LUKS Encryption: How Secure and Safe?

Here’s how secure and safe LUKS encryption is:

LUKS is very secure as far as full disk encryption options go; the cipher underneath it (AES, by default) is not the weak point.

It can encrypt an entire disk or partition, protecting all of the data stored there, if you set it up that way.

The biggest risk associated with LUKS is that the disk key is unlocked with a passphrase, so an easily-guessed passphrase undermines the encryption no matter how strong the cipher is.

So if you want to learn all about how secure and safe LUKS is exactly, then this article is for you.

Keep reading!

LUKS Encryption: How Secure and Safe? (Step-by-Step)

What Is LUKS Encryption? (In Plain English)

LUKS stands for Linux Unified Key Setup.

This is a full disk encryption (FDE) specification, and more precisely a standard on-disk format for an encrypted volume.

It was created in 2004 by Clemens Fruhwirth, and as you might have guessed, it was originally designed for Linux.

It's designed to secure the information on a disk so that even if the physical device is stolen, the contents are unreadable.

I’ll take you through what all of this means, but first, I should probably explain disks a little bit. 

In computing, a disk is anything that stores data persistently.

Disks can be physical (an SSD or hard drive) or virtual (a file or volume presented to the system as a disk), and they are where you store information that you want to be able to access later.

So, if you download a movie on your phone, the raw movie data is stored on a disk in your phone. 

If you write a paper for school, it’s stored on a disk on your computer. You get the idea.

So, full disk encryption is where the whole disk (or partition) is encrypted as one unit, at the block level, underneath the filesystem.

It means you can't read anything on the disk, not even the file names, unless you have the encryption key.

With that in mind, let’s get into what encryption really is and how it works so that all of this will be clearer.

How Does Encryption Work? (Step-by-Step)

So, how does encryption protect data?

It does so by running the data through a cipher with a secret key, producing ciphertext that is unreadable without that key.

The cipher is a fixed, public algorithm (AES, for example); everything secret lives in the key.

Given the same key, the cipher translates the ciphertext back into the original data whenever you want.

What does all of that mean?

Let’s break it down term by term. 

Encoding information into ciphertext really means running it through a cipher under a key so that it reads as nothing at all.

So, if we used the example line “How are you today,” then a ciphertext of that line would look completely different:

nIssP3KwTm6t7nO27b6MisafLAKQnMC+UDzq/

That random-looking line of letters and numbers is a piece of ciphertext. 

There’s no real way to know what it really means unless you have the key that can turn it back to our example text, “How are you today?” 

Keep in mind that this is just an example. 

The ciphertext for any data depends on the key, the cipher and a random starting value (an IV or nonce), so even the same sentence encrypted twice normally produces two different-looking outputs.

So, encryption makes your data unreadable, and you need the specific encryption key to ever make the data readable again. 

The encryption system handles all of this, and if someone steals or hacks your data but can't get the key for decoding it, all they have is gibberish.

That’s the essence of how encryption works, but there are many different ways to go about encrypting things. 

That’s a big topic, so let’s focus on the few that will matter for LUKS.

First, encryption can be symmetric or asymmetric.

Symmetric encryption uses one key for both encrypting and decrypting.

So, if you send files to another device with symmetric encryption, that other device needs the exact same key. Symmetric ciphers like AES are fast, which is why they do the heavy lifting for secure connections online and for disk encryption.

Asymmetric encryption uses a pair of keys: a public key anyone can use to encrypt, and a private key only the owner holds to decrypt.

This is much slower than symmetric encryption, so it is reserved for small jobs: agreeing on a session key, wrapping a symmetric key, or signing something.

It's not more secure than symmetric encryption; it solves a different problem, getting a key to someone you have never shared a secret with. LUKS has no such problem, since the only party unlocking your disk is you, so it is purely symmetric.

The other important measure of encryption has to do with bits.

The key for your cipher has a certain size, and that size sets how many keys an attacker would have to try in a brute-force search.

A larger key gives more margin, but only up to a point.

So, a 128-bit key already has far more possibilities than anyone can search, and a 256-bit key has that number squared.

Currently, 256-bit keys are the common default for commercial encryption and for LUKS. Keep in mind that the key size only counts if the key is genuinely random; a key derived from a short password is only as hard to guess as that password, no matter how many bits it is padded out to.

How Does Encryption Make Things Secure? (Simply Explained)

Now you have an idea of how encryption works, but how does it actually impact security? 

Can’t a computer just crack the code? 

Or, couldn’t someone steal the key? 

Is it even that important to encrypt data?

Let’s tackle that third question first. 

Encryption is important whenever sensitive data is on the line. 

The easiest example is credit card information. 

If you order something from Amazon, you have to supply credit card information. 

You would probably appreciate Amazon keeping that information from people who might try to steal your card info.

Encryption is how Amazon (and any other online retailer) goes about the process. 

They use a strong encryption method, so if anyone does steal transaction data from your device or Amazon servers, they only see that ciphertext. 

Without the key, they have no idea what your card number actually is.

As for stealing the key, modern protocols make that pretty difficult.

The keys are usually generated fresh for each session.

So, using the Amazon example, every connection to the store gets a unique session key.

For online purchases, the two sides agree on that session key using asymmetric cryptography (this is what TLS, the protocol behind the padlock in your browser, does), so the symmetric key itself is never sent in the clear.

On top of that, the temporary nature of the keys means that stealing them isn't really worth much.

By the time you could sort through stolen keys, they would no longer be relevant.

New keys would be protecting any new sensitive data.

And as for cracking the cipher itself, it's not a practical threat.

The ciphers in use today are designed so that the only realistic attack is brute force, and brute force isn't feasible with any computer that exists.

In order for a computer to break the encryption, it would have to guess at the key until it randomly gets the right sequence.

For a 256-bit key, there are 2^256 possible combinations (2 to the power of 256), roughly 1.2 x 10^77.

These are ridiculous numbers, and it's tough to put them into context.

If you have a powerful desktop computer, it would not be able to guess a single encryption key before the entire universe ends.

That's why nobody attacks the key directly. Real attacks go after where the key comes from (a password you can guess) or where it sits (a computer's memory while it is unlocked), and that is exactly the tradeoff to keep in mind with LUKS.

How Is LUKS Special as an Encryption Specification? (Pros & Cons)

I’ve taken you through some big concepts, but we need to get back to the original question. 

How secure is LUKS? What makes it special?

Well, to start with, LUKS itself is a container format; the actual cipher is chosen when you create the volume and recorded in its header. The cryptsetup default for new volumes is AES in XTS mode with a 512-bit key (XTS splits that into two 256-bit AES keys), which is symmetric encryption.

So, based on everything above, it's quite secure as far as encryptions go.

I also mentioned earlier that LUKS is a full disk encryption specification.

So, it encrypts everything on the disk or partition you format with it (usually your root and home partitions; /boot is often left in the clear so the bootloader can start), and it does so with good, strong methods.

But, a lot of encryption specifications use 256-bit symmetric encryption. 

What else is special about LUKS?

As the name suggests, it was originally designed for use with Linux, where before LUKS every tool and distribution encrypted disks with dm-crypt in its own incompatible way, with no standard header describing how.

Because of this, LUKS emphasizes compatibility: the volume carries its own standardized header describing how it was encrypted, so it can be opened the same way on any Linux system.

Basically, it lets you use one format across distributions, installers and tools, with whatever filesystem or volume manager you like on top.

This will make more sense when I explain the specific pros of using LUKS.

Pros of LUKS

The biggest pro of LUKS is that it is a standard. The header at the start of the volume records the cipher, mode, key size and key derivation settings, so any LUKS-aware tool (the cryptsetup command, distribution installers, GNOME Disks, the initramfs that unlocks your root partition at boot) can open a volume created by any other.

The second pro is the key slot design. The key that actually encrypts the disk is generated randomly and is never derived from your passphrase. Each of the header's key slots (8 in LUKS1, up to 32 in LUKS2) stores a copy of that key wrapped under a key derived from one passphrase or key file. That means several people, or a passphrase plus a key file, can unlock the same disk, and you can add, change or revoke a passphrase (cryptsetup luksAddKey, luksChangeKey, luksKillSlot) without re-encrypting a single byte of data.

Third, the passphrase is run through a deliberately slow key derivation function (PBKDF2 in LUKS1, Argon2id by default in LUKS2) before it is used, which makes every guess an attacker makes cost real time.

Finally, because LUKS works at the block level, it doesn't care what sits on top of it: any filesystem, LVM, swap or a database's raw partition all work the same way. To put this in the simplest terms, if you have a setup where file-level encryption tools can't work because of compatibility problems, LUKS will probably be just fine.

Cons of LUKS

The cons of LUKS are the same as any full disk encryption.

Everything on the disk is tied to a single master key, and that comes with two drawbacks.

First, the encryption is only as secure as that key.

When we went through the Amazon example earlier, you saw that short-lived session keys were part of what makes everything so secure.

LUKS, and any other full disk encryption specification, can't do this.

Instead, when the disk is encrypted, a random master key is generated, and that key stays the same for the life of the volume. Changing your passphrase only rewraps that key in a key slot; replacing the master key itself means re-encrypting the whole disk (cryptsetup's reencrypt command can do this, but it still rewrites every block). So if the master key is ever stolen, say lifted from memory while the machine is unlocked, the disk is compromised and changing the passphrase won't help. Full disk encryption protects a device that is powered off or sitting at the LUKS prompt; it does nothing for a running, unlocked system.

More importantly, an FDE key is usually unlocked with a passphrase or passcode, and anyone holding the stolen disk can try guesses against the LUKS header offline, as fast as their hardware allows, with nothing to lock them out.

Like anything you use online, your security is limited by the strength of your passphrase.

LUKS slows each guess down with its key derivation function, which is worth a lot against a decent passphrase, but it cannot rescue a weak one: a list of common passwords still gets tried in minutes or hours.

If you put a weak, easily-guessed passphrase into your LUKS encryption, it's not going to be able to protect you.

Anyone who steals the computer can just guess the passphrase, and then the encryption is worthless.

But, if you have a long, unique passphrase (or a key file kept on a separate device), then it's very difficult to crack through LUKS encryption.

The other con to understand is that encrypting a disk means protecting the information from anyone who doesn't have the key, and that includes you.

So, if you forget your passphrase, or the LUKS header at the start of the volume is damaged, you lose all of the encrypted data; there is no recovery back door by design. Keep a copy of the header (cryptsetup luksHeaderBackup) and a second passphrase or key file somewhere safe. That's the risk that comes with full disk encryption.
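The following Python script is an added example, not code from this article or from the LUKS/cryptsetup project. It models two things discussed above: a symmetric cipher turning the sample sentence into ciphertext that only the right key reverses (the ciphertext section earlier), and a LUKS-style header whose random master key is wrapped in several passphrase-protected key slots (the pros and cons sections), including the offline dictionary attack that recovers a weak passphrase while a strong one survives. Assumptions: the cipher is an HMAC-SHA256 counter-mode keystream standing in for the AES-XTS real LUKS uses, slot keys are derived with PBKDF2 (LUKS1's function; LUKS2 defaults to Argon2id) at a deliberately low iteration count, and the passphrases, word list and "disk contents" are constructed for the demo.

```python
"""Toy model of a LUKS-style encrypted volume (added example, not cryptsetup code).

Stand-ins, by assumption: an HMAC-SHA256 counter-mode keystream replaces AES-XTS,
PBKDF2-HMAC-SHA256 at a low iteration count replaces LUKS2's Argon2id, and the
passphrases, word list and disk contents below are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Optional

KDF_ITERS = 20_000       # assumption: low enough for the demo to run in seconds
MK_DIGEST_ITERS = 1_000  # LUKS also stores a PBKDF2 digest of the master key
NUM_SLOTS = 8            # LUKS1 header size; LUKS2 allows up to 32


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with HMAC-SHA256(key, nonce||counter).
    The same call both encrypts and decrypts; a wrong key yields garbage."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def derive_slot_key(passphrase: str, salt: bytes, iters: int) -> bytes:
    """Slow key derivation so every attacker guess costs `iters` hash rounds."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iters)


class ToyLuks:
    """One encrypted volume: random master key, the data, and passphrase key slots."""

    def __init__(self, plaintext_disk: bytes) -> None:
        self.master_key = os.urandom(32)  # random; never derived from a passphrase
        self.mk_salt = os.urandom(32)
        self.mk_digest = hashlib.pbkdf2_hmac("sha256", self.master_key, self.mk_salt, MK_DIGEST_ITERS)
        self.data_nonce = os.urandom(16)
        self.ciphertext = keystream_xor(self.master_key, self.data_nonce, plaintext_disk)
        self.slots: list = [None] * NUM_SLOTS

    def add_key(self, passphrase: str, iters: int = KDF_ITERS) -> int:
        """Wrap the master key under a new passphrase; the data is not touched."""
        slot = self.slots.index(None)  # ValueError once all slots are in use
        salt, nonce = os.urandom(32), os.urandom(16)
        wrapped = keystream_xor(derive_slot_key(passphrase, salt, iters), nonce, self.master_key)
        self.slots[slot] = (salt, iters, nonce, wrapped)
        return slot

    def kill_slot(self, slot: int) -> None:
        """Revoke one passphrase (like `cryptsetup luksKillSlot`); data unchanged."""
        self.slots[slot] = None

    def unlock(self, passphrase: str) -> Optional[bytes]:
        """Try every slot; the stored digest tells us whether the unwrap was right."""
        for entry in self.slots:
            if entry is None:
                continue
            salt, iters, nonce, wrapped = entry
            candidate = keystream_xor(derive_slot_key(passphrase, salt, iters), nonce, wrapped)
            digest = hashlib.pbkdf2_hmac("sha256", candidate, self.mk_salt, MK_DIGEST_ITERS)
            if hmac.compare_digest(digest, self.mk_digest):
                return candidate
        return None  # no slot accepted the passphrase

    def read_disk(self, passphrase: str) -> Optional[bytes]:
        master_key = self.unlock(passphrase)
        if master_key is None:
            return None
        return keystream_xor(master_key, self.data_nonce, self.ciphertext)


def guess_passphrase(volume: ToyLuks, wordlist) -> Optional[str]:
    """Offline dictionary attack: anyone holding the header can run this."""
    for guess in wordlist:
        if volume.unlock(guess) is not None:
            return guess
    return None


# Constructed demo inputs (assumptions, not real data).
DISK_CONTENTS = b"How are you today?"
WEAK_PASSPHRASE = "password"
STRONG_PASSPHRASE = "glacier-trombone-42-ledger-moth"
COMMON_PASSWORDS = ["123456", "qwerty", "password", "letmein", "dragon"]


def main() -> None:
    volume = ToyLuks(DISK_CONTENTS)
    weak_slot = volume.add_key(WEAK_PASSPHRASE)
    volume.add_key(STRONG_PASSPHRASE)
    print("ciphertext on disk:", volume.ciphertext.hex())
    print("unlocked with strong passphrase:", volume.read_disk(STRONG_PASSPHRASE))
    print("wrong passphrase:", volume.read_disk("wrong"))
    print("dictionary attack found:", guess_passphrase(volume, COMMON_PASSWORDS))
    volume.kill_slot(weak_slot)  # revoke the weak one; the strong slot still works
    print("after killing weak slot:", guess_passphrase(volume, COMMON_PASSWORDS),
          volume.read_disk(STRONG_PASSPHRASE))


if __name__ == "__main__":
    main()
```

Two details carry over to real LUKS: the attacker's cost per guess is set entirely by the key derivation parameters stored in the header, and killing a slot is a real revocation only for passphrases that were never used to copy the master key out; anyone who already unlocked the volume may still hold that key.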

Author

  • Theresa McDonough

    Tech entrepreneur and founder of Tech Medic, who has become a prominent advocate for the Right to Repair movement. She has testified before the US Federal Trade Commission and been featured on CBS Sunday Morning, helping influence change within the tech industry.