Dm-crypt: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
No edit summary
 
(29 intermediate revisions by the same user not shown)
Line 1: Line 1:
=Externa=
=External=


* https://wiki.archlinux.org/index.php/Dm-crypt
* https://wiki.archlinux.org/index.php/Dm-crypt
* https://docs.hytrust.com/DataControl/Admin_Guide-4.0/Content/Books/Admin-Guide/Data-Encryption/Example-Adding-and-Encrypting-a-Linux-Disk-with-XFS.htm
* https://www.coveros.com/encrypting-a-rhel-7-disk-with-luks/
* https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions


=Internal=
=Internal=
Line 10: Line 13:
=Overview=
=Overview=


<font color=darkgray>
<tt>dm-crypt</tt> is standard [[Device Mapper Concepts#Encryption|device mapper]] encryption functionality provided by the Linux kernel. The management of dm-crypt is done with [[#cryptsetup|cryptsetup]] userspace utility. <tt>dm-crypt</tt> allows for the following block-device encryption modes: [[#LUKS|LUKS]] and [[#plain|plain]].
 
=How Encryption Works=
 
{{External|https://wiki.archlinux.org/index.php/disk_encryption#How_the_encryption_works}}
 
For the purpose of encryption, each block device is divided into sectors of equal length. The encryption/decryption happens on a per-sector basis - the n<sup>th</sup> sector of the block device on disk will store the encrypted version of the n<sup>th</sup> of the original data. Whenever the operation system or an application requests a certain fragment of data from the encrypted block device, the whole sector or sectors that contain the data will be read from the block device, decrypted on-the-fly and temporarily stored in memory. Similarly, on each write operation, all sectors that are affected must be re-encrypted completely, while the rest of the sector remain untouched.
 
The disk encryption system needs to know a unique secret key, named master key, to encrypt/decrypt the data. The entropy of the key is important for the security of the encryption. A randomly generated 32-byte (256-bit) key is appropriate, but it is not feasible to remember and apply manually during the mount.  There are two techniques to address this limitation:
* <span id= 'Passphrase'></span>Use a shorter, human-friendly '''passphrase''' and an encryption algorithm to protect a master key with appropriate entropy. The passphrase-protected master key can be stored on the encrypted disk itself. This is known as "key stretching", where the passphrase is turned into an enhanced passphrase via a key derivation function; the passphrase is then used to encrypt/decrypt the actual master key.
* <span id='Key_File'></span>Create a '''key file''' with high entropy and store it on a medium separate from the data drive to be encrypted. Such a key file can be place on an USB drive kept in a secure location and only connected to the computer during the mount phase of the encrypted disk.
 
=Block-Device Encryption Types=
 
==LUKS==
 
LUKS <tt>dm-crypt</tt> mode, used by default, is an additional convenience layer that stores all of the needed setup information for <tt>dm-crypt</tt> on the encrypted disk itself and abstracts partition and key management in an attempt to improve ease of use and cryptographic security. With LUKS, encryption is implemented in kernel space.
 
LUKS is the de-facto standard for block device encryption. The corresponding kernel modules are already shipped with the default kernel. It supports the following cyphers: AES, Anubis, CAST5/6, Twofish, Serpent, Camellia, Blowfish.
 
It has support for multiple and independently revokable keys for the same encrypted data.
 
Also see: {{Internal|LUKS|LUKS}}
 
==plain==
 
"plain" <tt>dm-crypt</tt> mode is the original kernel functionality and does not employ the convenience layer.
 
==TrueCrypt==
 
=/dev/mapper=
 
[[Device_Mapper_Concepts#.2Fdev.2Fmapper|/dev/mapper]] contains, among other things, the dm-crypt encrypted volumes.
 
=/etc/crypttab=
 
{{Internal|/etc/crypttab|/etc/crypttab}}
 
=cryptsetup=
 
<tt>cryptsetup</tt> is the userspace utility used to manage the <tt>dm-crypt</tt> encryption functionality. More details:
 
man cryptsetup


TODO:
==cryptsetup Operations==


* https://www.coveros.com/encrypting-a-rhel-7-disk-with-luks/
{{Internal|cryptsetup Operations|cryptsetup Operations}}


* What is LUKS?
=Operations=
* https://docs.hytrust.com/DataControl/Admin_Guide-4.0/Content/Books/Admin-Guide/Data-Encryption/Example-Adding-and-Encrypting-a-Linux-Disk-with-XFS.htm


</font>
{{Internal|cryptsetup Operations|cryptsetup Operations}}

Latest revision as of 17:05, 4 February 2019

External

Internal

Overview

dm-crypt is standard device mapper encryption functionality provided by the Linux kernel. The management of dm-crypt is done with cryptsetup userspace utility. dm-crypt allows for the following block-device encryption modes: LUKS and plain.

How Encryption Works

https://wiki.archlinux.org/index.php/disk_encryption#How_the_encryption_works

For the purpose of encryption, each block device is divided into sectors of equal length. The encryption/decryption happens on a per-sector basis - the nth sector of the block device on disk will store the encrypted version of the nth of the original data. Whenever the operation system or an application requests a certain fragment of data from the encrypted block device, the whole sector or sectors that contain the data will be read from the block device, decrypted on-the-fly and temporarily stored in memory. Similarly, on each write operation, all sectors that are affected must be re-encrypted completely, while the rest of the sector remain untouched.

The disk encryption system needs to know a unique secret key, named master key, to encrypt/decrypt the data. The entropy of the key is important for the security of the encryption. A randomly generated 32-byte (256-bit) key is appropriate, but it is not feasible to remember and apply manually during the mount. There are two techniques to address this limitation:

  • Use a shorter, human-friendly passphrase and an encryption algorithm to protect a master key with appropriate entropy. The passphrase-protected master key can be stored on the encrypted disk itself. This is known as "key stretching", where the passphrase is turned into an enhanced passphrase via a key derivation function; the passphrase is then used to encrypt/decrypt the actual master key.
  • Create a key file with high entropy and store it on a medium separate from the data drive to be encrypted. Such a key file can be place on an USB drive kept in a secure location and only connected to the computer during the mount phase of the encrypted disk.

Block-Device Encryption Types

LUKS

LUKS dm-crypt mode, used by default, is an additional convenience layer that stores all of the needed setup information for dm-crypt on the encrypted disk itself and abstracts partition and key management in an attempt to improve ease of use and cryptographic security. With LUKS, encryption is implemented in kernel space.

LUKS is the de-facto standard for block device encryption. The corresponding kernel modules are already shipped with the default kernel. It supports the following cyphers: AES, Anubis, CAST5/6, Twofish, Serpent, Camellia, Blowfish.

It has support for multiple and independently revokable keys for the same encrypted data.

Also see:

LUKS

plain

"plain" dm-crypt mode is the original kernel functionality and does not employ the convenience layer.

TrueCrypt

/dev/mapper

/dev/mapper contains, among other things, the dm-crypt encrypted volumes.

/etc/crypttab

/etc/crypttab

cryptsetup

cryptsetup is the userspace utility used to manage the dm-crypt encryption functionality. More details:

man cryptsetup

cryptsetup Operations

cryptsetup Operations

Operations

cryptsetup Operations