dm-crypt
Dm -crypt is a cryptographic module of the device mapper in the Linux kernel. One can use dm-crypt data with various algorithms to encrypt and decrypt, this can be to any device files (English: Devices) are used, in most cases, partitions, hard drives or logical drives ( LVM). It thus an additional layer between ( encrypted ) is set up (raw) data and the file system here. For the user, this is done completely transparent. dm -crypt is so disk encryption (partitions, entire disks, as well as all other block devices such as logical drives ( LVM) or loop devices). dm -crypt supports a variety of encryption algorithms because it uses the Crypto API of the Linux kernel.
A different approach, the ( transparent ) file encryption, in which the file system is responsible for the encryption and decryption.
- 4.1 Data throughput
- 4.2 Cryptographic vulnerability
Application
- Disk encryption to protect sensitive information against the (offline) theft (especially mobile devices such as notebooks ).
- Protection against data recovery after the sale or destruction of data carriers. Here some burdensome procedures would otherwise be necessary to delete the data securely, such as overwriting or physical destruction of the disk.
Encryption parameters
Dmcrypt supports various encryption algorithms and modes of operation. They are shown in a special format ( optional parts are enclosed in square brackets):
The individual fields mean:
Examples:
Extension with LUKS
A common extension is LUKS ( "Linux Unified Key Setup "), which extends the encrypted data to a header in the metadata as well as up to eight keys are stored. Advantages over " pure " dm -crypt are: a standardized format, information about the type of encryption in the header, award up to eight keys as well as the modification and deletion of keys without re-writing the encrypted data.
Since the header, the LUKS writes in the container, a plaintext identifier, the encryption and hash algorithm used and the size of the master key contains, an automatic detection and easy management of LUKS containers are possible. It makes the encryption but also recognizable to third parties and attack programs. This is a plausible deniability difficult to impossible. The LUKS header including key data also reduces the usable space on the media to 1028 KiB (default). In contrast to the central metadata various file systems, such as the super block ext2, this is important for the operation of the media data is stored replicated distributed on the medium. If they are overwritten or due to a hardware defect can not be read, the user data on the medium without a backup of the header are ( the management program allows you to cryptsetup ) could not be decrypted.
On-disk format
A message encrypted with LUKS disk partition has the following header ( Mehrbytewerte are in big- endian format stored in clear text, identifiers are filled with zero bytes when they are shorter than the intended space):
Each of the eight Keyslots has the following format:
Comparison LUKS over simple dm -crypt
The following list does not claim to be complete. Depending on the application, also the relevance of each property varies, so that this list does not allow general rating LUKS.
Disadvantages
Data throughput
Due to the additional computational complexity of encryption algorithms arise as with any software running in disk encryption, loss of performance: the data throughput decreases compared to unencrypted media. An improvement can be achieved with faster processors, multi-core processors, the optimization of the algorithms to the particular architecture, or an implementation of a hardware encryption.
Cryptographic vulnerability
On encrypted data with dm-crypt partially cryptographic attacks are possible:
- Watermark attack if not configured with ESSIV
- Attack on a content leak
- Attack on a data modification leak
- General attacks on disk encryption method
Alternatives and Ports
With FreeOTFE exists to maintain compatibility with LUKS implementation for Microsoft Windows.
An approximately similar from a functional alternative product for Windows and Linux TrueCrypt. DiskCryptor (for Microsoft Windows) uses a different format, but it is free software.