On Sun, Mar 27, 2022 at 4:13 PM Dale <rdalek1967@×××××.com> wrote:
>
> What is the advantage of dm-crypt over cryptsetup? I've learned how to
> use cryptsetup with my external drive so was hoping to stick with what I
> already know. Unless there is an advantage to dm-crypt.

So, I suspect that terms are being used loosely here, but dm-crypt is
a kernel block device encryption layer, and cryptsetup is just a
userspace wrapper that sets up dm-crypt. I don't think cryptsetup
works without dm-crypt, but you could of course use dm-crypt without
cryptsetup.

There is an on-disk standard called LUKS that cryptsetup typically
uses. This stores metadata about the layout, fields to store session
keys encrypted with a passphrase, space to store info like rekeying
progress, and so on. The kernel dm-crypt will just want a cipher/key
to use and a range of disk blocks to apply it to. With LUKS /
cryptsetup you can do handy things like have a passphrase that goes
through many rounds to yield the session key, or the ability to have
multiple passphrases that work, or the ability to change the session
key, or temporarily store the session key in the clear so that the
drive can be used without a passphrase, and so on.

99% of the time Linux distros are using cryptsetup/LUKS to manage
encryption. If you wanted to use dm-crypt directly you'd basically
have to either re-implement your own version of LUKS, or memorize a
128-bit AES key. Even if you intend to use a key file I'd still
consider using LUKS just for the standardization and options.

I'm guessing that 99% of the time if somebody is talking about
dm-crypt, they really mean cryptsetup/LUKS+dm-crypt. (I think LUKS is
the on-disk standard, and cryptsetup is an implementation of it all.)

-- 
Rich
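The split Rich describes, as an added example that is not part of his message and not code from the cryptsetup project: the script builds a LUKS1 header in memory (the binary, pre-LUKS2 layout; LUKS2 keeps its metadata in a JSON area instead), parses the fields the message mentions (cipher, hash, master-key digest, eight key slots with their own salt and iteration count), derives a slot key with PBKDF2 to show the "many rounds" step, and checks a candidate master key against the header's digest. For contrast, it also formats the raw dm-crypt table line that `dmsetup` would take, where the key sits in the clear as hex with no passphrase layer at all. The master key, salts, UUID and key-material sector offsets are constructed values, not taken from a real device.

```python
# Added example: decode a LUKS1 header and check keys against it.
# Header bytes are constructed in memory; no device is read or written.
import hashlib
import hmac
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED = 0x00AC71F3        # LUKS1 key-slot state values
SLOT_DISABLED = 0x0000DEAD
HEADER_FMT = ">6sH32s32s32sII20s32sI40s"   # 208-byte fixed part, big-endian
SLOT_FMT = ">II32sII"                      # 48 bytes per slot, 8 slots follow
FIXED_LEN = struct.calcsize(HEADER_FMT)
SLOT_LEN = struct.calcsize(SLOT_FMT)
HEADER_LEN = FIXED_LEN + 8 * SLOT_LEN      # 592 bytes in total

MASTER_KEY = bytes(range(64))   # constructed 512-bit key for aes-xts-plain64 (two 256-bit halves)


def _cstr(field: bytes) -> str:
    """NUL-padded ASCII field -> str."""
    return field.split(b"\0", 1)[0].decode("ascii")


def is_luks1(buf: bytes) -> bool:
    return len(buf) >= 8 and buf[:6] == LUKS_MAGIC and buf[6:8] == b"\x00\x01"


def parse_header(buf: bytes) -> dict:
    """Decode the LUKS1 phdr; raises ValueError if the buffer is not one."""
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iter, uid) = struct.unpack_from(HEADER_FMT, buf, 0)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(8):
        active, iters, salt, km_off, stripes = struct.unpack_from(SLOT_FMT, buf, FIXED_LEN + i * SLOT_LEN)
        slots.append({"enabled": active == SLOT_ENABLED, "iterations": iters, "salt": salt,
                      "key_material_offset": km_off, "stripes": stripes})
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hash_spec),
            "payload_offset": payload_off, "key_bytes": key_bytes, "mk_digest": mk_digest,
            "mk_salt": mk_salt, "mk_iter": mk_iter, "uuid": _cstr(uid), "slots": slots}


def enabled_slots(hdr: dict) -> list:
    """Which of the eight passphrase slots are in use (the 'multiple passphrases' feature)."""
    return [i for i, s in enumerate(hdr["slots"]) if s["enabled"]]


def slot_key(hdr: dict, index: int, passphrase: bytes) -> bytes:
    """The 'many rounds' step: PBKDF2 over the slot's own salt and iteration count.
    In real LUKS1 this key then decrypts the anti-forensically split master key."""
    s = hdr["slots"][index]
    if not s["enabled"]:
        raise ValueError(f"key slot {index} is disabled")
    return hashlib.pbkdf2_hmac(hdr["hash"], passphrase, s["salt"], s["iterations"], hdr["key_bytes"])


def master_key_matches(hdr: dict, master_key: bytes) -> bool:
    """LUKS1 stores PBKDF2(master key, mk-salt, mk-iter) truncated to 20 bytes as a check value."""
    digest = hashlib.pbkdf2_hmac(hdr["hash"], master_key, hdr["mk_salt"], hdr["mk_iter"], 20)
    return hmac.compare_digest(digest, hdr["mk_digest"])


def dmcrypt_table_line(master_key: bytes, sectors: int, device: str, cipher: str = "aes-xts-plain64") -> str:
    """What bare dm-crypt wants instead: start, length, 'crypt', cipher, hex key, IV offset, device, offset.
    Returned as a string only; loading it with dmsetup needs root and a real block device."""
    return f"0 {sectors} crypt {cipher} {master_key.hex()} 0 {device} 0"


def build_header(master_key: bytes, hash_name: str = "sha256", enabled=(0, 3),
                 slot_iters: int = 2000, mk_iter: int = 1000) -> bytes:
    """Constructed header for the demo; salts, UUID and offsets are fixed, not random."""
    mk_salt = bytes(range(32))
    mk_digest = hashlib.pbkdf2_hmac(hash_name, master_key, mk_salt, mk_iter, 20)
    fixed = struct.pack(HEADER_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", hash_name.encode(),
                        4096, len(master_key), mk_digest, mk_salt, mk_iter,
                        b"00000000-0000-4000-8000-000000000000")
    slots = b"".join(
        struct.pack(SLOT_FMT,
                    SLOT_ENABLED if i in enabled else SLOT_DISABLED,
                    slot_iters if i in enabled else 0,
                    bytes([0x40 + i]) * 32,   # per-slot salt (constructed)
                    8 + i * 512,              # illustrative key-material sector
                    4000)                     # LUKS1 default anti-forensic stripe count
        for i in range(8))
    return fixed + slots


if __name__ == "__main__":
    hdr = parse_header(build_header(MASTER_KEY))
    print(hdr["cipher"], hdr["mode"], hdr["hash"], "key bytes:", hdr["key_bytes"])
    print("enabled key slots:", enabled_slots(hdr))
    print("master key verifies:", master_key_matches(hdr, MASTER_KEY))
    print("raw dm-crypt table:", dmcrypt_table_line(MASTER_KEY, 2048, "/dev/loop0"))
```

Note that `dmcrypt_table_line` is exactly the thing Rich means by "memorize an AES key": without the LUKS header there is no salt, no iteration count and no slot, just the raw key that the kernel is handed, so rotating it or adding a second passphrase is something you would have to build yourself.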