Dm-crypt
External
- https://wiki.archlinux.org/index.php/Dm-crypt
- https://docs.hytrust.com/DataControl/Admin_Guide-4.0/Content/Books/Admin-Guide/Data-Encryption/Example-Adding-and-Encrypting-a-Linux-Disk-with-XFS.htm
- https://www.coveros.com/encrypting-a-rhel-7-disk-with-luks/
- https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
Internal
Overview
dm-crypt is standard device mapper encryption functionality provided by the Linux kernel. The management of dm-crypt is done with cryptsetup userspace utility. dm-crypt allows for the following block-device encryption modes: LUKS and plain.
How Encryption Works
For the purpose of encryption, each block device is divided into sectors of equal length. The encryption/decryption happens on a per-sector basis - the nth sector of the block device on disk will store the encrypted version of the nth of the original data. Whenever the operation system or an application requests a certain fragment of data from the encrypted block device, the whole sector or sectors that contain the data will be read from the block device, decrypted on-the-fly and temporarily stored in memory. Similarly, on each write operation, all sectors that are affected must be re-encrypted completely, while the rest of the sector remain untouched.
The disk encryption system needs to know a unique secret key, named master key, to encrypt/decrypt the data. The entropy of the key is important for the security of the encryption. A randomly generated 32-byte (256-bit) key is appropriate, but it is not feasible to remember and apply manually during the mount. There are two techniques to address this limitation:
- Use a shorter, human-friendly passphrase and an encryption algorithm to protect a master key with appropriate entropy. The passphrase-protected master key can be stored on the encrypted disk itself. This is known as "key stretching", where the passphrase is turned into an enhanced passphrase via a key derivation function; the passphrase is then used to encrypt/decrypt the actual master key.
- Create a key file with high entropy and store it on a medium separate from the data drive to be encrypted. Such a key file can be place on an USB drive kept in a secure location and only connected to the computer during the mount phase of the encrypted disk.
Block-Device Encryption Types
LUKS
LUKS dm-crypt mode, used by default, is an additional convenience layer that stores all of the needed setup information for dm-crypt on the encrypted disk itself and abstracts partition and key management in an attempt to improve ease of use and cryptographic security. With LUKS, encryption is implemented in kernel space.
LUKS is the de-facto standard for block device encryption. The corresponding kernel modules are already shipped with the default kernel. It supports the following cyphers: AES, Anubis, CAST5/6, Twofish, Serpent, Camellia, Blowfish.
It has support for multiple and independently revokable keys for the same encrypted data.
Also see:
plain
"plain" dm-crypt mode is the original kernel functionality and does not employ the convenience layer.
TrueCrypt
/dev/mapper
/dev/mapper contains, among other things, the dm-crypt encrypted volumes.
/etc/crypttab
cryptsetup
cryptsetup is the userspace utility used to manage the dm-crypt encryption functionality. More details:
man cryptsetup