5

It is clear that when a LUKS disk is mounted and the password/key has been provided, the contents are decrypted. I am wondering if unmounting the disk is sufficient to encrypt the contents again, or if the disk needs to be unmounted and powered off/unplugged for this to happen. Further, would the host computer need to be powered off to purge the key from memory?

I can’t think of any reason a simple unmount wouldn’t work, but I’m not able to find a clear answer. Much of the available literature deals with LUKS encrypted internal drives, where the obvious answer is to turn the computer off to render the contents encrypted again. However, this would unmount the disk, power it off, and power off the host computer, so I’m wondering which of those three steps is the point at which the contents are again encrypted.

1
  • 5
    "It is clear" - it might be helpful for the question (and any in future with the same question) if you could clarify that statement to say where this belief might have come from, or how it might be arrived at as a conclusion. Commented yesterday

4 Answers

26

The data on disk in a LUKS volume using encryption is always stored encrypted; there is never a time when the data is stored in decrypted form on-disk. Decryption happens on the fly as data is read from the volume, and encryption happens on the fly as data is written to the volume.

This ensures that data is safe on disk even if the disk is extracted while the system is running.

1
  • As a note: this is called OTFE (On-The-Fly Encryption). Truecrypt and Veracrypt use this technique. Commented yesterday
18

The contents of the disk are always encrypted.

When you supply LUKS with the encryption key what happens is that when the OS tries to read from the mounted volume the LUKS driver will read the encrypted data, unencrypt it in memory, then provide the results to the OS. Similarly when the OS tries to write to the disk the LUKS driver will encrypt the data and write that to the disk.

So at all times the data on disk is encrypted.

So what we need to concern ourselves with is the persistence of the key in memory.

Because the LUKS encryption is done at a lower layer, typically a umount won't remove the key.

So, for example if you do

# cryptsetup luksOpen /dev/xvdc mydisk
# mount /dev/mapper/mydisk /mnt
... do stuff
# umount /mnt

Now the LUKS volume is still open and the key is still in memory. So you can do the mount command again.

For example:

# cryptsetup luksOpen testfile test
Enter passphrase for testfile:
# mount /dev/mapper/test /mnt
# touch /mnt/afile
# ls /mnt
afile  lost+found/
# umount /mnt
# mount /dev/mapper/test /mnt
# ls /mnt
afile  lost+found/
# umount /mnt

However if you do a luksClose then the key is removed and you have to do a luksOpen again and resupply the key.

# cryptsetup luksClose test
# mount /dev/mapper/test /mnt
mount: /mnt: fsconfig() failed: /dev/mapper/test: Can't lookup blockdev.
       dmesg(1) may have more information after failed mount system call.
# cryptsetup luksOpen testfile test
Enter passphrase for testfile:

A reboot is not needed, just a luksClose.

9

The contents of the disk are always encrypted. Data from the disk is decrypted only when read from the mapped LUKS device -- if you look at the devices on your system, you'll see a new crypt device (by default named luks-<UUID>) "on top" of your encrypted device:

└─nvme0n1p3                                     259:3    0 892,7G  0 part
  └─luks-dfcda59b-1322-4705-bb04-e09a72b2d678   252:0    0 892,7G  0 crypt

When data is read from this device, the system reads the encrypted data from the underlying partition and decrypts it before returning.

When the system is running, to fully disable the access to the data, unmounting is not enough, you need to close the LUKS mapping using cryptsetup close <device>. This happens automatically during shutdown. If you select the eject option in your GUI file manager it also first closes the mapping.
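The two answers above make the same operational point: after umount the dm-crypt mapping is still open and the volume key is still held by the kernel until cryptsetup close (luksClose) is run. The following script is an added example, not code from either answerer, that turns that point into a check a defender can run: it parses lsblk output in KEY="value" form (lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT) and lists every crypt device that neither is mounted itself nor has any mounted descendant (LVM volumes, swap), i.e. mappings whose key is live in memory while nothing uses them. The embedded sample output, its device names and UUIDs are constructed for the example; pass --live to run it against the real lsblk instead.

```shell
#!/bin/sh
# Added example (not from the answers above): report dm-crypt mappings that are
# still open although no filesystem on them is mounted. Such a mapping still
# holds its volume key in kernel memory; `cryptsetup close <name>` releases it.

# Print, one per line and sorted, the names of crypt devices on which neither the
# device itself nor any descendant (LVM LV, swap, nested mapping) is mounted.
# $1 is lsblk output in `lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT` form.
find_idle_crypt_mappings() {
    printf '%s\n' "$1" | awk '
    # Return the value of KEY="..." from one lsblk -P line ("" if absent).
    # A leading space is prepended so that NAME does not match inside PKNAME.
    function field(line, key,    s) {
        line = " " line
        if (match(line, " " key "=\"[^\"]*\"")) {
            s = substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
            return s
        }
        return ""
    }
    NF > 0 {
        name = field($0, "NAME")
        type[name] = field($0, "TYPE")
        parent[name] = field($0, "PKNAME")
        mp = field($0, "MOUNTPOINT")
        # A mounted filesystem (lsblk shows "[SWAP]" for active swap) keeps every
        # ancestor busy, including any crypt mapping it sits on. Walk up the
        # parent chain and mark them; stop early at an already-marked node.
        if (mp != "") {
            for (n = name; n != "" && !(n in busy); n = parent[n]) busy[n] = 1
        }
    }
    END {
        for (n in type)
            if (type[n] == "crypt" && !(n in busy)) print n
    }' | sort
}

# Constructed sample in `lsblk -P` form. sda carries LUKS with LVM on top (root and
# swap, in use); sdb is an external LUKS disk that was umounted but never closed;
# sdc carries a LUKS volume that is still mounted. All names and UUIDs are made up.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot"
NAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT=""
NAME="luks-11111111-2222-3333-4444-555555555555" TYPE="crypt" PKNAME="sda2" MOUNTPOINT=""
NAME="vg0-root" TYPE="lvm" PKNAME="luks-11111111-2222-3333-4444-555555555555" MOUNTPOINT="/"
NAME="vg0-swap" TYPE="lvm" PKNAME="luks-11111111-2222-3333-4444-555555555555" MOUNTPOINT="[SWAP]"
NAME="sdb" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" PKNAME="sdb" MOUNTPOINT=""
NAME="luks-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" TYPE="crypt" PKNAME="sdb1" MOUNTPOINT=""
NAME="sdc" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sdc1" TYPE="part" PKNAME="sdc" MOUNTPOINT=""
NAME="backup" TYPE="crypt" PKNAME="sdc1" MOUNTPOINT="/mnt/backup"'

# With --live, inspect the running system; otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ] && command -v lsblk >/dev/null 2>&1; then
    input=$(lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT)
else
    input=$SAMPLE_LSBLK
fi

idle=$(find_idle_crypt_mappings "$input")
if [ -n "$idle" ]; then
    echo "Open crypt mappings with no mounted filesystem (volume key still in kernel memory):"
    printf '%s\n' "$idle" | while IFS= read -r name; do
        echo "  $name   -> release the key with: cryptsetup close $name"
    done
else
    echo "No idle crypt mappings found."
fi
```

On the sample only the external disk's mapping is reported: the root mapping is kept busy by its mounted LVM volumes and swap, and the backup mapping is mounted directly. The check deliberately treats "[SWAP]" as a mount point, since an unmounted-looking mapping backing active swap is very much in use.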

8

The data on the disk remains encrypted. Have a look at the first paragraph of this Fedora guide to LUKS encryption:

Block device encryption encrypts/decrypts the data transparently as it is written/read from block devices, the underlying block device sees only encrypted data.

The "underlying block device" is what your question and this answer call "the disk".

Re-phrasing the statement in the guide: the data on the disks stay encrypted. Decryption happens when the Linux kernel reads a block of data from the disk into a buffer area in RAM, and the decrypted contents are passed to the running program which asked for the contents. Writes happen the other way around - a running program makes a write() call with a buffer of contents it wants to put on the disk, and the Linux kernel encrypts the contents of the buffer and writes the encrypted data onto the disk.

The transformation from encrypted data to decrypted data (and vice versa) happens in RAM, mediated by the Linux kernel.
