Linux

1806 readers

1 users here now

Everything about Linux

RULES

Be nice to each other.
No memes or pictures of Linux in the wild.

founded 1 year ago

MODERATORS

[email protected]

PSA: Upgrade your LUKS PBKDF to Argon2id! (tails.boum.org)

submitted 1 year ago by [email protected] to c/[email protected]

6 comments fedilink hide all child comments

TIL the French government may have broken encryption on a LUKS-encrypted laptop with a "greater than 20 character" password in April 2023.

https://nantes.indymedia.org/posts/87395/une-lettre-divan-enferme-a-la-prison-de-villepinte-perquisitions-et-disques-durs-dechiffres/

When upgrading TAILS today, I saw their announcement changing LUKS from PBKDF2 to Argon2id.

https://tails.boum.org/security/argon2id/index.en.html

The release announcement above has some interesting back-of-the-envelope calculations for the wall-time required to crack a master key from a LUKS keyslot with PBKDF2 vs Argon2id.

And they also link to Matthew Garrett's article, which describes how to manually upgrade your (non-TAILS) LUKS header to Argon2id.

https://mjg59.dreamwidth.org/66429.html

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 3 points 1 year ago (1 children)

I don't use LUKS because I found it to be too much trouble, but if they broke the crypto on LUKS doesn't that mean a lot of shit out there is vulnerable and not just LUKS encrypted hard drives?

[–] [email protected] 1 points 1 year ago (1 children)

LUKS is not broken. An old KDF option in LUKS for encrypting the master encryption key in a keyslot is just old and less safe than newer, better KDF options.

[–] [email protected] 5 points 1 year ago (2 children)

The article is almost 70 days old, and Clemens Fruhwirth, one of the creators of LUKS, has responded:

A random keyboard typable character gives you around 6 bits of entropy. 20 of those give you 120 bits of entropy. Even without a KDF, brute-forcing this key space is infeasible with today's hardware. Even with PBKDF2, a 13-character password should be enough to keep your data secure for your lifetime.[1]

It is much more likely that there was some security failure in the linked case other than PBKDF2. That said, I support the upgrade to Argon2.

[1] In my thesis on LUKS, Chapter 5.3 Passwords from entropy weak sources anticipates the creation of specialized hardware for breaking PBKDF2. The "13 characters should be enough" advice is found on Page 86, Table 5.4, top left cell. It gives a 78-bit recommendation (=13 characters) in the worst-case scenario, which is Moore's law continues to double the attacker speed every 2 years.

It doesn't seem like it's such a big deal.

[–] [email protected] 1 points 1 year ago

Yep, a 10 Diceware word passphrase is just as secure as a 128-bit encryption key, even if only HKDF were used instead of a password-based KDF. Key stretching matters when you have weak passphrases, and even Argon2 only adds a few bits of effective entropy with reasonable difficulty factors.

[–] [email protected] 1 points 1 year ago (1 children)

can you please link to the source with Fruhwirth's response?

[–] [email protected] 4 points 1 year ago

https://www.reddit.com/r/linux/comments/12q51ce/comment/jgpvsqc/?utm_source=share&utm_medium=web2x&context=3