the LuksFormat, LuksAddKey, and LuksChangeKey commands. Iter-time is measured in milliseconds, so ten seconds would look like:

$ sudo cryptsetup luksChangeKey --iter-time 10000 <device>

  • LUKS 2 (available with Debian Buster) added support for Argon2i/Argon2id [archive]. In addition to processor time, Argon2 iterations use RAM and can be multi-threaded, making it difficult for hash bruteforcing using graphics cards.[33]

Argon2 iterations will vary depending on environment.

$ sudo cryptsetup benchmark

will show you how many iterations could be made in a requested 2000 ms. To customize wait times, specify (with values) --pbkdf --pbkdf-force-iterations --pbkdf-memory[34] --pbkdf-parallel (number of threads) when using the LuksFormat command. Be aware that incorrect values can make wait times extremely long.

  • Veracrypt improved upon TrueCrypt's iterations when performing operations on volumes.

Advice for Solid-state Drives and USB Storage[edit]

Ambox warning pn.svg.png In the case of flash-based storage like solid-state drives (SSDs) and USBs, the only way to protect data is to never store it unencrypted in the first place!

Unlike hard-disk drives (HDDs), overwriting data on SSDs is no longer effective in wiping the disk. [35] [36] For instance, it is insecure to rely upon a fast erase mechanism by overwriting the header and key-slot area. [37]

The most dire potential consequence would that old passwords are not erased, and for a significant period. Consider the following concrete example: someone changes their computer password because they noticed it was exposed to shoulder-surfing or CCTV. On a SSD, the old password may still be retrievable. If so, it could be used to decrypt the master key and all data. Secure overwriting is only guaranteed with magnetic disks that use non-journaling filesystems.[38]

Wear-leveling mechanisms like TRIM also leak information about the filesystem that can aid forensics. [39] [40] [41] [42] [43] [44] It is strongly recommended to keep TRIM disabled (the default) during Linux LUKS-encrypted installations.

Gnome Disks Utility[edit]

Gnome Disks utility provides a convenient way to manipulate LUKS container passphrases (including the host's) and the overlying filesystems. Previously, it could not be relied upon for encryption because it used AES-128 as a hardcoded default [45] [46] (as of Debian stretch). However, this bug was fixed in Debian buster so it now provides adequate post-quantum security. For encrypting removable media refer to this guide.

To install it, run.

sudo apt install gnome-disk-utility

See Also[edit]

Footnotes[edit]

  1. https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm [archive]
  2. https://embeddedsw.net/doc/physical_coercion.txt [archive]
  3. https://www.schneier.com/blog/archives/2009/07/laptop_security.html [archive]
  4. https://evilzone.org/operating-system/plausible-deniability-in-qubes-os/msg86174 [archive]
  5. https://github.com/storaged-project/libblockdev/issues/416 [archive]
  6. https://github.com/vpodzime/libblockdev/commit/9dc4e2463860810cac5a1dbfb7064c47200260f6 [archive]
  7. https://security.stackexchange.com/questions/109981/how-can-i-extract-the-encrypted-master-key-from-luks-header [archive]
  8. https://unix.stackexchange.com/questions/254017/how-to-interpret-cryptsetup-benchmark-results [archive]
  9. https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption#Re-encrypting_an_existing_LUKS_partition [archive]
  10. https://jlk.fjfi.cvut.cz/arch/manpages/man/cryptsetup-reencrypt.8 [archive]
  11. https://asalor.blogspot.com/2012/08/re-encryption-of-luks-device-cryptsetup.html [archive]
  12. https://github.com/mhogomchungu/zuluCrypt/issues/113 [archive]
  13. https://crypto.stackexchange.com/questions/24022/luks-multiple-key-slots-whats-the-intuition [archive]
  14. https://en.wikipedia.org/wiki/Darik's_Boot_and_Nuke [archive]
  15. DBAN also warns:

    While DBAN is free to use, there’s no guarantee your data is completely sanitized across the entire drive. It cannot detect or erase SSDs and does not provide a certificate of data removal for auditing purposes or regulatory compliance. Hardware support (e.g. no RAID dismantling), customer support and software updates are not available using DBAN.

  16. https://superuser.com/questions/1168928/wipe-luks-partition-in-pre-boot/1177362 [archive]
  17. https://github.com/Lvl4Sword/Killer [archive]
  18. https://github.com/Lvl4Sword/Killer/issues/48 [archive]
  19. https://github.com/vianney/arch-luks-suspend/issues/7 [archive]
  20. https://blog.freesources.org/posts/2018/06/debian_cryptsetup_sprint_report/ [archive]
  21. https://blog.freesources.org//posts/2020/08/cryptsetup-suspend/ [archive]
  22. https://en.wikipedia.org/wiki/Magic_SysRq_key [archive]
  23. https://www.thegeekstuff.com/2008/12/safe-reboot-of-linux-using-magic-sysrq-key/ [archive]
  24. https://phabricator.whonix.org/T553 [archive]
  25. https://forums.whonix.org/t/fde-emergency-feature-testing-requested [archive]
  26. https://github.com/offensive-security/cryptsetup-nuke-keys [archive]
  27. In most emergency situations there will not be enough time to reboot the computer and enter the dead-man switch passphrase.
  28. https://security.stackexchange.com/a/119835 [archive]
  29. For example, this can be done quickly if the flash drive is attached to your wrist via a lanyard.
  30. See RFC 2898
  31. Argon2 on LUKS can use up to four threads, but will lower the number and/or memory if the computer being used can't meet requirements.
  32. The pbkdf-memory option is limited to 4194304 kilobytes. Memory is freed after the unlock operation.
  33. http://www.infosecisland.com/blogview/12153-Data-Remains-on-USB-and-SSDs-After-Secure-Erase.html [archive]
  34. https://www.theregister.co.uk/2011/02/21/flash_drive_erasing_peril/ [archive]
  35. cryptsetup FAQ - Section: 5.19 What about SSDs, Flash and Hybrid Drives? [archive]
  36. See 'shred' manual page
  37. https://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html [archive]
  38. https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29 [archive]
  39. https://wiki.archlinux.org/index.php/Solid_State_Drives#dm-crypt [archive]
  40. https://www.saout.de/pipermail/dm-crypt/2011-September/002019.html [archive]
  41. https://www.saout.de/pipermail/dm-crypt/2012-April/002420.html [archive]
  42. https://web.archive.org/web/20150122113644/http://forensic.belkasoft.com/en/ssd-2014 [archive]
  43. As tested by Whonix ™ developer HulaHoop.


Fosshost is sponsors Kicksecure ™ stage server 100px
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contribute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Full Disk Encryption&body=./Full_Disk_Encryption link=https://reddit.com/submit?url=./Full_Disk_Encryption&title=Full Disk Encryption link=https://news.ycombinator.com/submitlink?u=./Full_Disk_Encryption&t=Full Disk Encryption link=https://mastodon.technology/share?message=Full Disk Encryption%20./Full_Disk_Encryption&t=Full Disk Encryption

LIVE MODE: Host operating system or VM can be booted into Live Mode, using Host Live Mode or VM Live Mode.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.