LUKS Brute Force Time Estimate

TL;DR

Brute forcing a LUKS passphrase is extremely time-consuming and, for a long random passphrase, impractical. The attack does not touch the AES master key directly: it guesses the passphrase that unlocks a key slot, and every guess has to pay for a full run of the key derivation function. The work grows exponentially with passphrase length and with the size of the character set. This guide explains how to estimate that time.

Understanding the Problem

LUKS (Linux Unified Key Setup) protects the volume's master key with a passphrase: the passphrase is fed through a deliberately slow key derivation function (PBKDF2 or Argon2) and the result unlocks a key slot. A brute force attack tries every possible passphrase until one unlocks a slot. The longer and more varied your passphrase, the more combinations need to be tested, and each test costs a full KDF run. Even with powerful hardware, this can take years, decades, or even centuries.

Estimating Brute Force Time

  1. Passphrase Length: Determine the length of your passphrase (e.g., 8 characters, 12 characters).
  2. Character Set: Identify the character set used in your passphrase. Common sets include:
    • Lowercase letters only (26 characters)
    • Uppercase letters only (26 characters)
    • Numbers only (10 characters)
    • Lowercase and uppercase letters (52 characters)
    • Letters, numbers and symbols (62 to 95 characters, depending on how many of the 33 printable ASCII symbols you allow). This guide uses 78 as a working figure.
  3. Calculate Total Possible Passphrases: Use the following formula:
    Total Passphrases = Character Set ^ Passphrase Length

    For example, an 8-character passphrase using letters, numbers and symbols (78 characters) has:

    78^8 = 1,370,114,370,683,136 ≈ 1.37 x 10^15 possible combinations.
  4. Hashing Speed: Each guess has to be run through the key derivation function (KDF) that protects the key slot: PBKDF2 for LUKS1 and for LUKS2 key slots formatted with --pbkdf pbkdf2, Argon2 (argon2i or argon2id, the LUKS2 default) otherwise. The cost of one KDF run determines how many passphrase attempts can be tested per second.
    • Identify the KDF: Run cryptsetup luksDump /dev/sdX. A LUKS2 header lists a PBKDF line for each key slot together with its parameters (time cost, memory and threads for Argon2, iterations for PBKDF2); a LUKS1 header shows a Hash spec and an Iterations count per key slot and always means PBKDF2.
    • Estimate Hashing Speed: cryptsetup benchmarks the KDF when the volume is formatted so that one unlock takes roughly --iter-time milliseconds (default 2000) on that machine, so one guess costs about that long per core on comparable hardware. To measure it against your own header, time a deliberately wrong passphrase without activating the device:
      time cryptsetup open --test-passphrase /dev/sdX

      Enter an incorrect passphrase at the prompt. The inverse of the wall-clock time is your approximate single-core guess rate; if more than one key slot is active, divide the time by the number of slots, because a wrong passphrase is tried against every slot before it is rejected. An attacker's rate is that figure multiplied by the number of cores or GPUs they can keep busy.

  5. Calculate Estimated Time: Use the following formula:
    Estimated Time (seconds) = Total Passphrases / Hashing Speed

    This is the worst case, in which the correct passphrase is the last one tried; on average it turns up after half the keyspace, so halve the figure for the expected time. Convert seconds to more useful units (minutes, hours, days, years).

Example Calculation

Let's assume:

  • Passphrase Length: 10 characters
  • Character Set: Letters, numbers and symbols (78 characters)
  • Hashing Speed: 10 million attempts per second (a deliberately generous figure, far above what any real LUKS header allows; see below).
  1. Total Passphrases = 78^10 = 8,335,775,831,236,199,424 ≈ 8.34 x 10^18
  2. Estimated Time = (8.34 x 10^18) / (10 x 10^6) ≈ 8.34 x 10^11 seconds ≈ 26,400 years in the worst case, about 13,200 years on average

Even this example flatters the attacker by many orders of magnitude. A header formatted with the default --iter-time of 2000 ms costs roughly two seconds per guess per core on comparable hardware, so a thousand cores manage about 500 guesses per second, not ten million, and Argon2's memory cost stops GPUs from closing the gap. Redo the calculation with 500 guesses per second and the same keyspace and the worst case comes to about 5 x 10^8 years.
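The five steps above and the example calculation, carried through as a small Python script. This is an added example, not code from the original post or from cryptsetup. It models one guess as one PBKDF2-HMAC-SHA256 run from Python's hashlib (Argon2 is not in the standard library), takes the 78-character set and the 2000 ms --iter-time default from the text, and treats the 1000-core attacker and the linear scaling of throughput with cores as assumptions.

```python
"""Brute-force time estimate for a LUKS passphrase (added illustration).

Assumptions, labelled here and in the comments:
- the attacker has to enumerate the keyspace (no wordlist shortcut);
- one guess costs one run of the key-slot KDF, modelled with
  PBKDF2-HMAC-SHA256 from hashlib (Argon2 is not in the standard library);
- the attacker's throughput scales linearly with the number of workers.
"""
import hashlib
import os
import time

# Character-set sizes from the article; 78 is its working figure for
# letters, digits and a moderate symbol set.
CHARSETS = {
    "digits": 10,
    "lower": 26,
    "upper": 26,
    "mixed_alpha": 52,
    "alnum": 62,
    "alnum_symbols": 78,
    "printable_ascii": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Step 3: Total Passphrases = Character Set ^ Passphrase Length."""
    if charset_size < 2 or length < 1:
        raise ValueError("need a character set of at least 2 and a length of at least 1")
    return charset_size ** length


def attack_rate(seconds_per_guess: float, workers: int) -> float:
    """Step 4: guesses per second for `workers` cores that each pay
    `seconds_per_guess` for one KDF run (assumed linear scaling)."""
    return workers / seconds_per_guess


def expected_seconds(total: int, guesses_per_second: float, average_case: bool = False) -> float:
    """Step 5: worst case tests the whole keyspace; on average the right
    passphrase is found after half of it."""
    guesses = total / 2 if average_case else total
    return guesses / guesses_per_second


def human_time(seconds: float) -> str:
    """Convert seconds to the largest unit that gives a value of at least 1."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3f} seconds"


def measure_pbkdf2_seconds(iterations: int, samples: int = 3) -> float:
    """Wall-clock cost of one PBKDF2-HMAC-SHA256 guess at `iterations`
    on this machine (single core). A real LUKS1 key slot also decrypts the
    slot and runs PBKDF2 again over the recovered master key, so this is a
    slight underestimate of the attacker's cost."""
    salt = os.urandom(32)  # constructed here; a real attacker reads it from the header
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations, dklen=64)
    return (time.perf_counter() - start) / samples


def report(charset: str, length: int, seconds_per_guess: float, workers: int) -> dict:
    """Tie the steps together and return the numbers so callers can check them."""
    total = keyspace(CHARSETS[charset], length)
    rate = attack_rate(seconds_per_guess, workers)
    return {
        "keyspace": total,
        "rate": rate,
        "worst_seconds": expected_seconds(total, rate),
        "average_seconds": expected_seconds(total, rate, average_case=True),
    }


if __name__ == "__main__":
    # The article's example: 10 characters from 78 at 10 million guesses/s.
    total = keyspace(CHARSETS["alnum_symbols"], 10)
    print(f"keyspace {total:.2e}, worst {human_time(expected_seconds(total, 1e7))}, "
          f"average {human_time(expected_seconds(total, 1e7, average_case=True))}")

    # More realistic: cryptsetup's default --iter-time of 2000 ms means about
    # 2 s per guess per core; the 1000-core attacker is an assumption.
    r = report("alnum_symbols", 10, seconds_per_guess=2.0, workers=1000)
    print(f"1000 cores at 2 s/guess: {r['rate']:.0f} guesses/s, "
          f"worst {human_time(r['worst_seconds'])}")

    # Measure what one PBKDF2 guess costs here, then show how the iteration
    # count (a KDF parameter) moves the single-core rate.
    for iters in (1_000, 100_000):
        cost = measure_pbkdf2_seconds(iters)
        print(f"PBKDF2-SHA256 x{iters}: {cost * 1e3:.2f} ms/guess -> "
              f"{attack_rate(cost, 1):,.0f} guesses/s on one core")
```

Raising the PBKDF2 iteration count by a factor of 100 lowers the measured single-core rate by roughly the same factor, which is the whole point of the KDF: the keyspace is fixed by the passphrase, and the KDF parameters set the price of each guess.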

Factors Affecting Brute Force Time

  • KDF Algorithm: Argon2 is memory-hard, so each guess needs a sizeable block of RAM as well as CPU time; that is what lets it resist GPU and ASIC acceleration better than PBKDF2, which is pure hashing.
  • KDF Parameters: The iteration count (PBKDF2) or the time cost, memory cost and thread count (Argon2) set the price of every guess; cryptsetup chooses them at format time from --iter-time (and --pbkdf-memory for Argon2). The salt does not slow a guess down; its job is to stop precomputed tables being reused across headers.
  • Hardware: Faster CPUs and GPUs raise the guess rate, but only linearly, while the keyspace grows exponentially with passphrase length; one extra character from a 78-symbol set costs the attacker 78 times more work.
  • Parallelism: Guesses are independent, so the work splits across cores and GPUs almost perfectly for PBKDF2. Argon2's memory requirement caps how many guesses fit in a GPU at once, which is the intended effect.

Practical Considerations

Exhaustive search of a LUKS passphrase is rarely successful in a reasonable timeframe unless:

  • The passphrase is very short (less than 6 characters).
  • The passphrase uses a limited character set.
  • The KDF settings are weak (for example a header formatted with a very low --iter-time).

The formula above is an upper bound on the attacker's work. In practice attackers do not enumerate the keyspace; they try wordlists, leaked passwords and mangling rules first, so a long passphrase that is a dictionary word with a digit appended is far weaker than the arithmetic suggests. Use a long random passphrase (or a keyfile), keep the header's KDF parameters at their defaults or stronger, and keep the system itself secure so that a brute-force attack never becomes worth attempting.
