admin-guide/device-mapper/dm-crypt.rst

2 dm-crypt
5 Device-Mapper's "crypt" target provides transparent encryption of block devices
13 	      <cipher> <key> <iv_offset> <device path> \
21        cipher[:keycount]-chainmode-ivmode[:ivopts]
25        aes-cbc-essiv:sha256
26        aes-xts-plain64
27        serpent-xts-plain64
36         capi:cipher_api_spec-ivmode[:ivopts]
40         capi:cbc(aes)-essiv:sha256
41         capi:xts(aes)-plain64
45         capi:gcm(aes)-random
46         capi:authenc(hmac(sha256),xts(aes))-random
47         capi:rfc7539(chacha20,poly1305)-random
51 <key>
52     Key used for encryption. It is encoded either as a hexadecimal number
55     You can only use key sizes that are valid for the selected cipher
57     Note that for some iv modes the key string can contain additional
58     keys (for example IV seed) so the key contains more parts concatenated
62     The kernel keyring key is identified by string in following format:
66     The encryption key size in bytes. The kernel key payload size must match
70     Either 'logon', 'user', 'encrypted' or 'trusted' kernel key type.
73     The kernel keyring key description crypt target should look for
74     when loading key of <key_type>.
77     Multi-key compatibility mode. You can define <keycount> keys and
79     sector 1 uses key1 etc.).  <keycount> must be a power of two.
117     Set dm-crypt workqueues and the writer thread to high priority. This
118     improves throughput and latency of dm-crypt while degrading general
122     Disable offloading writes to a separate thread after encryption.
130     Bypass dm-crypt internal workqueue and process read requests synchronously.
133     Bypass dm-crypt internal workqueue and process write requests synchronously.
134     This option is automatically enabled for host-managed zoned block devices
135     (e.g. host-managed SMR hard-disks).
138     The device requires additional <bytes> metadata per-sector stored
139     in per-bio integrity structure. This metadata must by provided
140     by underlying dm-integrity target.
151     This option can be in range 512 - 4096 bytes and must be power of two.
164    Use an integrity key of <bytes> size instead of using an integrity key size
171       is received, dm-crypt will split the request. The splitting improves
178       is received, dm-crypt will split the request. The splitting improves
186 LUKS (Linux Unified Key Setup) is now the preferred way to set up disk
187 encryption with dm-crypt using the 'cryptsetup' utility, see
194 …dmsetup create crypt1 --table "0 `blockdev --getsz $1` crypt aes-cbc-essiv:sha256 babebabebabebabe…
199 	# Create a crypt device using dmsetup when encryption key is stored in keyring service
200 …dmsetup create crypt2 --table "0 `blockdev --getsize $1` crypt aes-cbc-essiv:sha256 :32:logon:my_p…