| 1 |
On Sun, Mar 27, 2022 at 4:13 PM Dale <rdalek1967@×××××.com> wrote: |
| 2 |
> |
| 3 |
> What is the advantage of dm-crypt over cryptsetup? I've learned how to |
| 4 |
> use cryptsetup with my external drive so was hoping to stick with what I |
| 5 |
> already know. Unless there is a advantage to dm-crypt. |
| 6 |
|
| 7 |
So, I suspect that terms are being used loosely here, but dm-crypt is |
| 8 |
a kernel block device encryption layer, and cryptsetup is just a |
| 9 |
userspace wrapper that sets up dm-crypt. I don't think cryptsetup |
| 10 |
works without dm-crypt, but you could of course use dm-crypt without |
| 11 |
cryptsetup. |
| 12 |
|
| 13 |
There is an on-disk standard called LUKS that cryptsetup typically |
| 14 |
uses. This stores metadata about the layout, fields to store session |
| 15 |
keys encrypted with a passphrase, space to store info like rekeying |
| 16 |
progress, and so on. The kernel dm-crypt will just want a cipher/key |
| 17 |
to use and a range of disk blocks to apply it to. With LUKS / |
| 18 |
cryptsetup you can do handy things like have a passphrase that goes |
| 19 |
through many rounds to yield the session key, or the ability to have |
| 20 |
multiple passphrases that work, or the ability to change the session |
| 21 |
key, or temporarily store the session key in the clear so that the |
| 22 |
drive can be used without a passphrase, and so on. |
| 23 |
|
| 24 |
99% of the time linux distros are using cryptsetup/LUKS to manage |
| 25 |
encryption. If you wanted to use dm-crypt directly you'd basically |
| 26 |
have to either re-implement your own version of LUKS, or memorize a |
| 27 |
128 bit AES key. Even if you intend to use a key file I'd still |
| 28 |
consider using LUKS just for the standardization and options. |
| 29 |
|
| 30 |
I'm guessing that 99% of the time if somebody is talking about |
| 31 |
dm-crypt, they really mean cryptsetup/LUKS+dm-crypt. (I think LUKS is |
| 32 |
the on-disk standard, and cryptsetup is an implementation of it all.) |
| 33 |
|
| 34 |
-- |
| 35 |
Rich |
Archives