Questions tagged [dm-crypt]

dm-crypt is a disk encryption system included in the Linux kernel.

30 questions
46 votes, 10 answers

Is full disk encryption on a server in a secure data center pointless?

I am having a debate with several people regarding how much protection full disk encryption provides. dm-crypt is being used to encrypt data which is required by my company to be encrypted at rest. The Linux servers hosting the data reside in a…
user4755220

31 votes, 3 answers

Why is plain dm-crypt only recommended for experts?

I am curious about the following claim from the Cryptsetup FAQ: 2.4 What is the difference between "plain" and LUKS format? First, unless you happen to understand the cryptographic background well, you should use LUKS. It does protect the user…
please delete me

26 votes, 5 answers

What does LUKS header contain?

What is contained inside the LUKS header? I know the header has a size of 2MB. Also, cryptsetup supports a "detached header", where the header can be stored in a separate file. Thus, for example, I can format a LUKS device and specify a detached header in…
Martin Vegter

22 votes, 1 answer

Linux, TRESOR and XTS

I want to switch from using LUKS for full disk encryption to TRESOR. TRESOR tries to prevent cold boot attacks by storing the encryption key in the CPU's registers. It uses the kernel's crypto API for things like getting IVs and using a mode like…
twisted_pear

13 votes, 1 answer

XTS vs AES-CBC with ESSIV for file-based filesystem encryption

In a blog post I recently read called "You Don't Want XTS," the author explains some of the pitfalls of using XTS to encrypt filesystems. Specifically, he recommends against ever sharing encrypted file-based filesystems over services like Dropbox…
Naftuli Kay

9 votes, 3 answers

access to mounted luks partition by non-root user

Recently I searched for a substitute for TrueCrypt and played a bit with cryptsetup. The steps I did: mkfs -t ext4 /dev/sdb1; sudo cryptsetup open --type luks /dev/sdb1 enc_vol; sudo mount /dev/mapper/enc_vol /mnt. After that I (non-root user) can chdir…
NIkolay Smirnov

5 votes, 1 answer

Decryption using GRUB and TPM

I'm trying to plan a security routine for my new Linux install, and a few questions came up while searching for a solution which meets my needs. Is it possible to use a private key from the TPM in GRUB to decrypt a /boot partition located on external storage? Is…
Matthew

4 votes, 2 answers

Performances of dm-crypt vs. ecryptfs

The only information I found about the difference of performance between dm-crypt (LUKS mode) and ecryptfs is that given that ecryptfs operates at filesystem-level, it may be slower when doing operations on a lot of small files. Given that they both…
Hey

3 votes, 2 answers

Encrypted offsite storage using sshfs and cryptsetup/dm-crypt/LUKS

I'm interested in an encrypted offsite storage scheme, but I don't want to depend on the vendor for encryption. I have an idea for doing so by combining sshfs with cryptsetup/dm-crypt/LUKS, but I'd like to know if there are any obvious problems…
wyer33

3 votes, 4 answers

How safe is dm-crypt/LUKS? Would TPM make me more secure in this case?

I’ve been looking to purchase a new laptop and I need to have security in mind. I’ve specifically been looking for laptops with discrete or integrated TPM because it’s been my understanding that TPM would improve disk encryption security, but after…
arrakies

3 votes, 3 answers

EFI: encrypt ESP

I wonder if it is possible to encrypt an EFI system partition (ESP)? I would like to set up a virtual machine (VirtualBox) using EFI as boot manager, which is supported by the OS used (Arch Linux). Is there a way to encrypt the boot partition (ESP) using…
maxik

3 votes, 3 answers

How can I extract the encrypted master key from LUKS header?

I know that a LUKS partition has a plain-text header that stores much information, like the master key (MK) digest, MK iterations of PBKDF2, information about the 8 key-slots etc. I also know that in the header there is the AF-split and encrypted…
refex

2 votes, 1 answer

How to wipe disks before encryption with dm-crypt if CBC or XTS is used internally?

First, please forgive me if I'm posting this question to the wrong community. Feel free to migrate this post to the right community if I was wrong. I'm quite new to whole disk encryption (but not with encryption), especially with dm-crypt. I'm…
wget

2 votes, 2 answers

Server full disk encryption protection from malware

A group of Linux servers is using dm-crypt to encrypt data. The servers do not store data long-term but are only temporary stopping points for data before it is sent to other systems. The time the data is saved to disk on the server is typically…
user4755220

2 votes, 0 answers

Best luks setup disk

I want to encrypt my disk but I want to know what is the best configuration. I currently use this: cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --key-file=- --hash whirlpool --iter-time 10000 --use-random luksFormat --type luks2…