Dm-crypt: Difference between revisions
| Line 51: | Line 51: | ||
The first field contains the name the encrypted device will be exposed under /dev/mapper. The second field contains the path to the underlying block device of file, or a specification of a block device with "UUID=...". The third field contains the encryption password. If the field is not present or the password is set to "none" or "-", the password has to be manually entered during system boot. Otherwise, the field is interpreted as an absolute path to a file containing the encryption password. The fourth field, if present, is a comma-delimited list of options. More details about options can be obtained with: | The first field contains the name the encrypted device will be exposed under /dev/mapper. The second field contains the path to the underlying block device of file, or a specification of a block device with "UUID=...". The third field contains the encryption password. If the field is not present or the password is set to "none" or "-", the password has to be manually entered during system boot. Otherwise, the field is interpreted as an absolute path to a file containing the encryption password. The fourth field, if present, is a comma-delimited list of options. More details about options can be obtained with: | ||
man crypttab | man crypttab | ||
Example: | |||
<syntaxhighlight lang='text'> | |||
# | |||
# /etc/crypttab example | |||
# | |||
rackstationb /dev/sdb - | |||
</syntaxhighlight> | |||
=cryptsetup= | =cryptsetup= | ||
Revision as of 09:29, 24 December 2018
External
- https://wiki.archlinux.org/index.php/Dm-crypt
- https://docs.hytrust.com/DataControl/Admin_Guide-4.0/Content/Books/Admin-Guide/Data-Encryption/Example-Adding-and-Encrypting-a-Linux-Disk-with-XFS.htm
- https://www.coveros.com/encrypting-a-rhel-7-disk-with-luks/
- https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
Internal
Overview
dm-crypt is standard device mapper encryption functionality provided by the Linux kernel. The management of dm-crypt is done with cryptsetup userspace utility. dm-crypt allows for the following block-device encryption modes: LUKS and plain.
How Encryption Works
For the purpose of encryption, each block device is divided into sectors of equal length. The encryption/decryption happens on a per-sector basis - the nth sector of the block device on disk will store the encrypted version of the nth of the original data. Whenever the operation system or an application requests a certain fragment of data from the encrypted block device, the whole sector or sectors that contain the data will be read from the block device, decrypted on-the-fly and temporarily stored in memory. Similarly, on each write operation, all sectors that are affected must be re-encrypted completely, while the rest of the sector remain untouched.
The disk encryption system needs to know a unique secret key, named master key, to encrypt/decrypt the data. The entropy of the key is important for the security of the encryption. A randomly generated 32-byte (256-bit) key is appropriate, but it is not feasible to remember and apply manually during the mount. There are two techniques to address this limitation:
- Use a shorter, human-friendly passphrase and an encryption algorithm to protect a master key with appropriate entropy. The passphrase-protected master key can be stored on the encrypted disk itself. This is known as "key stretching", where the passphrase is turned into an enhanced passphrase via a key derivation function; the passphrase is then used to encrypt/decrypt the actual master key.
- Create a key file with high entropy and store it on a medium separate from the data drive to be encrypted. Such a key file can be place on an USB drive kept in a secure location and only connected to the computer during the mount phase of the encrypted disk.
Block-Device Encryption Types
LUKS
LUKS dm-crypt mode, used by default, is an additional convenience layer that stores all of the needed setup information for dm-crypt on the encrypted disk itself and abstracts partition and key management in an attempt to improve ease of use and cryptographic security. With LUKS, encryption is implemented in kernel space.
LUKS is the de-facto standard for block device encryption. The corresponding kernel modules are already shipped with the default kernel. It supports the following cyphers: AES, Anubis, CAST5/6, Twofish, Serpent, Camellia, Blowfish.
It has support for multiple and independently revokable keys for the same encrypted data.
plain
"plain" dm-crypt mode is the original kernel functionality and does not employ the convenience layer.
TrueCrypt
/dev/mapper
/dev/mapper contains, among other things, the dm-crypt encrypted volumes.
/etc/crypttab
/etc/crypttab describes encrypted block devices that are setup during system boot. Empty lines and lines starting with the "#" character are ignored. Each of the remaining lines describes one encrypted block device, fields on the line are delimited by white space. The first two fields are mandatory, the remaining two are optional.
The first field contains the name the encrypted device will be exposed under /dev/mapper. The second field contains the path to the underlying block device of file, or a specification of a block device with "UUID=...". The third field contains the encryption password. If the field is not present or the password is set to "none" or "-", the password has to be manually entered during system boot. Otherwise, the field is interpreted as an absolute path to a file containing the encryption password. The fourth field, if present, is a comma-delimited list of options. More details about options can be obtained with:
man crypttab
Example:
#
# /etc/crypttab example
#
rackstationb /dev/sdb -
cryptsetup
cryptsetup is the userspace utility used to manage the dm-crypt encryption functionality. More details:
man cryptsetup