Dm-crypt
dm-crypt is a transparent disk encryption subsystem. dm-crypt maps a physical block device to a virtual block device and does encryption/decryption transparently between the two block devices.
Modes
There are two common ways of using dm-crypt: plain mode and LUKS.
Plain mode encrypts sector by sector without any header or metadata; the entire volume contains just the raw ciphertext and nothing else. LUKS, on the other hand, has a standardized on-disk format that makes volumes portable across distributions and supports multiple passphrases.
Disadvantages with plain mode:
- dm-crypt has no way to tell whether the passphrase you entered is correct; a wrong passphrase simply yields garbage.
- dm-crypt does not record which cipher, hash or key size was used, so if a software upgrade changes the defaults the volume will no longer open unless you pass the original options explicitly every time.
- the passphrase cannot be changed without re-encrypting the whole volume.
Advantages with using LUKS:
- the passphrase only decrypts a master key stored in the header, so it can be changed without re-encrypting the volume.
- the passphrase is key-stretched (PBKDF2), which strengthens it against brute-force attacks.
- the encryption settings are stored unencrypted in the header, so the volume can be opened on any system without remembering the options.
The flip side of that header is that anyone can recognize a LUKS volume simply by inspecting the unencrypted header, whereas a plain-mode volume looks like random data.
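The header inspection mentioned above is trivial to script. The following is an added example (not code from the original page): it reads the first bytes of a file or block device and reports whether a LUKS header is present and which version, which is handy when inventorying disks or confirming that a volume you believe to be plain-mode really carries no header. The sample files it creates are constructed stand-ins containing only the first bytes of a header.

```shell
#!/bin/sh
# Added example, not from the original page. Reports whether a file or block
# device starts with a LUKS header, and which version. A plain-mode volume
# has no header, so it reports "none", exactly like any other opaque data.
#
# LUKS1 and LUKS2 share the same primary header prefix at offset 0:
#   bytes 0-5: magic "LUKS" 0xBA 0xBE
#   bytes 6-7: version, big-endian 16-bit integer (1 or 2)

luks_header_info() {
    # Dump the first 8 bytes as hex, dropping offsets and whitespace.
    hdr=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo "LUKS1" ;;
        4c554b53babe0002) echo "LUKS2" ;;
        *)                echo "none" ;;
    esac
}

# Write constructed sample "volumes" into DIR: two fake LUKS header prefixes
# and a headerless file standing in for a plain-mode volume.
make_samples() {
    dir="$1"
    printf 'LUKS\272\276\000\001' > "$dir/luks1.img"
    printf 'LUKS\272\276\000\002' > "$dir/luks2.img"
    printf 'no header here, just opaque bytes' > "$dir/plain.img"
}

# Demo on the constructed samples; on a real system you would pass a device
# such as /dev/sdX instead of the sample files.
demo() {
    dir=$(mktemp -d)
    make_samples "$dir"
    for f in "$dir"/luks1.img "$dir"/luks2.img "$dir"/plain.img; do
        printf '%s: %s\n' "$f" "$(luks_header_info "$f")"
    done
    rm -rf "$dir"
}

demo
```

Only the magic and version bytes are checked here; a real LUKS header also carries the cipher name, hash, key-slot table and UUID, which is exactly the metadata plain mode deliberately does not store.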
Usage
On a Red Hat based system, install the cryptsetup package.
Plain Mode
# cryptsetup --verify-passphrase open --type plain /dev/sdX sdX-plain
## Use /dev/mapper/sdX-plain as any other block device
# cryptsetup close sdX-plain
LUKS
Basic usage:
# cryptsetup luksFormat /dev/sdX
# cryptsetup luksOpen /dev/sdX sdX-luks
## Use /dev/mapper/sdX-luks
# cryptsetup luksClose sdX-luks
The LUKS header can be backed up and restored:
# cryptsetup luksHeaderBackup /dev/sdX --header-backup-file sdX-luks-header
# cryptsetup luksHeaderRestore /dev/sdX --header-backup-file sdX-luks-header
Options
There are some options that can be passed to cryptsetup:
Option | Default | Description |
---|---|---|
--hash, -h | sha256 | Hash algorithm used for key derivation. E.g. sha256, sha512, ripemd160 |
--cipher, -c | aes-xts-plain64 | Cipher to use for encryption. E.g. aes-xts-plain64, aes-cbc-essiv:sha256 |
--key-size, -s | 256 (512 for XTS) | Key size in bits used for encryption |
--verify-passphrase, -y | yes | Ask for the passphrase twice as a sanity check |
When using luksFormat or luksAddKey, you may want to specify --iter-time or -i to set the number of milliseconds to spend on PBKDF2 key derivation.
Keys
There are a total of 8 key slots that can be used. The first key slot is taken by the passphrase entered when the volume is created.
To change your passphrase:
# cryptsetup luksChangeKey /dev/sdX
To set up an additional passphrase that can unlock the container:
# cryptsetup luksAddKey /dev/sdX
To remove a passphrase from a key slot:
# cryptsetup luksRemoveKey /dev/sdX
To see which key slots are in use:
# cryptsetup luksDump /dev/sdX
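The options and key-management commands above are easy to get subtly wrong: plain mode must be opened with exactly the options it was created with, and the --key-size value for XTS ciphers is split across two keys, so -s 512 with aes-xts-plain64 is AES-256 while -s 256 is only AES-128. The following wrapper is an added example (not code from the original page or the cryptsetup project); the cipher, hash, key size and iteration time it pins are assumed choices for the example, and the cryptsetup calls themselves need root and a real device, so they are only shown in the commented usage.

```shell
#!/bin/sh
# Added example, not from the original page: a wrapper that pins all
# cryptsetup parameters explicitly so a change of defaults after an upgrade
# cannot silently alter how a volume is interpreted, and that checks the XTS
# key-size convention before formatting.

CIPHER="aes-xts-plain64"   # assumed choice for this example
HASH="sha256"
KEY_SIZE=512               # 512 bits with XTS => AES-256
ITER_TIME=2000             # milliseconds of PBKDF2 for luksFormat/luksAddKey

# Effective AES key strength in bits for a cipher spec and -s value.
# XTS uses two keys of equal length, so the key size is halved; for other
# AES modes the -s value is the AES key size directly.
aes_strength() {
    cipher="$1"; size="$2"
    case "$cipher" in
        aes-xts-*) echo $((size / 2)) ;;
        aes-*)     echo "$size" ;;
        *)         echo 0 ;;       # non-AES cipher families not handled here
    esac
}

# Succeed only if the combination yields at least 256-bit AES.
check_key_size() {
    s=$(aes_strength "$1" "$2")
    [ "$s" -ge 256 ]
}

# Format a new LUKS volume with every parameter pinned and passphrase
# verification on.
luks_format_pinned() {
    dev="$1"
    check_key_size "$CIPHER" "$KEY_SIZE" || {
        echo "refusing: $CIPHER with -s $KEY_SIZE gives only $(aes_strength "$CIPHER" "$KEY_SIZE")-bit AES" >&2
        return 1
    }
    cryptsetup luksFormat --cipher "$CIPHER" --hash "$HASH" --key-size "$KEY_SIZE" \
        --iter-time "$ITER_TIME" --verify-passphrase "$dev"
}

# Open a plain-mode volume with the same options it was created with. Plain
# mode has no header, so a mismatch produces garbage and cryptsetup cannot
# tell you; pinning the options is the only protection.
plain_open_pinned() {
    dev="$1"; name="$2"
    cryptsetup open --type plain --cipher "$CIPHER" --hash "$HASH" \
        --key-size "$KEY_SIZE" --verify-passphrase "$dev" "$name"
}

# Back up the LUKS header right after formatting. Without a backup, a
# damaged header means the data is unrecoverable even with the passphrase;
# with one, the backup unlocks the volume, so keep it readable by root only.
luks_backup_header() {
    dev="$1"; out="$2"
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out"
    chmod 600 "$out"
}

# Usage (requires root and a real device, so left commented):
#   luks_format_pinned /dev/sdX
#   luks_backup_header /dev/sdX /root/sdX-luks-header.img
#   cryptsetup luksOpen /dev/sdX sdX-luks
#   plain_open_pinned /dev/sdY sdY-plain
```

Keeping the header backup as tightly protected as the device itself matters because it contains the key slots: anyone holding an old backup plus a passphrase you have since removed with luksRemoveKey can still unlock the volume.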