How to determine what ciphers & cipher modes I can use in dm-crypt/LUKS

Tags: disk-encryption, dm-crypt, encryption, luks

I'm using an Ubuntu-based system, and I'm having difficulty determining what ciphers and cipher modes are available to me.

The cryptsetup man page says:

"See /proc/crypto for a list of available options. You might need to load additional kernel crypto modules in order to get more options."

My /proc/crypto has very little in it. How do I find out which extra kernel crypto modules are available for me to load?

Best Answer

There are many, many documents and man pages to read through, but one document that might particularly interest you is the LUKS On-Disk Format Specification (PDF).

Appendix B (which is, naturally, near the end) says,

Cipher and Hash specification registry

Even if the cipher-name and cipher-mode strings are not interpreted by any LUKS operation, they must have the same meaning for all implementations to achieve compatibility among different LUKS-based implementations. LUKS has to ensure that the underlying cipher system can utilise the cipher name and cipher mode strings, and as these strings might not always be native to the cipher system, LUKS might need to map them into something appropriate.

Valid cipher names are listed in Table 1.

Valid cipher modes are listed in Table 2. By contract, cipher modes using IVs and tweaks must start from the all-zero IV / tweak. This applies for all calls to the encrypt / decrypt primitives especially when handling key material. Further, these IVs / tweaks cipher modes usually cut the cipher stream into independent blocks by reseeding tweaks / IVs at sector boundaries. The all-zero IV / tweak requirement for the first encrypted / decrypted block is equivalent to the requirement that the first block is defined to rest at sector 0.

Table 3 lists valid hash specs for hash-spec field. A compliant implementation does not have to support all cipher, cipher mode or hash specifications.

Table 1: Valid cipher names

  • aes - Advanced Encryption Standard - FIPS PUB 197
  • twofish - Twofish: A 128-Bit Block Cipher - http://www.schneier.com/paper-twofish-paper.html    (See below)
  • serpent - http://www.cl.cam.ac.uk/~rja14/serpent.html
  • cast5 - RFC 2144
  • cast6 - RFC 2612

Table 2: Valid cipher modes

  • ecb - The cipher output is used directly
  • cbc-plain - The cipher is operated in CBC mode. The CBC chaining is cut every sector, and reinitialised with the sector number as initial vector (converted to 32-bit and to little-endian). This mode is specified in [Fru05b], Chapter 4.
  • cbc-essiv:hash - The cipher is operated in ESSIV mode using hash for generating the IV key for the original key. For instance, when using sha256 as hash, the cipher mode spec is “cbc-essiv:sha256”. ESSIV is specified in [Fru05b], Chapter 4.
  • xts-plain64 - http://grouper.ieee.org/groups/1619/email/pdf00086.pdf, plain64 is the 64-bit version of the plain initial vector

Table 3: Valid hash specifications

  • sha1 - RFC 3174 - US Secure Hash Algorithm 1 (SHA1)
  • sha256 - SHA variant according to FIPS 180-2
  • sha512 - SHA variant according to FIPS 180-2
  • ripemd160 - http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html   (See below)

Editor’s Note: The above is copied from the specification. Subsequent to its writing, these documents’ URLs have changed:
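The spec tables above tell you which names LUKS recognises; they do not tell you what your running kernel can actually back. The script below is an added example (it is not part of the question, the answer, or cryptsetup itself) that reads a /proc/crypto listing and, for every cipher/mode pair from Tables 1 and 2 and every hash from Table 3, reports whether a matching kernel algorithm is registered. The /proc/crypto content embedded in it is constructed sample input with illustrative driver and module names, not a capture from a real machine; on a real system run it against /proc/crypto instead. The ripemd160 to rmd160 mapping mirrors what cryptsetup's kernel backend does, since the kernel registers that hash under the name rmd160.

```shell
#!/bin/sh
# Added example: check a /proc/crypto listing against the LUKS1 spec's
# cipher, mode and hash registries. Not part of cryptsetup.

# Constructed sample /proc/crypto, mimicking a kernel where only aes,
# xts(aes), sha256 and sha1 are currently registered. Driver/module
# names are illustrative.
sample_proc_crypto() {
    cat <<'EOF'
name         : xts(aes)
driver       : xts-aes-aesni
module       : kernel
priority     : 401
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher
async        : yes
blocksize    : 16
min keysize  : 32
max keysize  : 64
ivsize       : 16

name         : aes
driver       : aes-aesni
module       : aesni_intel
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : sha256
driver       : sha256-generic
module       : sha256_generic
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 32

name         : sha1
driver       : sha1-generic
module       : sha1_generic
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 20
EOF
}

# Print "type name driver" for every blank-line-separated record in FILE.
crypto_algs() {
    awk -F' *: *' '
        $1 == "name"   { name = $2 }
        $1 == "driver" { drv  = $2 }
        $1 == "type"   { typ  = $2 }
        /^ *$/ { if (name != "") print typ, name, drv; name = drv = typ = "" }
        END    { if (name != "") print typ, name, drv }
    ' "$1"
}

# Succeed and print the driver if an algorithm named NAME (e.g. "aes",
# "xts(aes)", "sha256") is registered in FILE; fail otherwise.
alg_driver() {
    crypto_algs "$1" | awk -v want="$2" '
        $2 == want { print $3; found = 1; exit }
        END        { exit !found }'
}

# LUKS hash names are not always the kernel's; cryptsetup maps ripemd160
# to the kernel's rmd160, so do the same here.
kernel_hash_name() {
    case $1 in
        ripemd160) echo rmd160 ;;
        *)         echo "$1" ;;
    esac
}

# Walk the spec's Table 1 x Table 2 (block-mode part only: the plain,
# plain64 and essiv IV generators belong to dm-crypt, not to /proc/crypto)
# and Table 3, reporting what the kernel has registered right now.
luks_check() {
    file=$1
    for cipher in aes twofish serpent cast5 cast6; do
        for mode in ecb cbc xts; do
            if drv=$(alg_driver "$file" "$mode($cipher)"); then
                echo "$cipher-$mode: ready ($drv)"
            elif drv=$(alg_driver "$file" "$cipher"); then
                echo "$cipher-$mode: cipher present ($drv); $mode($cipher) is instantiated on first use"
            else
                echo "$cipher-$mode: missing; no '$cipher' registered, look under /lib/modules/\$(uname -r)/kernel/crypto for a module to modprobe"
            fi
        done
    done
    for hash in sha1 sha256 sha512 ripemd160; do
        kname=$(kernel_hash_name "$hash")
        if drv=$(alg_driver "$file" "$kname"); then
            echo "$hash: ready ($drv)"
        else
            echo "$hash: missing; no '$kname' registered, look under /lib/modules/\$(uname -r)/kernel/crypto for a module to modprobe"
        fi
    done
}

# Demo on the constructed sample. On a real machine: luks_check /proc/crypto
sample=$(mktemp)
sample_proc_crypto > "$sample"
luks_check "$sample"
rm -f "$sample"
```

Two caveats when reading the output on a real box. First, a short /proc/crypto does not by itself mean a cipher is unavailable: the kernel registers mode/cipher combinations such as xts(aes) lazily, when something first asks for them, and it will request_module the cipher and the mode template on demand, so a bare "aes" entry is enough for aes-xts-plain64 to work; running `cryptsetup benchmark` exercises the common combinations through the kernel API and makes them appear. Second, a cipher that is not registered at all and has no module under /lib/modules/$(uname -r)/kernel/crypto (or arch/*/crypto) is simply not built for that kernel, and no string in Table 1 will conjure it. For cbc-essiv:hash, both cbc(cipher) and the hash named after the colon must be usable.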
