29.2. Encrypting block devices using dm-crypt/LUKS
Linux Unified Key Setup (LUKS) is a specification for block device encryption. It establishes an on-disk format for the data, as well as a passphrase/key management policy.
LUKS uses the kernel device mapper subsystem via the
dm-cryptmodule. This arrangement provides a low-level mapping that handles encryption and decryption of the device's data. User-level operations, such as creating and accessing encrypted devices, are accomplished through the use of the
29.2.1. Overview of LUKS
- What LUKS does:
- LUKS encrypts entire block devices
- LUKS is thereby well-suited for protecting the contents of mobile devices such as:
- Removable storage media
- Laptop disk drives
- The underlying contents of the encrypted block device are arbitrary.
- This makes it useful for encrypting
- This can also be useful with certain databases that use specially formatted block devices for data storage.
- LUKS uses the existing device mapper kernel subsystem.
- This is the same subsystem used by LVM, so it is well tested.
- LUKS provides passphrase strengthening.
- This protects against dictionary attacks.
- LUKS devices contain multiple key slots.
- This allows users to add backup keys/passphrases.
- What LUKS does not do:
- LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.
- LUKS is not well-suited for applications requiring file-level encryption.
For more information on LUKS, refer to http://code.google.com/p/cryptsetup/
29.2.2. How will I access the encrypted devices after installation? (System Startup)
During system startup you will be presented with a passphrase prompt. After the correct passphrase has been provided the system will continue to boot normally. If you used different passphrases for multiple encrypted devices you may need to enter more than one passphrase during the startup.
Consider using the same passphrase for all encrypted block devices in a given system. This will simplify system startup and you will have fewer passphrases to remember. Just make sure you choose a good passphrase!
29.2.3. Choosing a Good Passphrase
While dm-crypt/LUKS supports both keys and passphrases, the anaconda installer only supports the use of passphrases for creating and accessing encrypted block devices during installation.
LUKS does provide passphrase strengthening but it is still a good idea to choose a good (meaning "difficult to guess") passphrase. Note the use of the term "passphrase", as opposed to the term "password". This is intentional. Providing a phrase containing multiple words to increase the security of your data is important.