91

How secure is the encryption offered by ubuntu (using the disk utility)? What algorithm is used underneath it?

If someone could at least provide a link to some documentation or article regarding that I would be very grateful.

Reference:

enter image description here

Martin Schröder
  • 259
  • 1
  • 2
  • 16
Jonnathan Soares
  • 1,021
  • 1
  • 8
  • 7
  • 6
    Like @BradChamberlin said in his answer below, it uses AES-256 (when XTS mode is in use, the key size might be 512-bit, and later split into two 256-bit keys). But depending on your kernel build, sector sizes, encrypted volume size,... advanced modes of operation supported by Ubuntu ([ESSIV, XTS, and LRW](https://en.wikipedia.org/wiki/Disk_encryption_theory)) can vary, and with it the actual security of such full-disk encryption. If you could run this command: `# cryptsetup luksDump /dev/sda5` and include your results, you might get more to your exact case relevant answers. Thanks! – TildalWave Jul 22 '13 at 05:15
  • @TildalWave probably too late now but I'll ask. the output of the command you mentioned is below. is it AES256? `LUKS header information for /dev/nvme0n1p3 Version: 1 Cipher name: aes Cipher mode: xts-plain64 Hash spec: sha256 Payload offset: 4096 MK bits: 512 MK salt: c5 9d 4c 49 a9 ae aa b8 07 18 d3 37 2b 90 4f c1 36 64 02 f0 8e 4e 34 49 70 a9 be ab f5 aa 41 32 MK iterations: 145473 UUID: 377c50cd-b0a1-41bb-93cc-570a7ae99756 Key Slot 0: DISABLED Key Slot 1: ENABLED Iterations: 2016492` – asgs Mar 17 '22 at 10:49

2 Answers2

107

In a word: sufficient.

This is block-level encryption, so it is filesystem-independent.

Ubuntu's transparent encryption is done through dm-crypt using LUKS as the key setup. The built-in default for cryptsetup versions before 1.6.0 is aes-cbc-essiv:sha256 with 256-bit keys. The default for 1.6.0 and after (released 14-Jan-2013) is aes-xts-plain64:sha256 with 512-bit keys.

For older versions of cryptsetup:

  • AES you certainly know; it's about as good a cipher as you could want.
  • CBC is the chaining mode; not horrible but certainly not what I would pick for new projects: it has several issues but it can be used securely.
  • ESSIV ("Encrypted salt-sector initialization vector") allows the system to create IVs based on a hash including the sector number and encryption key. This allows you to jump straight to to the sector you want without resorting to predictable IVs, and therefore protects you from watermarking attacks.
  • SHA-256 is the hashing algorithm used for key derivation. LUKS uses PBKDF2 to strengthen the key for (by default) a minimum of 1000 iterations or 1/8 second, whichever is more. On a fast computer, expect around 200,000 iterations. With respect to security, you couldn't ask for a better arrangement.

And with newer versions of cryptsetup:

  • XTS is counter-oriented chaining mode. It's an evolution of XEX (actually: "XEX-based tweaked-codebook mode with ciphertext stealing"), while XEX ("xor-encrypt-xor") is a non-trivial counter-based chaining mode; neither of which I can claim to completely understand. XTS is already very widely supported and looks promising, but may have issues. The primary important details are these: No fancy IVs are necessary (plain or plain64 is fine), and half of your key is used by XTS, meaning your original key must be twice as long (hence 512-bit instead of 256-bit).
  • PLAIN64 is an IV generation mechanism that simply passes the 64-bit sector index directly to the chaining algorithm as the IV. plain truncates that to 32-bit. Certain chaining modes such as XTS don't need the IV to be unpredictable, while modes like CBC would be vulnerable to fingerprinting/watermarking attacks if used with plain IVs.

Other options not used by default

  • LRW has been largely replaced by XTS because of some security concerns, and is not even an option for most disk encryption products.
  • benbi calculates a narrow-width block count using a shift register. It was built with LRW mode in mind.

Altogether, this makes for a pretty tight system. It isn't the absolute best system theoretically possible, but it's pretty close. You should be able to trust it in any reasonable circumstances as long as your password is sufficient. Your attacker will almost certainly choose brute-forcing the password as his preferred attack method.

tylerl
  • 82,665
  • 26
  • 149
  • 230
  • 7
    +1 but to be fair, this is explaining probably the most common setup with `aes-cbc-essiv:sha256`, but then there are also other possible [advanced encryption modes](https://help.ubuntu.com/community/EncryptedFilesystemLVMHowto#Advanced_Encryption_Modes) (`XTS`, `LRW`), key sizes (256, 384, 512) and IV generation algorithms (`plain`, `plain64`, `benbi` - the 64-bit "big-endian 'narrow block'-count", starting at 1, `ESSIV`), thus my comment to OP asking for clarification which specific mode he has in mind. If you know about advantages and disadvantages of these too, I'd appreciate it. Cheers! ;) – TildalWave Jul 22 '13 at 06:10
  • 1
    @TildalWave the common setup was picked because it's the *default* on recent Ubuntu machines; it's what you get when you click the little checkbox without making any customization. Unless you really know what you're doing, you **will** end up with `aes-cbc-essiv:sha256`. – tylerl Jul 22 '13 at 06:25
  • 1
    @TildalWave I added some more info about the other chaining modes and IV selection methods you mentioned. Though my knowledge is somewhat limited. I would rather hear it from someone like Thomas Pornin. – tylerl Jul 22 '13 at 06:50
  • Oh great, thanks! It's a nice canonical answer now, that you might wanna link to in those [Ubuntu.se] answers, too. I wish I could upvote again! :) – TildalWave Jul 22 '13 at 07:31
  • 2
    *"The built-in default is to use AES-CBC-ESSIV with SHA256."* <-- for 12.04 and below this is. Ubuntu 12.10 and up uses AES-XTS with a 512 bit key. See also http://askubuntu.com/a/228451/88802 – gertvdijk Jul 22 '13 at 11:12
  • @gertvdijk - Technically, you enter 512-bit value that is later split into two 256-bit keys. And the XTS mode comes with [certain security issues](https://en.wikipedia.org/wiki/Disk_encryption_theory#Issues_with_XTS) of its own, on top of sector size constraints. Just wanted to point this out so there's no confusion over "bigger is better". ;) – TildalWave Jul 22 '13 at 12:10
  • Added a bit more detail for additional clarity. – tylerl Jul 22 '13 at 18:05
  • Beyond ‘features list’, it would be nice to know, if there are through code reviews of the actual thing (as TrueCrypt and VeraCrypt habe seen)... –  Nov 21 '16 at 08:39
  • The default (at least nowadays) is aes-xts-plain64, not aes-xts-plain64:sha256, although the difference is moot, as the hash is ignored for aes-xts-plain64 – Remember Monica Nov 24 '18 at 19:01
  • "Your attacker will almost certainly choose brute-forcing the password as his preferred attack method." Or more probably hitting you with a 5$ wrench until you give the password https://xkcd.com/538/ – Pierre.Sassoulas Feb 25 '20 at 09:02
4

According to the following link, and other sources I have read elsewhere, the default encryption used by Ubuntu for full disk encryption is AES-256: How secure is an encrypted LUKS filesystem?

  • AES-256 is only one aspect, and it's the one that most people do get right thanks to the ubiquity of AES. Far more important bits are what mode is used and how the key is derived from the password. – Gilles 'SO- stop being evil' Feb 03 '18 at 21:14