- Dm-crypt
dm-crypt is a transparent disk encryption subsystem in Linux kernel versions 2.6 and later. It is part of the device mapper infrastructure, and uses cryptographic routines from the kernel's Crypto API. Unlike its predecessor cryptoloop, dm-crypt was designed to support advanced modes of operation, such as XTS, LRW and ESSIV (see disk encryption theory), in order to avoid watermarking attacks. [Clemens Fruhwirth (2005-07-18). "New Methods in Hard Disk Encryption" (PDF). Vienna University of Technology. http://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf. Accessed 2007-04-20.] In addition to that, dm-crypt also addresses some reliability problems of cryptoloop. [Mike Peters (2004-06-08). "Encrypting partitions using dm-crypt and the 2.6 series kernel". http://www.linux.com/articles/36596. Accessed 2008-05-06.]

Since dm-crypt deals with encrypting raw block devices transparently, it supports encrypting whole disks, partitions, logical volumes, as well as files, and can be used with any supported file system. Pre-boot authentication can be used with an initrd.

Frontends
The dm-crypt device mapper target resides entirely in kernel space, and is only concerned with encryption of the block device — it does not interpret any data itself. It relies on user space front-ends to create and activate encrypted volumes, and manage authentication. Three frontends are currently available: cryptsetup, cryptsetup-luks and cryptmount.

cryptsetup
The "cryptsetup" command-line interface does not write any headers to the encrypted volume, and hence only provides the bare essentials: encryption settings have to be provided every time the disk is mounted (although it is usually employed with automated scripts), and only one key can be used per volume; the symmetric encryption key is directly derived from the supplied passphrase. For these reasons, the use of cryptsetup is discouraged with plain passphrases. [Markus Reichelt (2004-06-20). "Why Mainline Cryptoloop Should Not Be Used". http://mareichelt.de/pub/texts.cryptoloop.php?alt_styles=2. Accessed 2007-04-20.] However, the simplicity of cryptsetup makes it useful when combined with third party software, for example, with smart card authentication.

cryptsetup-luks
The "cryptsetup-luks" interface is based on the original cryptsetup utility and retains full compatibility, but adds extra commands to deal with the Linux Unified Key Setup (LUKS) on-disk format. This format provides additional features such as key management and key strengthening, and remembers encrypted volume configuration across reboots. [Clemens Fruhwirth (2004-07-15). "TKS1 – An anti-forensic, two level, and iterated key setup scheme" (PDF, draft). http://clemens.endorphin.org/TKS1-draft.pdf. Accessed 2006-12-12.]

As of May 2007, the codebases of cryptsetup-luks and cryptsetup have been merged, supporting both the old as well as the LUKS interface.
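As an added illustration (not code from cryptsetup or from the original article), the example below reads the configuration that a LUKS version 1 header keeps on disk: cipher and mode, the active key slots, and each slot's key-strengthening iteration count. It also flags CBC with a sector-number IV, the predictable-IV case that ESSIV and XTS were designed to avoid. The field layout follows the LUKS1 on-disk format; the sample header and the names `parse_luks1_header` and `build_sample` are constructed for this example.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208 bytes, big-endian
SLOT = struct.Struct(">II32sII")                   # 48 bytes each, 8 slots follow
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def _text(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1_header(blob):
    """Return the stored volume configuration from the first 592 bytes."""
    if len(blob) < HDR.size + 8 * SLOT.size:
        raise ValueError("short read: a LUKS1 header is 592 bytes")
    (magic, version, cipher, mode, hash_spec, _payload_off, key_bytes,
     _digest, _salt, mk_iter, uuid) = HDR.unpack_from(blob, 0)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(8):
        active, iters, _s, _off, _st = SLOT.unpack_from(blob, HDR.size + i * SLOT.size)
        if active == SLOT_ENABLED:
            slots.append({"slot": i, "pbkdf2_iterations": iters})
    mode = _text(mode)
    chain, _, iv = mode.partition("-")
    return {
        "cipher": _text(cipher), "mode": mode, "hash": _text(hash_spec),
        "key_bits": key_bytes * 8, "mk_digest_iterations": mk_iter,
        "uuid": _text(uuid), "active_slots": slots,
        # CBC with a sector-number IV (plain/plain64) is the predictable-IV case
        "predictable_iv": chain == "cbc" and iv.split(":")[0] in ("plain", "plain64"),
    }

def build_sample(mode, slot_iters):
    """Constructed sample header (not from a real volume) for the demo."""
    hdr = HDR.pack(LUKS_MAGIC, 1, b"aes", mode.encode(), b"sha1", 2056, 32,
                   bytes(20), bytes(32), 10, b"00000000-0000-0000-0000-000000000000")
    for i in range(8):
        iters = slot_iters.get(i)
        hdr += SLOT.pack(SLOT_ENABLED if iters else SLOT_DISABLED, iters or 0,
                         bytes(32), 8 + i * 256, 4000)
    return hdr

if __name__ == "__main__":
    for sample_mode in ("cbc-plain", "cbc-essiv:sha256", "xts-plain64"):
        info = parse_luks1_header(build_sample(sample_mode, {0: 120000, 3: 95000}))
        print(sample_mode, info["active_slots"], "predictable IV:", info["predictable_iv"])
```

On a real system the 592 bytes would be read from the start of the encrypted block device, which requires read access to that device; `cryptsetup luksDump` reports the same fields.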
cryptmount
The "cryptmount" interface is an alternative to the "cryptsetup" tool that allows any user to mount/unmount a dm-crypt file system when needed, without needing superuser privileges after the device has been configured by a superuser.

Features
The fact that disk encryption (volume encryption) software like dm-crypt only deals with transparent encryption of abstract block devices gives it a lot of flexibility. This means that it can be used for encrypting any disk-backed file systems supported by the operating system, as well as swap space. Encrypted volumes can be stored on disk partitions, logical volumes, whole disks as well as file-backed disk images (through the use of loop devices with the losetup utility). It can also be configured to encrypt RAID volumes and LVM physical volumes.

It can also be configured to provide pre-boot authentication through an initrd, thus encrypting all data on the computer (except the bootloader and initrd itself). [W. Michael Petullo (2007-01-18). "Disk encryption in Fedora: Past, present and future". Red Hat Magazine. http://www.redhatmagazine.com/2007/01/18/disk-encryption-in-fedora-past-present-and-future/. Accessed 2007-04-20.]

When the cipher block chaining (CBC) mode of operation is used with predictable initialization vectors, as in other disk encryption software, the disk is vulnerable to watermarking attacks. This means that an attacker is able to detect the presence of specially crafted data on the disk. To address this problem in its predecessors, dm-crypt included provisions for more elaborate, disk encryption-specific modes of operation. Support for ESSIV (encrypted salt-sector initialization vector) was introduced in Linux kernel version 2.6.10, LRW in 2.6.20 and XTS in 2.6.24. However, the CBC mode is still the default for compatibility with older volumes.

The Linux Crypto API includes support for most popular block ciphers and hash functions, which are all usable with dm-crypt.

Compatibility
dm-crypt and LUKS encrypted disks can be accessed and used under MS Windows using FreeOTFE, provided that the filesystem used is supported by Windows (e.g. FAT/FAT32/NTFS). ext3 and ext2 filesystems can also be mounted using the ext2 Installable File System driver for Windows.

See also
* Linux Unified Key Setup
* Comparison of disk encryption software
* Device mapper
* FreeOTFE
* cryptmount

External links
* [http://www.saout.de/misc/dm-crypt/ dm-crypt website]
* [http://www.saout.de/tikiwiki/tiki-index.php dm-crypt wiki]
* [http://luks.endorphin.org/dm-crypt cryptsetup-luks website]
* [http://cryptmount.sourceforge.net cryptmount website]
Wikimedia Foundation. 2010.