r9e.de - Blog - multi-luks
RDF | HTML | Text | RSS


The Problem

If you have multiple partitions or discs you want to encrypt using LUKS, you basically have two possibilities: You can encrypt every device using a different passphrase, or you can use the decrypt_derived script provided by LUKS. Both solutions have several drawbacks.

When you use a different passphrase for each device, you have to type each password everytime you want to open the devices, which will be very inconvenient when you have five or even more devices.

In LUKS you have two different keys. On the one hand you have the passphrases, on the other hand the master key. The master key is used to encrypt the actual data. It is generated randomly when creating a LUKS partition. The master is encrypted using the passphrase and stored in the LUKS header at the beginning of the device. When you enter your passphrase LUKS decrypts the master key and uses this key to decrypt the actual data. This design makes it possible to have multiple passphrases for the same partition and to change the passphrase without reencrypting the whole data.

When you use decrypt_derived you have to encrypt your first device simply using a passphrase. The second device uses the master key of the first device as passphrase, so you only have to enter the passphrase of the first device and all other devices are decrypted in a chain using the master key of the previous device. This approach has several drawbacks. You have two possible keys you can attack when you want to break a LUKS encrypted device. First you can attack the passphrase. If you want to decrypt multiple devices using only one passphrase this will of course break all discs at once. Second you can attack the master key used to encrypt the actual data. When decrypt_derived is used, all devices following the breaked device in the decryption chain, will be broken, because an attacker simply needs to decrypt the following devices using the cracked key. Another drawback of decrypt_derived is, that you need the master key of all preceding devices to decrypt one device. If your first hard disc fails you can't access the data of all other discs, because you can't decrypt them any longer. This is not acceptable for my usecase. You could use an additional key slot on every partition to encrypt the master key using a real passphrase, but than you have much more passphrases you have to remember and more passphrases a potentional attacker could try to break.

All in all, neither encrypting every device using a different passphrase, nor using decrypt_derived, is an optimal solution.

The Design Of multi-luks

I talked to Jakob Westhoff about this and both of us wanted a better solution for the problem. If I remember correctly Jakob came up with the idea for the final design of multi-luks. The principle of multi-luks is very simple. After you entered your passwored, it is hashed multiple times, using different algorithms and salts, before the resulting hash is used as the passphrase for the first device. Then the passphrase for the first device is hashed multiple times again and the resulting hash is the passphrase for the second device and so forth.

This approach has several advantages over decrypt_derived. If you break the master key of one device you only have access to the data on this device and can not use the key to decrypt other devices.

In addition you can decrypt every dics without needing access to the other discs. So if one disc is broken you can still decrypt the data of all other discs.

multi-luks is a BASH-script, which you can find on github. You will also find there instructions, how to install, configure and use multi-luks.

You need some sort of config file to define how often multi-luks should hash your passphrase and which algorithms and salts it should use. This config file is very important, because you can no longer access your data if you loose this config file, so you should make good backups of this file. But this makes it also much harder to attack your encryption, if the attacker has no access to this config file. If your configuration is sufficiently complex it will be very hard to break other discs if you have the passphrase of one disc.


When you want to hash your password more than a dozen times using the same algorithm and salt, the script is rather slow, because it calls the openssl executable in each iteration to calculate the actual hash. This caused me to write multi-hash, a small C++ application which calculates multiple iterations using the same hashing algorithm. It also uses openssl to calculate the actual hashes.

While the shell implementation took nearly 3 minutes on my notebook to hash a passphrase 10 000 times using sha1 and a salt, multi-hash can even hash it 1 000 000 times in less than a second. If you compile multi-hash and place it in your PATH, it will automatically be used by multi-luks, otherwise the pure BASH implementation is used..



Add new comment

Fields with bold names are mandatory.