Disks under Linux are usually encrypted with LUKS, the Linux Unified Key Setup. Although LUKS was created in 2004, and although both attacks and the state of the art have advanced considerably since then, it has kept pace in terms of security thanks to a series of improvements and changes to the default settings. However, only newly created LUKS containers benefit from these automatically. The parameters of existing containers are not adjusted retroactively, which is why old containers are often configured suboptimally by today's standards.
Relevant improvements have recently been made to the key derivation functions (KDFs). As the name suggests, these functions derive the actual encryption key from a password. They deliberately consume as much computation and memory as possible in order to make brute-force and dictionary attacks harder: trying out masses of passwords becomes unbearably slow if each key derivation takes a second or two. The legitimate user, who usually enters only one (correct) password, is hardly bothered by that short wait.
Older LUKS containers use the key derivation function PBKDF2 (Password-Based Key Derivation Function 2). As with other KDFs, the amount of computation the function requires can be tuned by specifying how many iterations it must run internally. However, PBKDF2 needs very little RAM, so attackers can parallelize and accelerate their computations on graphics chips or specialized hardware, which reduces the protection the derivation function provides.
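To make the two points above concrete (the iteration count buys CPU time, but the working state of PBKDF2 stays tiny), here is a short Python illustration. It is an added example, not code from the article or from the cryptsetup project: it implements PBKDF2 from the RFC 8018 description, checks it against the standard library, and then shows a `calibrate_iterations` helper of my own design that mimics the idea behind cryptsetup's `--iter-time` option, i.e. choosing an iteration count so that one derivation takes about a second on the machine that will unlock the disk. Passwords, salts and parameter names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time


def pbkdf2_hmac_reference(hash_name: str, password: bytes, salt: bytes,
                          iterations: int, dklen: int) -> bytes:
    """PBKDF2 as written out in RFC 8018, section 5.2.

    The inner loop is a chain U_i = PRF(password, U_{i-1}), XORed together.
    Only the current U and the running XOR are kept, so the working state is
    two hash-sized buffers regardless of the iteration count.  That is why a
    higher count costs CPU time but not memory, and why an attacker can run
    many independent guesses side by side on a GPU.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    out = b""
    block = 1
    while len(out) < dklen:
        # U_1 = PRF(P, S || INT(block)); INT is a 4-byte big-endian counter
        u = hmac.new(password, salt + struct.pack(">I", block), hash_name).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += bytes(t)
        block += 1
    return out[:dklen]


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Cross-check the reference loop against hashlib's PBKDF2-HMAC-SHA256."""
    ours = pbkdf2_hmac_reference("sha256", password, salt, iterations, dklen)
    theirs = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)
    return ours == theirs


def derive_key(password: str, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """The path a real program should use: the standard library implementation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def calibrate_iterations(target_seconds: float = 1.0, min_iterations: int = 1000,
                         probe_iterations: int = 20000) -> int:
    """Pick an iteration count so that one derivation takes about target_seconds.

    Hypothetical helper modelled on the idea of cryptsetup's --iter-time: time a
    fixed probe, then scale linearly, because PBKDF2 cost is linear in the
    iteration count.  The floor guards against a mis-measured, tiny elapsed time.
    """
    salt = os.urandom(16)  # constructed, throwaway salt for the benchmark
    start = time.perf_counter()
    derive_key("benchmark-password", salt, probe_iterations)
    elapsed = time.perf_counter() - start
    if elapsed <= 0:
        return min_iterations
    scaled = int(probe_iterations * target_seconds / elapsed)
    return max(min_iterations, scaled)


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample salt
    print("reference matches hashlib:", matches_stdlib(b"correct horse", salt, 2000, 48))
    # Cost grows linearly with the iteration count; memory use does not grow at all.
    for iterations in (1000, 10000, 100000):
        start = time.perf_counter()
        derive_key("correct horse", salt, iterations)
        print(f"{iterations:>7} iterations: {time.perf_counter() - start:.3f} s")
    print("iterations for roughly 1 s on this machine:", calibrate_iterations())
```

The calibration only says something about the defender's CPU; an attacker who has copied the LUKS header runs the same loop on hardware of their choosing, and because each instance needs only a few dozen bytes of state, thousands of guesses fit on one graphics chip at once. On a real system, `cryptsetup luksDump` on the device shows which KDF and iteration count a keyslot actually uses.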