Red Hat Enterprise Linux 9 Essentials Book now available.
Purchase a copy of Red Hat Enterprise Linux 9 (RHEL 9) Essentials
Red Hat Enterprise Linux 9 Essentials Print and eBook (PDF) editions contain 34 chapters and 298 pages
C.2. Encrypting block devices using dm-crypt/LUKS
Linux Unified Key Setup (LUKS) is a specification for block device encryption. It establishes an on-disk format for the data, as well as a passphrase/key management policy.
LUKS uses the kernel device mapper subsystem via the dm-crypt module. This arrangement provides a low-level mapping that handles encryption and decryption of the device's data. User-level operations, such as creating and accessing encrypted devices, are accomplished through the use of the cryptsetup utility.
C.2.1. Overview of LUKS
What LUKS does:
LUKS encrypts entire block devices
LUKS is thereby well-suited for protecting the contents of mobile devices such as:
Removable storage media
Laptop disk drives
The underlying contents of the encrypted block device are arbitrary.
This makes it useful for encrypting swap devices.
This can also be useful with certain databases that use specially formatted block devices for data storage.
LUKS uses the existing device mapper kernel subsystem.
This is the same subsystem used by LVM, so it is well tested.
LUKS provides passphrase strengthening.
This protects against dictionary attacks.
LUKS devices contain multiple key slots.
This allows users to add backup keys/passphrases.
What LUKS does not do:
LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.
LUKS is not well-suited for applications requiring file-level encryption.
