manage plain dm-crypt and LUKS encrypted volumes
NOTES ON PASSPHRASE PROCESSING FOR LUKS
LUKS uses PBKDF2 to protect against dictionary attacks and to
give some protection to low-entropy passphrases (see RFC 2898 and
the cryptsetup FAQ).
From a terminal
: The passphrase is read until the first newline
and then processed by PBKDF2 without the newline character.
From stdin
: LUKS will read passphrases from stdin up to the first
newline character or the compiled-in maximum key file length. If
--keyfile-size is given, it is ignored.
From key file
: The complete keyfile is read up to the compiled-in
maximum size. Newline characters do not terminate the input. The
--keyfile-size option can be used to limit what is read.
Passphrase processing
: Whenever a passphrase is added to a LUKS
header (luksAddKey, luksFormat), the user may specify how much
time the passphrase processing should consume. The time is
used to determine the iteration count for PBKDF2 and higher times
will offer better protection for low-entropy passphrases, but
open will take longer to complete. For passphrases that have
entropy higher than the used key length, higher iteration times
will not increase security.
The default setting of one or two seconds is sufficient for most
practical cases. The only exception is a low-entropy passphrase
used on a device with a slow CPU, as this will result in a low
iteration count. On a slow device, it may be advisable to
increase the iteration time using the --iter-time option in order
to obtain a higher iteration count. This does slow down all later
luksOpen operations accordingly.
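The following Python model is an added example, not cryptsetup code. It applies the terminal, stdin and key file reading rules above to the same bytes and shows why a key file written with a trailing newline does not unlock a slot created by typing the passphrase. The salt, iteration count, hash choice and maximum size are constructed values, and the function names are hypothetical.

```python
import hashlib

MAX_KEYFILE_SIZE = 8192 * 1024  # assumed stand-in for the compiled-in maximum
SALT = bytes(range(32))         # constructed salt, not taken from a LUKS header
ITERATIONS = 1000               # constructed; real counts are set via --iter-time


def from_terminal_or_stdin(data: bytes) -> bytes:
    """Read up to the first newline or the maximum length; the newline is dropped."""
    return data[:MAX_KEYFILE_SIZE].split(b"\n", 1)[0]


def from_keyfile(data: bytes, keyfile_size=None) -> bytes:
    """Read the whole file up to the maximum; newlines are ordinary key bytes."""
    limit = MAX_KEYFILE_SIZE
    if keyfile_size is not None:            # models --keyfile-size
        limit = min(limit, keyfile_size)
    return data[:limit]


def derive(passphrase: bytes) -> bytes:
    """PBKDF2 over exactly the bytes that were read."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, SALT, ITERATIONS, dklen=32)


def demo() -> dict:
    with_newline = b"correct horse\n"       # constructed: output of `echo`, or Enter
    return {
        "typed": derive(from_terminal_or_stdin(with_newline)),
        "keyfile_echo": derive(from_keyfile(with_newline)),
        "keyfile_size_13": derive(from_keyfile(with_newline, keyfile_size=13)),
        "keyfile_no_newline": derive(from_keyfile(b"correct horse")),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:20} {key.hex()[:16]}")
```

Only the key file that kept its newline derives a different key; limiting the read with --keyfile-size or writing the file without a newline matches the typed passphrase.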