C.2. Encrypting Block Devices Using dm-crypt/LUKS6tit

Linux Unified Key Setup (LUKS) is a specification for block device encryption. It establishes an on-disk format for the data, as well as a passphrase/key management policy.
LUKS uses the kernel device mapper subsystem via the dm-crypt module. This arrangement provides a low-level mapping that handles encryption and decryption of the device's data. User-level operations, such as creating and accessing encrypted devices, are accomplished through the use of the cryptsetup utility.

C.2.1. Overview of LUKS

  • What LUKS does:
    • LUKS encrypts entire block devices
      • LUKS is thereby well-suited for protecting the contents of mobile devices such as:
        • Removable storage media
        • Laptop disk drives
    • The underlying contents of the encrypted block device are arbitrary.
      • This makes it useful for encrypting swap devices.
      • This can also be useful with certain databases that use specially formatted block devices for data storage.
    • LUKS uses the existing device mapper kernel subsystem.
      • This is the same subsystem used by LVM, so it is well tested.
    • LUKS provides passphrase strengthening.
      • This protects against dictionary attacks.
    • LUKS devices contain multiple key slots.
      • This allows users to add backup keys/passphrases.
  • What LUKS does not do:
    • LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.
    • LUKS is not well-suited for applications requiring file-level encryption.
More detailed information about LUKS is available from the project website at http://code.google.com/p/cryptsetup/.