| Milan Broz | e3dcc5a | 2008-04-24 22:11:03 +0100 | [diff] [blame] | 1 | dm-crypt |
| 2 | ========= |
| 3 | |
| 4 | Device-Mapper's "crypt" target provides transparent encryption of block devices |
| 5 | using the kernel crypto API. |
| 6 | |
| Milan Broz | 772ae5f | 2011-08-02 12:32:08 +0100 | [diff] [blame] | 7 | Parameters: <cipher> <key> <iv_offset> <device path> \ |
| 8 | <offset> [<#opt_params> <opt_params>] |
| Milan Broz | e3dcc5a | 2008-04-24 22:11:03 +0100 | [diff] [blame] | 9 | |
| 10 | <cipher> |
| 11 | Encryption cipher and an optional IV generation mode. |
| Milan Broz | d1f9642 | 2011-01-13 19:59:54 +0000 | [diff] [blame] | 12 | (In format cipher[:keycount]-chainmode-ivopts:ivmode). |
| Milan Broz | e3dcc5a | 2008-04-24 22:11:03 +0100 | [diff] [blame] | 13 | Examples: |
| 14 | des |
| 15 | aes-cbc-essiv:sha256 |
| 16 | twofish-ecb |
| 17 | |
| 18 | /proc/crypto contains supported crypto modes |
| 19 | |
| 20 | <key> |
| 21 | Key used for encryption. It is encoded as a hexadecimal number. |
| 22 | You can only use key sizes that are valid for the selected cipher. |
| 23 | |
| Milan Broz | d1f9642 | 2011-01-13 19:59:54 +0000 | [diff] [blame] | 24 | <keycount> |
| 25 | Multi-key compatibility mode. You can define <keycount> keys and |
| 26 | then sectors are encrypted according to their offsets (sector 0 uses key0; |
| 27 | sector 1 uses key1 etc.). <keycount> must be a power of two. |
| 28 | |
| Milan Broz | e3dcc5a | 2008-04-24 22:11:03 +0100 | [diff] [blame] | 29 | <iv_offset> |
| 30 | The IV offset is a sector count that is added to the sector number |
| 31 | before creating the IV. |
| 32 | |
| 33 | <device path> |
| 34 | This is the device that is going to be used as backend and contains the |
| 35 | encrypted data. You can specify it as a path like /dev/xxx or a device |
| 36 | number <major>:<minor>. |
| 37 | |
| 38 | <offset> |
| 39 | Starting sector within the device where the encrypted data begins. |
| 40 | |
| Milan Broz | 772ae5f | 2011-08-02 12:32:08 +0100 | [diff] [blame] | 41 | <#opt_params> |
| 42 | Number of optional parameters. If there are no optional parameters, |
| 43 | the optional paramaters section can be skipped or #opt_params can be zero. |
| 44 | Otherwise #opt_params is the number of following arguments. |
| 45 | |
| 46 | Example of optional parameters section: |
| 47 | 1 allow_discards |
| 48 | |
| 49 | allow_discards |
| 50 | Block discard requests (a.k.a. TRIM) are passed through the crypt device. |
| 51 | The default is to ignore discard requests. |
| 52 | |
| 53 | WARNING: Assess the specific security risks carefully before enabling this |
| 54 | option. For example, allowing discards on encrypted devices may lead to |
| 55 | the leak of information about the ciphertext device (filesystem type, |
| 56 | used space etc.) if the discarded blocks can be located easily on the |
| 57 | device later. |
| 58 | |
| Milan Broz | e3dcc5a | 2008-04-24 22:11:03 +0100 | [diff] [blame] | 59 | Example scripts |
| 60 | =============== |
| 61 | LUKS (Linux Unified Key Setup) is now the preferred way to set up disk |
| 62 | encryption with dm-crypt using the 'cryptsetup' utility, see |
| Andrea Gelmini | adc0485 | 2011-01-13 23:01:53 +0100 | [diff] [blame] | 63 | http://code.google.com/p/cryptsetup/ |
| Milan Broz | e3dcc5a | 2008-04-24 22:11:03 +0100 | [diff] [blame] | 64 | |
| 65 | [[ |
| 66 | #!/bin/sh |
| 67 | # Create a crypt device using dmsetup |
| 68 | dmsetup create crypt1 --table "0 `blockdev --getsize $1` crypt aes-cbc-essiv:sha256 babebabebabebabebabebabebabebabe 0 $1 0" |
| 69 | ]] |
| 70 | |
| 71 | [[ |
| 72 | #!/bin/sh |
| 73 | # Create a crypt device using cryptsetup and LUKS header with default cipher |
| 74 | cryptsetup luksFormat $1 |
| 75 | cryptsetup luksOpen $1 crypt1 |
| 76 | ]] |