C.2. Encrypting block devices using dm-crypt/LUKS

⁠C.2. Encrypting block devices using dm-crypt/LUKS

Linux Unified Key Setup (LUKS) is a specification for block device encryption. It establishes an on-disk format for the data, as well as a passphrase/key management policy.

LUKS uses the kernel device mapper subsystem via the dm-crypt module. This arrangement provides a low-level mapping that handles encryption and decryption of the device's data. User-level operations, such as creating and accessing encrypted devices, are accomplished through the use of the cryptsetup utility.

⁠C.2.1. Overview of LUKS

What LUKS does:
- LUKS encrypts entire block devices
  LUKS is thereby well-suited for protecting the contents of mobile devices such as:
  Removable storage media
  Laptop disk drives
- The underlying contents of the encrypted block device are arbitrary.
  This makes it useful for encrypting swap devices.
  This can also be useful with certain databases that use specially formatted block devices for data storage.
- LUKS uses the existing device mapper kernel subsystem.
  This is the same subsystem used by LVM, so it is well tested.
- LUKS provides passphrase strengthening.
  This protects against dictionary attacks.
- LUKS devices contain multiple key slots.
  This allows users to add backup keys/passphrases.
What LUKS does not do:
- LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.
- LUKS is not well-suited for applications requiring file-level encryption.

More detailed information about LUKS is available from the project website at http://code.google.com/p/cryptsetup/.