Weak cryptographic parameters in LUKS1
The cryptographic parameters of LUKS from Tails 5.12 or earlier are weak against a state-sponsored attacker with physical access to your device.
We recommend you change the passphrase of your Persistent Storage and other LUKS encrypted volumes unless you use a long passphrase of 5 random words or more.
Understanding the weakness and its solution
The arms race of protecting against brute-force attacks
In all encryption technologies that protect data on a disk or USB stick with a password or passphrase, an attacker can try all possible combinations until they guess your passphrase and unlock the encryption. This type of attack is called a brute-force attack.
A strong password makes brute-force attacks slower and more expensive. The longer the passphrase, the more expensive the brute-force attack.
Some cryptographic parameters can also make each guess of a brute-force attack slower and more expensive, for example, by requiring a complicated calculation to be done on each passphrase before trying to unlock the encryption with the result of that calculation.
Over the years, computers become faster and cheaper. Encryption technologies regularly upgrade their parameters to strike a balance between encryption that is fast and usable for users and brute-force attacks that are as expensive as possible for attackers.
Strong encryption parameters combined with a strong password make brute-force attacks so slow and so expensive that they are impossible in practice. For example, a brute-force attack is impossible in practice if it would take thousands of years even on the most powerful supercomputers.
Strength of Argon2id compared to PBKDF2
Until Tails 5.12 (19 April 2023), Tails created LUKS devices version 1 (LUKS1) with PBKDF2 as key derivation function, a calculation that is run on the passphrase before trying to unlock the encryption with the result.
PBKDF2 is now considered too weak compared to the computing power available.
Some cryptographers think that this weakness might already have been used against an activist in France, but the actual operations of the French police are kept secret.
Since Tails 5.13 (16 May 2023), Tails creates LUKS devices version 2 (LUKS2) with Argon2id as key derivation function.
Tails version when the encryption was created | Release date | LUKS version | Key derivation function | Strength |
---|---|---|---|---|
5.12 or earlier | 19 April 2023 | LUKS1 | PBKDF2 | Weak |
5.13 or later | 16 May 2023 | LUKS2 | Argon2id | Strong |
We estimated how much electricity it would cost to guess passphrases of different strengths. As we recommend for the Persistent Storage, we evaluated passphrases made of several random words.
Passphrase length | PBKDF2 | Argon2id |
---|---|---|
3 random words | $0.1 | $100 |
4 random words | $1,000 | $1,000,000 |
5 random words | $10,000,000 | $10,000,000,000 |
6 random words | $100,000,000,000 | $100,000,000,000,000 |
7 random words | $1,000,000,000,000,000,000 | $1,000,000,000,000,000,000,000,000 |
These numbers are very rough estimates, but they give an idea of what length of passphrase a very powerful adversary, like a state-sponsored attacker, could guess.
Even if guessing a passphrase of 3 random words with LUKS1 costs very little energy, such an attack also requires:
- Physical access to the device
- Very expensive computer equipment
- Professional hacking skills
You can see the details of our calculations in #19615 and this spreadsheet.
Other password schemes give too little guarantee
We recommend using passphrases made of several random words because using randomness is the only way to really guarantee the strength of a password.
Using other password schemes gives little guarantee of the strength of a password, even if it follows complicated password policies and validates on password strength meters.
For example, a Dutch hacker logged into Donald Trump's Twitter account twice by guessing his passwords, even though these passwords included several words, were more than 8 characters, and even had special characters. They were definitely not random enough: "maga2020!" and "yourefired".
To understand the maths behind password strength, watch An information theoretic model of privacy and security metrics. Bill Budington from the EFF explains the concept of entropy and its implication on browser fingerprinting and password safety in accessible terms.
Keeping your encryption secure
All users are recommended to upgrade to LUKS2 on all their encrypted devices: Persistent Storage, backup Tails, and other external encrypted volumes.
Depending on the strength of your passphrase, we might also recommend choosing a different passphrase and migrating to another Tails USB stick:
- If your passphrase has 4 random words or fewer
- If your passphrase has 5 random words
- If your passphrase has 6 random words or more
If your passphrase has 4 random words or fewer
If your current passphrase has 4 random words or fewer:
Your encryption is insecure with LUKS1.
You have to upgrade to LUKS2.
Your encryption is more secure with LUKS2.
We still recommend you change your passphrase to 5 random words or more.
Persistent Storage (4 words or fewer)
To secure your Persistent Storage:
Upgrade to Tails 5.14.
When starting Tails 5.14 for the first time, Tails automatically converts your Persistent Storage to LUKS2.
Choose a new passphrase of 5 to 7 random words.
Display the instructions to generate a passphrase using KeePassXC.
Choose Applications ▸ KeePassXC.
Choose Tools ▸ Password Generator.
Switch to the Passphrase tab.
A very strong passphrase of 7 random words is automatically generated.
It is impossible to recover your passphrase if you forget it!
To help you remember your passphrase, you can write it on a piece of paper, store it in your wallet for a few days, and destroy it once you know it well.
Change your passphrase.
Display the instructions to change the passphrase of your Persistent Storage.
Choose Applications ▸ Persistent Storage.
Click on the Change Passphrase button on the left of the title bar.
Enter the current passphrase in the Current Passphrase text box.
Enter your new passphrase in the New Passphrase text box.
Enter your new passphrase again in the Confirm New Passphrase text box.
Click Change.
Close the Persistent Storage settings.
If you created your Persistent Storage with Tails 5.12 or earlier, we recommend you migrate your entire Tails to a different USB stick and destroy your old Tails USB stick (or at least securely delete the entire device).
If you don't, the previous LUKS1 data might still be written in some recovery data on the USB stick and could be recovered using advanced data forensics techniques.
Display the instructions to migrate your Tails to a new USB stick.
Plug in the new USB stick.
Choose Applications ▸ Tails Cloner.
Turn on the option Clone the current Persistent Storage below the option Clone the current Tails.
Make sure that the new USB stick is selected in the Target USB stick menu.
To start the cloning, click on the Install button.
Enter a passphrase for the Persistent Storage on the new USB stick in the Passphrase text box.
Enter the same passphrase again in the Confirm text box.
Click Continue.
Read the warning message in the confirmation dialog.
Click Delete All Data and Install to confirm.
Cloning takes a few minutes.
The progress bar usually freezes for some time while synchronizing data on disk.
Backup Tails (4 words or fewer)
To secure your backup Tails, if you have one:
Start on your main Tails USB stick.
Upgrade your main Tails USB stick to Tails 5.14.
Create a new backup Tails using Tails Cloner.
If you created your Persistent Storage with Tails 5.12 or earlier, we recommend you create your new backup Tails on a different USB stick and destroy your old backup Tails (or at least securely delete the entire device).
If you don't, the previous LUKS1 data might still be written in some recovery data on the USB stick and could be recovered using advanced data forensics techniques.
Display the instructions to create a new backup.
Plug in the new USB stick.
Choose Applications ▸ Tails Cloner.
Turn on the option Clone the current Persistent Storage below the option Clone the current Tails.
Make sure that the new USB stick is selected in the Target USB stick menu.
To start the cloning, click on the Install button.
Enter a passphrase for the Persistent Storage on the new USB stick in the Passphrase text box.
Enter the same passphrase again in the Confirm text box.
Click Continue.
Read the warning message in the confirmation dialog.
Click Delete All Data and Install to confirm.
Cloning takes a few minutes.
The progress bar usually freezes for some time while synchronizing data on disk.
Other encrypted volumes (4 words or fewer)
To secure your other encrypted volumes, if you have any:
Upgrade to Tails 5.14.
Choose a new passphrase of 5 to 7 random words.
Display the instructions to generate a passphrase using KeePassXC.
Choose Applications ▸ KeePassXC.
Choose Tools ▸ Password Generator.
Switch to the Passphrase tab.
A very strong passphrase of 7 random words is automatically generated.
It is impossible to recover your passphrase if you forget it!
To help you remember your passphrase, you can write it on a piece of paper, store it in your wallet for a few days, and destroy it once you know it well.
If your encrypted volume is on a traditional hard disk (not an SSD) and you can use the command line:
Identify the partition name of your encrypted volume.
Display the instructions to identify the partition name using the command line.
When starting Tails, set up an administration password.
Choose Applications ▸ System Tools ▸ Root Terminal.
Execute the following command:
lsblk
The output is a list of the storage devices and partitions on the system. For example:
NAME                    MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
loop0                     7:0    0  1.2G  1 loop  /lib/live/mount/rootfs/filesystem.squashfs
sda                       8:0    1    7G  0 disk
├─sda1                    8:1    1    4G  0 part  /lib/live/mount/medium
└─sda2                    8:2    1    3G  0 part
  └─TailsData_unlocked  253:0    0    3G  0 crypt /run/nosymfollow/live/persistence/TailsData_un...
zram0                   254:0    0  2.8G  0 disk  [SWAP]
Plug in your encrypted volume. Keep the encryption locked.
Execute the same command again:
lsblk
Your encrypted volume appears as a new device with a list of partitions. Check that the partition size corresponds to your encrypted volume.
NAME                    MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
loop0                     7:0    0  1.2G  1 loop  /lib/live/mount/rootfs/filesystem.squashfs
sda                       8:0    1    7G  0 disk
├─sda1                    8:1    1    4G  0 part  /lib/live/mount/medium
└─sda2                    8:2    1    3G  0 part
  └─TailsData_unlocked  253:0    0    3G  0 crypt /run/nosymfollow/live/persistence/TailsData_un...
sdb                       8:0    1    7G  0 disk
└─sdb1                    8:2    1    7G  0 part
zram0                   254:0    0  2.8G  0 disk  [SWAP]
Take note of the partition name of your encrypted volume. In this example, the new device in the list is sdb and the encrypted volume is in the partition sdb1. Yours might be different.
If you created your encrypted volume with Tails 5.12 or earlier, upgrade to LUKS2.
Display the instructions to upgrade to LUKS2 using the command line.
To verify whether your encrypted volume uses PBKDF2 or Argon2id, execute the following command.
Replace [partition] with the partition name found in step 1.6.
cryptsetup luksDump /dev/[partition]
In the output:
Version indicates the version of LUKS, either 1 or 2.
PBKDF indicates the key derivation function, either pbkdf2 or argon2id.
If your encrypted volume already uses LUKS2 and Argon2id, you can stop here.
Execute the following command to do a backup of your LUKS1 header.
Replace [partition] with the partition name found in step 1.6.
cryptsetup luksHeaderBackup /dev/[partition] --header-backup-file /home/amnesia/luks1header
If something goes wrong, you will be able to restore your LUKS1 header from this backup with:
cryptsetup luksHeaderRestore /dev/[partition] --header-backup-file /home/amnesia/luks1header
To update your LUKS header to LUKS2, execute the following command.
Replace [partition] with the device name found in step 1.6.
cryptsetup convert /dev/[partition] --type luks2
To verify that Argon2id is the new key derivation function, execute the following command again.
Replace [partition] with the partition name found in step 1.6.
cryptsetup luksDump /dev/[partition]
In the output, verify that:
The Version is 2 and not 1.
The PBKDF is argon2id and not pbkdf2.
Try to unlock your encrypted volume.
Change your passphrase.
Display the instructions to change your passphrase using the command line.
To change your passphrase, execute the following command.
Replace [partition] with the partition name found in step 1.6.
cryptsetup luksChangeKey /dev/[partition]
Otherwise, if your encrypted volume is on a USB stick (or an SSD) or you are not comfortable with the command line:
If you created your encrypted volume with Tails 5.13 or later, we recommend you change your passphrase.
Follow our instructions on changing the passphrase of an existing encrypted partition.
If you created your encrypted volume with Tails 5.12 or earlier, we recommend you migrate all your encrypted data to a new encrypted device.
Follow our instructions on creating and using LUKS encrypted volumes.
We also recommend you destroy your old device (or at least securely delete the entire device).
If you don't, the previous LUKS1 data might still be written in some recovery data on the USB stick and could be recovered using advanced data forensics techniques.
If your passphrase has 5 random words
If your current passphrase has 5 random words:
Your encryption is secure with LUKS1, except against a very powerful adversary, like a state-sponsored attacker with a huge budget to spend on guessing your passphrase.
We still recommend you upgrade to LUKS2.
Your encryption is even more secure with LUKS2.
Congratulations on following our recommendations!
Persistent Storage (5 words)
To secure your Persistent Storage:
Upgrade to Tails 5.14.
When starting Tails 5.14 for the first time, Tails automatically converts your Persistent Storage to LUKS2.
Consider adding another random word to your passphrase.
Display the instructions to change the passphrase of your Persistent Storage.
Choose Applications ▸ Persistent Storage.
Click on the Change Passphrase button on the left of the title bar.
Enter the current passphrase in the Current Passphrase text box.
Enter your new passphrase in the New Passphrase text box.
Enter your new passphrase again in the Confirm New Passphrase text box.
Click Change.
Close the Persistent Storage settings.
If you created your encrypted volume with Tails 5.12 or earlier and are worried about a very powerful adversary, consider migrating your entire Tails to a different USB stick and destroying your old Tails USB stick (or at least securely deleting the entire device).
If you don't, the previous LUKS1 data might still be written in some recovery data on the USB stick and could be recovered using advanced data forensics techniques.
Display the instructions to migrate your entire Tails to a new USB stick.
Plug in the new USB stick.
Choose Applications ▸ Tails Cloner.
Turn on the option Clone the current Persistent Storage below the option Clone the current Tails.
Make sure that the new USB stick is selected in the Target USB stick menu.
To start the cloning, click on the Install button.
Enter a passphrase for the Persistent Storage on the new USB stick in the Passphrase text box.
Enter the same passphrase again in the Confirm text box.
Click Continue.
Read the warning message in the confirmation dialog.
Click Delete All Data and Install to confirm.
Cloning takes a few minutes.
The progress bar usually freezes for some time while synchronizing data on disk.
Backup Tails (5 words)
To secure your backup Tails, if you have one:
Start on your main Tails USB stick.
Upgrade your main Tails USB stick to Tails 5.14.
Update your backup or create a new backup Tails using Tails Cloner.
If you created your backup Tails with Tails 5.12 or earlier and are worried about a very powerful adversary, consider creating your new backup Tails on a different USB stick and destroying your old backup Tails (or at least securely deleting the entire device).
If you don't, the previous LUKS1 data might still be written in some recovery data on the USB stick and could be recovered using advanced data forensics techniques.
Display the instructions to update your backup or create a new backup.
Plug in the new USB stick.
Choose Applications ▸ Tails Cloner.
Turn on the option Clone the current Persistent Storage below the option Clone the current Tails.
Make sure that the new USB stick is selected in the Target USB stick menu.
To start the cloning, click on the Install button.
Enter a passphrase for the Persistent Storage on the new USB stick in the Passphrase text box.
Enter the same passphrase again in the Confirm text box.
Click Continue.
Read the warning message in the confirmation dialog.
Click Delete All Data and Install to confirm.
Cloning takes a few minutes.
The progress bar usually freezes for some time while synchronizing data on disk.
Other encrypted volumes (5 words)
To secure your other encrypted volumes, if you have any:
Upgrade to Tails 5.14.
Consider adding another random word to your passphrase.
If you created your encrypted volume with Tails 5.12 or earlier and your encrypted volume is on a traditional hard disk (not an SSD) and you can use the command line:
Identify the partition name of your encrypted volume.
Display the instructions to identify the partition name using the command line.
When starting Tails, set up an administration password.
Choose Applications ▸ System Tools ▸ Root Terminal.
Execute the following command:
lsblk
The output is a list of the storage devices and partitions on the system. For example:
NAME                    MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
loop0                     7:0    0  1.2G  1 loop  /lib/live/mount/rootfs/filesystem.squashfs
sda                       8:0    1    7G  0 disk
├─sda1                    8:1    1    4G  0 part  /lib/live/mount/medium
└─sda2                    8:2    1    3G  0 part
  └─TailsData_unlocked  253:0    0    3G  0 crypt /run/nosymfollow/live/persistence/TailsData_un...
zram0                   254:0    0  2.8G  0 disk  [SWAP]
Plug in your encrypted volume. Keep the encryption locked.
Execute the same command again:
lsblk
Your encrypted volume appears as a new device with a list of partitions. Check that the partition size corresponds to your encrypted volume.
NAME                    MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
loop0                     7:0    0  1.2G  1 loop  /lib/live/mount/rootfs/filesystem.squashfs
sda                       8:0    1    7G  0 disk
├─sda1                    8:1    1    4G  0 part  /lib/live/mount/medium
└─sda2                    8:2    1    3G  0 part
  └─TailsData_unlocked  253:0    0    3G  0 crypt /run/nosymfollow/live/persistence/TailsData_un...
sdb                       8:0    1    7G  0 disk
└─sdb1                    8:2    1    7G  0 part
zram0                   254:0    0  2.8G  0 disk  [SWAP]
Take note of the partition name of your encrypted volume. In this example, the new device in the list is sdb and the encrypted volume is in the partition sdb1. Yours might be different.
If you created your encrypted volume with Tails 5.12 or earlier, upgrade to LUKS2.
Display the instructions to upgrade to LUKS2 using the command line.
To verify whether your encrypted volume uses PBKDF2 or Argon2id, execute the following command.
Replace [partition] with the partition name found in step 1.6.
cryptsetup luksDump /dev/[partition]
In the output:
Version indicates the version of LUKS, either 1 or 2.
PBKDF indicates the key derivation function, either pbkdf2 or argon2id.
If your encrypted volume already uses LUKS2 and Argon2id, you can stop here.
Execute the following command to do a backup of your LUKS1 header.
Replace [partition] with the partition name found in step 1.6.
cryptsetup luksHeaderBackup /dev/[partition] --header-backup-file /home/amnesia/luks1header
If something goes wrong, you will be able to restore your LUKS1 header from this backup with:
cryptsetup luksHeaderRestore /dev/[partition] --header-backup-file /home/amnesia/luks1header
To update your LUKS header to LUKS2, execute the following command.
Replace [partition] with the device name found in step 1.6.
cryptsetup convert /dev/[partition] --type luks2
To verify that Argon2id is the new key derivation function, execute the following command again.
Replace [partition] with the partition name found in step 1.6.
cryptsetup luksDump /dev/[partition]
In the output, verify that:
The Version is 2 and not 1.
The PBKDF is argon2id and not pbkdf2.
Try to unlock your encrypted volume.
Change your passphrase.
Display the instructions to change your passphrase using the command line.
To change your passphrase, execute the following command.
Replace [partition] with the partition name found in step 1.6.
cryptsetup luksChangeKey /dev/[partition]
If you created your encrypted volume with Tails 5.12 or earlier and your encrypted volume is on a USB stick (or an SSD) or if you are not comfortable with the command line:
Migrate all your encrypted data to a new encrypted device.
Follow our instructions on creating and using LUKS encrypted volumes.
If you are worried about a very powerful adversary, consider destroying your old device (or at least securely deleting the entire device).
If you don't, the previous LUKS1 data might still be written in some recovery data on the USB stick and could be recovered using advanced data forensics techniques.
If your passphrase has 6 random words or more
If your current passphrase has 6 random words or more:
Your encryption is secure with LUKS1, even against a very powerful adversary.
We still recommend you upgrade to LUKS2.
Your encryption is even more secure with LUKS2.
Congratulations on following our most secure recommendations!
Persistent Storage (6 words or more)
Your Persistent Storage is already secure, even with LUKS1.
After you upgrade to Tails 5.14 or later, Tails will automatically convert your Persistent Storage to LUKS2 and make your Persistent Storage even more secure.
Backup Tails (6 words or more)
Your backup Tails is already secure, even with LUKS1.
If you want to upgrade your backup Tails to LUKS2 anyway:
Start on your main Tails USB stick.
Upgrade your main Tails USB stick to Tails 5.14.
Update your backup using Tails Cloner.
Display the instructions to update your backup.
Plug in the new USB stick.
Choose Applications ▸ Tails Cloner.
Turn on the option Clone the current Persistent Storage below the option Clone the current Tails.
Make sure that the new USB stick is selected in the Target USB stick menu.
To start the cloning, click on the Install button.
Enter a passphrase for the Persistent Storage on the new USB stick in the Passphrase text box.
Enter the same passphrase again in the Confirm text box.
Click Continue.
Read the warning message in the confirmation dialog.
Click Delete All Data and Install to confirm.
Cloning takes a few minutes.
The progress bar usually freezes for some time while synchronizing data on disk.
Other encrypted volumes (6 words or more)
Your other encrypted volumes are already secure, even with LUKS1.
If you want to upgrade your other encrypted volumes to LUKS2 anyway and you know how to use the command line:
Identify the partition name of your encrypted volume.
Display the instructions to identify the partition name using the command line.
When starting Tails, set up an administration password.
Choose Applications ▸ System Tools ▸ Root Terminal.
Execute the following command:
lsblk
The output is a list of the storage devices and partitions on the system. For example:
NAME                    MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
loop0                     7:0    0  1.2G  1 loop  /lib/live/mount/rootfs/filesystem.squashfs
sda                       8:0    1    7G  0 disk
├─sda1                    8:1    1    4G  0 part  /lib/live/mount/medium
└─sda2                    8:2    1    3G  0 part
  └─TailsData_unlocked  253:0    0    3G  0 crypt /run/nosymfollow/live/persistence/TailsData_un...
zram0                   254:0    0  2.8G  0 disk  [SWAP]
Plug in your encrypted volume. Keep the encryption locked.
Execute the same command again:
lsblk
Your encrypted volume appears as a new device with a list of partitions. Check that the partition size corresponds to your encrypted volume.
NAME                    MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
loop0                     7:0    0  1.2G  1 loop  /lib/live/mount/rootfs/filesystem.squashfs
sda                       8:0    1    7G  0 disk
├─sda1                    8:1    1    4G  0 part  /lib/live/mount/medium
└─sda2                    8:2    1    3G  0 part
  └─TailsData_unlocked  253:0    0    3G  0 crypt /run/nosymfollow/live/persistence/TailsData_un...
sdb                       8:0    1    7G  0 disk
└─sdb1                    8:2    1    7G  0 part
zram0                   254:0    0  2.8G  0 disk  [SWAP]
Take note of the partition name of your encrypted volume. In this example, the new device in the list is sdb and the encrypted volume is in the partition sdb1. Yours might be different.
Upgrade to LUKS2.
Display the instructions to upgrade to LUKS2 using the command line.
To verify whether your encrypted volume uses PBKDF2 or Argon2id, execute the following command.
Replace [partition] with the partition name found in step 1.6.
cryptsetup luksDump /dev/[partition]
In the output:
Version indicates the version of LUKS, either 1 or 2.
PBKDF indicates the key derivation function, either pbkdf2 or argon2id.
If your encrypted volume already uses LUKS2 and Argon2id, you can stop here.
Execute the following command to do a backup of your LUKS1 header.
Replace [partition] with the partition name found in step 1.6.
cryptsetup luksHeaderBackup /dev/[partition] --header-backup-file /home/amnesia/luks1header
If something goes wrong, you will be able to restore your LUKS1 header from this backup with:
cryptsetup luksHeaderRestore /dev/[partition] --header-backup-file /home/amnesia/luks1header
To update your LUKS header to LUKS2, execute the following command.
Replace [partition] with the device name found in step 1.6.
cryptsetup convert /dev/[partition] --type luks2
To verify that Argon2id is the new key derivation function, execute the following command again.
Replace [partition] with the partition name found in step 1.6.
cryptsetup luksDump /dev/[partition]
In the output, verify that:
The Version is 2 and not 1.
The PBKDF is argon2id and not pbkdf2.
Try to unlock your encrypted volume.
Knowing which version of LUKS is used in your devices
If you know how to use the command line, you can verify whether your encryption uses PBKDF2 or Argon2id.
Persistent Storage
When starting Tails, set up an administration password.
Choose Applications ▸ System Tools ▸ Root Terminal.
Execute the following command:
lsblk
The output is a list of the storage devices and partitions on the system. For example:
NAME                    MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
loop0                     7:0    0  1.2G  1 loop  /lib/live/mount/rootfs/filesystem.squashfs
sda                       8:0    1    7G  0 disk
├─sda1                    8:1    1    4G  0 part  /lib/live/mount/medium
└─sda2                    8:2    1    3G  0 part
  └─TailsData_unlocked  253:0    0    3G  0 crypt /run/nosymfollow/live/persistence/TailsData_un...
zram0                   254:0    0  2.8G  0 disk  [SWAP]
Your Persistent Storage appears as TailsData_unlocked.
Take note of the partition name of your Persistent Storage, which appears above TailsData_unlocked. In this example, the Persistent Storage is in the partition sda2. Yours might be different.
To verify whether your encrypted volume uses PBKDF2 or Argon2id, execute the following command.
Replace [partition] with the partition name found in step 4.
sudo cryptsetup luksDump /dev/[partition]
In the output:
Version indicates the version of LUKS, either 1 or 2.
PBKDF indicates the key derivation function, either pbkdf2 or argon2id.
Other encrypted volumes
When starting Tails, set up an administration password.
Choose Applications ▸ System Tools ▸ Root Terminal.
Execute the following command:
lsblk
The output is a list of the storage devices and partitions on the system. For example:
NAME                    MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
loop0                     7:0    0  1.2G  1 loop  /lib/live/mount/rootfs/filesystem.squashfs
sda                       8:0    1    7G  0 disk
├─sda1                    8:1    1    4G  0 part  /lib/live/mount/medium
└─sda2                    8:2    1    3G  0 part
  └─TailsData_unlocked  253:0    0    3G  0 crypt /run/nosymfollow/live/persistence/TailsData_un...
zram0                   254:0    0  2.8G  0 disk  [SWAP]
Plug in your encrypted volume. Keep the encryption locked.
Execute the same command again:
lsblk
Your encrypted volume appears as a new device with a list of partitions. Check that the partition size corresponds to your encrypted volume.
NAME                    MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
loop0                     7:0    0  1.2G  1 loop  /lib/live/mount/rootfs/filesystem.squashfs
sda                       8:0    1    7G  0 disk
├─sda1                    8:1    1    4G  0 part  /lib/live/mount/medium
└─sda2                    8:2    1    3G  0 part
  └─TailsData_unlocked  253:0    0    3G  0 crypt /run/nosymfollow/live/persistence/TailsData_un...
sdb                       8:0    1    7G  0 disk
└─sdb1                    8:2    1    7G  0 part
zram0                   254:0    0  2.8G  0 disk  [SWAP]
Take note of the partition name of your encrypted volume. In this example, the new device in the list is sdb and the encrypted volume is in the partition sdb1. Yours might be different.
To verify whether your encrypted volume uses PBKDF2 or Argon2id, execute the following command.
Replace [partition] with the partition name found in step 6.
sudo cryptsetup luksDump /dev/[partition]
In the output:
Version indicates the version of LUKS, either 1 or 2.
PBKDF indicates the key derivation function, either pbkdf2 or argon2id.
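The verification step used throughout this page (reading Version and PBKDF from cryptsetup luksDump), as an added shell example that is not part of the Tails documentation. It reads the PBKDF of each keyslot instead of searching the whole dump, because a LUKS2 dump also lists a pbkdf2 entry under Digests and a LUKS2 header can still carry a keyslot that reports pbkdf2. The function names, verdict strings and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tails code): classify `cryptsetup luksDump` output.

# Reads a luksDump on stdin and prints one verdict (verdict names are hypothetical):
#   luks1-pbkdf2    LUKS1 header; LUKS1 keyslots always use PBKDF2
#   luks2-pbkdf2    LUKS2 header, but at least one keyslot still uses pbkdf2
#   luks2-argon2id  LUKS2 header and every keyslot uses argon2id
#   luks2-other     LUKS2 header with some other keyslot KDF (for example argon2i)
#   unknown         not recognisable as a LUKS dump
classify_luks_dump() {
    awk '
        /^Version:/  { version = $2 }
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }   # Tokens:, Digests: ... end the keyslot list
        in_slots && $1 == "PBKDF:" {
            slots++
            if ($2 == "pbkdf2") weak++
            else if ($2 != "argon2id") other++
        }
        END {
            if (version == "1")                    print "luks1-pbkdf2"
            else if (version != "2" || slots == 0) print "unknown"
            else if (weak > 0)                     print "luks2-pbkdf2"
            else if (other > 0)                    print "luks2-other"
            else                                   print "luks2-argon2id"
        }
    '
}

# Real use from a Root Terminal: check_device /dev/sdb1  (sdb1 is the page's example name)
check_device() {
    cryptsetup luksDump "$1" | classify_luks_dump
}

# Constructed LUKS1 dump, trimmed to the relevant fields (salts and digests omitted).
sample_luks1() {
    cat <<'EOF'
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK iterations:  100000

Key Slot 0: ENABLED
    Iterations:          1600000
    Key material offset: 8
    AF stripes:          4000
Key Slot 1: DISABLED
EOF
}

# Constructed LUKS2 dump; $1 is the KDF name written into keyslot 0.
# The Digests entry is always pbkdf2 here, which is what fools a plain grep.
sample_luks2() {
    cat <<EOF
LUKS header information
Version:        2
Epoch:          4
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      $1
        AF stripes: 4000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000
EOF
}

# Demonstration on the constructed samples.
printf 'LUKS1                   -> %s\n' "$(sample_luks1 | classify_luks_dump)"
for kdf in pbkdf2 argon2id; do
    printf 'LUKS2 keyslot %-9s -> %s\n' "$kdf" "$(sample_luks2 "$kdf" | classify_luks_dump)"
done
```

A verdict of luks2-pbkdf2 means the header format is LUKS2 but the passphrase is still protected by PBKDF2, so the two checks listed above (Version and PBKDF) must both pass.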