Disk Encryption Guide; What Is Block Device Encryption; Encrypting Block Devices Using dm-crypt/LUKS; Overview of LUKS - Red Hat Enterprise Linux 5 Installation Manual

Chapter 29. Disk Encryption Guide

Note
Red Hat Enterprise Linux 5.3 now contains support during installation for file system
encryption. This is not supported for earlier versions of Red Hat Enterprise Linux.

29.1. What is block device encryption?

Block device encryption protects the data on a block device by encrypting it. To access the device's
decrypted contents, a user must provide a passphrase or key as authentication. This provides
additional security beyond existing OS security mechanisms in that it protects the device's contents
even if it has been physically removed from the system.

29.2. Encrypting block devices using dm-crypt/LUKS

Linux Unified Key Setup (LUKS) is a specification for block device encryption. It establishes an on-disk
format for the data, as well as a passphrase/key management policy.

LUKS uses the kernel device mapper subsystem via the dm-crypt module. This arrangement
provides a low-level mapping that handles encryption and decryption of the device's data. User-level
operations, such as creating and accessing encrypted devices, are accomplished through the use of
the cryptsetup utility.
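
The on-disk format and key management policy described above can be inspected directly. The following is an added example, not part of the Red Hat manual: a Python parser for the LUKS version 1 header that lists the key slots and flags enabled slots with a low PBKDF2 iteration count. The field layout comes from the LUKS1 on-disk format specification rather than this page; the sample header and the 10000-iteration floor are constructed assumptions.

```python
import struct

# LUKS1 header: 592 bytes, big-endian (layout from the LUKS1 spec, not this page).
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208 bytes of fixed fields
SLOT = struct.Struct(">II32sII")                    # 48 bytes, repeated 8 times
MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def _text(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1_header(buf):
    """Parse the first 592 bytes of a device into header fields and key slots."""
    if len(buf) < PHDR.size + 8 * SLOT.size:
        raise ValueError("short read: LUKS1 header is 592 bytes")
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, mk_iter, uuid) = PHDR.unpack_from(buf, 0)
    if magic != MAGIC or version != 1:
        raise ValueError("not a LUKS version 1 header")
    slots = []
    for i in range(8):
        state, iters, _salt, km_off, stripes = SLOT.unpack_from(
            buf, PHDR.size + i * SLOT.size)
        if state not in (SLOT_ENABLED, SLOT_DISABLED):
            raise ValueError("key slot %d has invalid state 0x%08x" % (i, state))
        slots.append({"index": i, "enabled": state == SLOT_ENABLED,
                      "pbkdf2_iterations": iters, "stripes": stripes,
                      "key_material_sector": km_off})
    return {"cipher": "%s-%s" % (_text(cipher), _text(mode)),
            "hash": _text(hash_spec), "key_bits": key_bytes * 8,
            "payload_sector": payload_off, "mk_iterations": mk_iter,
            "uuid": _text(uuid), "slots": slots}

def weak_slots(header, min_iterations=10000):
    """Enabled slots whose PBKDF2 count is below an assumed, site-chosen floor."""
    return [s["index"] for s in header["slots"]
            if s["enabled"] and s["pbkdf2_iterations"] < min_iterations]

def build_sample_header():
    """Constructed sample: slot 0 strong, slot 1 weak, slots 2-7 disabled."""
    buf = PHDR.pack(MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 2056, 32,
                    b"\x11" * 20, b"\x22" * 32, 1000, b"constructed-sample-uuid")
    states = [(SLOT_ENABLED, 150000), (SLOT_ENABLED, 1000)] + [(SLOT_DISABLED, 0)] * 6
    for i, (state, iters) in enumerate(states):
        buf += SLOT.pack(state, iters, b"\x33" * 32, 8 + i * 256, 4000)
    return buf

if __name__ == "__main__":
    print(weak_slots(parse_luks1_header(build_sample_header())))
```

On a real system the same fields can be cross-checked against the output of `cryptsetup luksDump` for the device.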

29.2.1. Overview of LUKS

• What LUKS does:
  • LUKS encrypts entire block devices
    • LUKS is thereby well-suited for protecting the contents of mobile devices such as:
      • Removable storage media
      • Laptop disk drives
  • The underlying contents of the encrypted block device are arbitrary.
    • This makes it useful for encrypting swap devices.
    • This can also be useful with certain databases that use specially formatted block devices for
      data storage.
  • LUKS uses the existing device mapper kernel subsystem.
    • This is the same subsystem used by LVM, so it is well tested.
  • LUKS provides passphrase strengthening.
    • This protects against dictionary attacks.
  • LUKS devices contain multiple key slots.
    • This allows users to add backup keys/passphrases.
• What LUKS does not do: