C.2. Encrypting Block Devices Using dm-crypt/LUKS
Linux Unified Key Setup (LUKS) is a specification for block device encryption. It establishes an on-disk format for the data, as well as a passphrase/key management policy.
LUKS uses the kernel device mapper subsystem via the dm-crypt module. This arrangement provides a low-level mapping that handles encryption and decryption of the device's data. User-level operations, such as creating and accessing encrypted devices, are accomplished through the use of the cryptsetup utility.
C.2.1. Overview of LUKS
- What LUKS does:
  - LUKS encrypts entire block devices
    - LUKS is thereby well-suited for protecting the contents of mobile devices such as:
      - Removable storage media
      - Laptop disk drives
  - The underlying contents of the encrypted block device are arbitrary.
    - This makes it useful for encrypting swap devices.
    - This can also be useful with certain databases that use specially formatted block devices for data storage.
  - LUKS uses the existing device mapper kernel subsystem.
    - This is the same subsystem used by LVM, so it is well tested.
  - LUKS provides passphrase strengthening.
    - This protects against dictionary attacks.
  - LUKS devices contain multiple key slots.
    - This allows users to add backup keys/passphrases.
- What LUKS does not do:
  - LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.
  - LUKS is not well-suited for applications requiring file-level encryption.
More detailed information about LUKS is available from the project website at http://code.google.com/p/cryptsetup/.
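The on-disk format, the eight key slots and the per-slot iteration count (the passphrase strengthening mentioned above) can all be seen in the LUKS1 header. The following parser is an added example, not code from the guide or from the cryptsetup project; it reads a constructed sample header rather than a real device, and the cipher, hash and iteration values in the sample are assumptions chosen for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
KEY_ENABLED = 0x00AC71F3    # on-disk marker for a key slot holding a key
KEY_DISABLED = 0x0000DEAD   # marker for an unused key slot
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # fixed part of the LUKS1 header
SLOT_FMT = ">II32sII"                     # one key slot: active, iterations, salt, offset, stripes
PHDR_SIZE = struct.calcsize(PHDR_FMT)     # 208 bytes; eight 48-byte slots follow
SLOT_SIZE = struct.calcsize(SLOT_FMT)


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_luks1_header(blob):
    """Return the cipher spec and key-slot table from a LUKS1 header (first 592 bytes)."""
    if len(blob) < PHDR_SIZE + 8 * SLOT_SIZE:
        raise ValueError("header too short")
    (magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     _mk_digest, _mk_salt, mk_iter, uuid) = struct.unpack_from(PHDR_FMT, blob, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS device")
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)
    slots = []
    for i in range(8):
        active, iters, _salt, _km_off, stripes = struct.unpack_from(
            SLOT_FMT, blob, PHDR_SIZE + i * SLOT_SIZE)
        # A slot is usable only if it carries the exact "enabled" marker.
        slots.append({"active": active == KEY_ENABLED, "iterations": iters, "stripes": stripes})
    return {"cipher": "%s-%s" % (_cstr(cipher), _cstr(mode)), "hash": _cstr(hashspec),
            "key_bits": key_bytes * 8, "payload_offset": payload_off,
            "mk_iterations": mk_iter, "uuid": _cstr(uuid), "slots": slots}


def build_sample_header(active_slots=(0, 1), iterations=250000):
    """Constructed sample header (not read from a real device): aes-xts-plain64, sha256, 512-bit key."""
    blob = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       4096, 64, b"\0" * 20, b"\0" * 32, iterations,
                       b"00000000-0000-0000-0000-000000000000")
    for i in range(8):
        active = KEY_ENABLED if i in active_slots else KEY_DISABLED
        blob += struct.pack(SLOT_FMT, active, iterations if active == KEY_ENABLED else 0,
                            b"\0" * 32, 8 + i * 256, 4000)
    return blob


if __name__ == "__main__":
    hdr = parse_luks1_header(build_sample_header())
    print(hdr["cipher"], hdr["hash"], "active slots:",
          [i for i, s in enumerate(hdr["slots"]) if s["active"]])
```

Slot 0 and slot 1 are active in the sample, which is what a device with one primary passphrase plus one backup passphrase looks like; the remaining six slots show why LUKS caps distinct keys at eight.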