dm-crypt

From the cryptsetup project's wiki:

Device-mapper is infrastructure in the Linux 2.6 and 3.x kernel that provides a generic way to create virtual layers of block devices. Device-mapper crypt target provides transparent encryption of block devices using the kernel crypto API. The user can basically specify one of the symmetric ciphers, an encryption mode, a key (of any allowed size), an iv generation mode and then the user can create a new block device in /dev. Writes to this device will be encrypted and reads decrypted. You can mount your filesystem on it as usual or stack dm-crypt device with another device like RAID or LVM volume. Basic documentation of dm-crypt mapping table comes with kernel source and the latest version is available in git repository.

Common scenarios

This section introduces common scenarios to employ dm-crypt to encrypt a system or individual filesystem mount points. The scenarios cross-link to the other subpages where needed. It is meant as starting point to familiarize with different practical encryption procedures.

See Dm-crypt/Encrypting a non-root file system if you need to encrypt a device that is not used for booting a system, like a partition or a loop device.

See Dm-crypt/Encrypting an entire system if you want to encrypt an entire system, in particular a root partition. Several scenarios are covered, including the use of dm-crypt with the LUKS extension, plain mode encryption and encryption and LVM.

Drive preparation

This step will deal with operations like securely erasing the drive and dm-crypt specific points for partitioning it.

See Dm-crypt/Drive preparation.

Device encryption

This section covers how to manually utilize dm-crypt to encrypt a system through the cryptsetup command. It covers examples of the Encryption options with dm-crypt, deals with the creation of keyfiles, LUKS specific commands for key management as well as for Backup and restore.

See Dm-crypt/Device encryption.

System configuration

This page illustrates how to configure mkinitcpio, the boot loader and the crypttab file when encrypting a system.

See Dm-crypt/System configuration.

Swap device encryption

A swap partition may be added to an encrypted system, if required. The swap partition must be encrypted as well to protect any data swapped out by the system. This part details methods without and with suspend-to-disk support.

See Dm-crypt/Swap encryption.

Specialties

This part deals with special operations like securing the unencrypted boot partition, using GPG or OpenSSL encrypted keyfiles, a method to boot and unlock via the network, another for setting up discard/TRIM for a SSD, and sections dealing with the encrypt hook and multiple disks.

See Dm-crypt/Specialties.

See also