Buscar

29.2. Encrypting block devices using dm-crypt/LUKS

download PDF
Linux Unified Key Setup (LUKS) is a specification for block device encryption. It establishes an on-disk format for the data, as well as a passphrase/key management policy.
LUKS uses the kernel device mapper subsystem via the dm-crypt module. This arrangement provides a low-level mapping that handles encryption and decryption of the device's data. User-level operations, such as creating and accessing encrypted devices, are accomplished through the use of the cryptsetup utility.

29.2.1. Overview of LUKS

  • What LUKS does:
    • LUKS encrypts entire block devices
      • LUKS is thereby well-suited for protecting the contents of mobile devices such as:
        • Removable storage media
        • Laptop disk drives
    • The underlying contents of the encrypted block device are arbitrary.
      • This makes it useful for encrypting swap devices.
      • This can also be useful with certain databases that use specially formatted block devices for data storage.
    • LUKS uses the existing device mapper kernel subsystem.
      • This is the same subsystem used by LVM, so it is well tested.
    • LUKS provides passphrase strengthening.
      • This protects against dictionary attacks.
    • LUKS devices contain multiple key slots.
      • This allows users to add backup keys/passphrases.
  • What LUKS does not do:
    • LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.
    • LUKS is not well-suited for applications requiring file-level encryption.
For more information on LUKS, refer to http://code.google.com/p/cryptsetup/

29.2.2. How will I access the encrypted devices after installation? (System Startup)

During system startup you will be presented with a passphrase prompt. After the correct passphrase has been provided the system will continue to boot normally. If you used different passphrases for multiple encrypted devices you may need to enter more than one passphrase during the startup.

Note

Consider using the same passphrase for all encrypted block devices in a given system. This will simplify system startup and you will have fewer passphrases to remember. Just make sure you choose a good passphrase!

29.2.3. Choosing a Good Passphrase

While dm-crypt/LUKS supports both keys and passphrases, the anaconda installer only supports the use of passphrases for creating and accessing encrypted block devices during installation.
LUKS does provide passphrase strengthening but it is still a good idea to choose a good (meaning "difficult to guess") passphrase. Note the use of the term "passphrase", as opposed to the term "password". This is intentional. Providing a phrase containing multiple words to increase the security of your data is important.
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

© 2024 Red Hat, Inc.