There are quite a few blogs and wiki articles about how to set up encrypted disks with DM-Crypt and how to configure kernel to support for device mapper and cryptographic API support. Also the homepage of cryptsetup tool contains a lot of information, so I would focus on topics which are not that well covered.
Cryptography algorithms in Linux
The question which algorithm to choose to protect your precious is always difficult, so I'll try to summarize what is available (tested on kernel 3.10 and cryptsetup 1.60) and you can select the combination based
You can find out what is available on your system by using cat /proc/crypto.
If you want to see what performance each has, there is a way to test them with cryptsetup benchmark.
In order to use them in connection with cryptsetup command, it is necessary to combine them into a crypt target string:
cipher[:keycount]-chainmode-ivmode
example:
- aes:256-xts-plain
- serpent-cbc-plain
- aes-cbc-essiv
If there is no crypt target option (-c) specified, the default values that are compiled in can be displayed with cryptsetup --help command.
As for choosing the possible crypt target string here are some of the options (they depend on the kernel settings compiled in):
Encryption algorithms
As the number of supported ciphers is growing, here's the list of those available in recent linux kernels:
Choosing one is highly dependent on what security risk is to be covered by it and what is the usability expectancy of the system that would utilize that encryption.
Block chaining algorithms
- ECB (Electronic CodeBook)
- CBC (Cipher Block Chaining)
- PCBC (Propagating CBC)
- CTR (Counter)
- XTS (XEX-based Tweaked Codebook)
Initialization vector generators
- plain (initial vector is the 32-bit version of the sector number, padded with zeros if needed)
- plain64 (as above, but 64-bit version, so large disks can be used)
- ESSIV ( "encrypted sector|salt initial vector", the sector number is encrypted with the bulk cipher using a salt as key.The salt is derived from the bulk cipher's key via hashing.)
- BENBI (64-bit "big-endian 'narrow block'-count", starting at 1)
- null (IV is always zero)
- LMK (Compatible implementation of the block chaining mode used by the Loop-AES block device encryption system)
- TCW (Compatible implementation of the key seeded IV with additional whitening (to CBC mode))
Digest algorithms
DM-Crypt with LUKS
The most common linux disk encryption is linux unified key setup (LUKS), where the encryption key is password or key encrypted and stored in one of the slots on the disk.
This way of operation offers flexibility of having several ways to decrypt the disk, so several people can have their private passwords used without the need of sharing it with others as well as offers revocation possibility without re-encrypting the disk again.
Create the disk
This command initializes the LUKS partition on the disk.
cryptsetup luksFormat [disk device] [device-mapper name]
Use the disk
cryptsetup luksOpen [disk device] [device-mapper name]
Remove the disk
cryptsetup luksClose [device-mapper name]Other commands
There are also various key management commands like luksAddKey, luksRemoveKey, luksChangeKey or luksKillSlot, which modify the LUKS partition.
For troubleshooting there are other commands, which might be useful like isLuks and luksDump which show the content of the LUKS partition.
To do backups of luksSuspend or luksResume to pause writing to the disk (to perform a backup) or luksHeaderBackup and luksHeaderRestore to back-up the LUKS partition.
Plain DM-Crypt
For those who don't like to have key (although encrypted) stored on the same device, there is a possibility to use the plain DM-crypt.
Plain format has no metadata on disk, reads all parameters from the commandline, derives a master-key from the passphrase and then uses that to de-/encrypt the sectors of the device, with a direct 1:1 mapping between encrypted and decrypted sectors.Open the disk
This command specifies the key with which disk is to be decoded with (no formatting or initialization needed)
cryptsetup open [disk device][device-mapper name]
Remove the disk
In order to gracefully remove the disk, the cryptsetup remove [device-mapper name] can be used.
Troubleshooting
Although plain mode doesn't have as powerful command set as LUKS mode, with cryptsetup status [device-mapper name], it displays some basic information about the opened disk.Full disk encryption
Now the "full" disk encryption is a bit more complicated, as this requires to build a /boot partition with all the tools required to decrypt and mount the root partition.Gentoo provides a documentation on their wiki page, but there is a much easier way than generating initramfs with scripts:
- Install system with stage3 (as well as emerge genkernel; grub)
- Configure kernel and store configuration in file other than /usr/src/linux/.config
- execute genkernel --luks --kernel-config [path to config file] --install all
- generate grub config with grub2-mkconfig -o /boot/grub/grub.cfg
- ensure that /boot/grub/grub.cfg contains appropriate options for loading the kernel (e.g. crypt_root=[encrypted disk] and real_root=[DM partition to mount])
There is also a possibility to do it with key being stored on USB device, in which case the grub config has to also contain options like root_keydev=[USB mount point] and root_key=[file containing the key].
Conclusion
When considering disk encryption you have to consider the following security requirements:
- threat agent (partner/co-worker; thief; corporation; government) and value of the data stored on the disk
- other security controls protecting the disk (physical security; access control; operational security; etc.)
- loss mitigation or recovery options ( data recovery from other sources or off-site backup; re-installation of the system)
- How often decryption code has to be entered
- Encryption overhead on system performance
- Overhead when doing system upgrade (e.g. new kernel installation or OS upgrade)
- Overhead for system maintenance (disk replacement or backups)