Due to its volume all content related to Linux Unified Key Setup (LUKS) has been moved to a separate project website.

This work investigates the state of the art in hard disk cryptography. As the choice of the cipher mode is essential for the security of hard disk data, we discuss the recent cipher mode developments at two standardisation bodies, NIST and IEEE. It is a necessity to consider new developments, as the most common cipher mode -- namely CBC -- has many security problems. This work devotes a chapter to the analysis of CBC weaknesses.

Next to others, the main contributions of this work are (1) efficient algorithms for series of multiplications in a finite field (Galois Field), (2) analysis of the security of password-based cryptography with respect to low entropy attacks and (3) a design template for secure key management, namely TKS1. For the latter, it is assumed that key management has to be done on regular user hardware in the absence of any special security hardware like key tokens. We solve the problems arising from magnetic storage by introducing a method called anti-forensic information splitter.

This work is complemented by the presentation of a system implementing a variant of TKS1. It is called LUKS and it was developed and implemented by the author of this work.

• [A4 twoside version]
• [A4 oneside version]
• [US Letter twoside version]
• [US Letter oneside version]

This paper sketches the problems connected with usual hard disk encryption setups. It introduces the reader to PBKDF2, a password based key derive function, which provides better resistance against brute force attacks based on entropy weak user passwords. It proposes to use a two level hierarchy of cryptographic keys to provide the ability to change passwords and drafts solutions to the key storage problem arising when using two levels of cryptography due to the fact, that given the abilities of recent forensic data recovery methods, data can't be destroyed on magnetic storage media reli,ably.

• Paper

This document was moved to the LUKS website.

Guide for migration old cryptoloop setups to Linux 2.6.

The AFsplitter supports secure data destruction crucial for secure on-disk key management. The key idea is to bloat information and therefor improving the chance of destroying a single bit of it. The information is bloated in such a way, that a single missing bit causes the original information become unrecoverable. The theory behind AFsplitter is presented in TKS1.

• Code

Encrypted Sector Salt Initialization Vector, short ESSIV derives from the equation E(Sector|Salt) = IV. To get an idea what ESSIV is about see my brief ESSIV description. Update: this patch has been merged in 2.6.10, in a little bit different form. Just upgrade to 2.6.10 to get ESSIV.

• obsolet patch

an ioctl call tracker to extract key and key size from weird patched losetup binaries.

• Code