TOMOYO Linux Cross Reference
Linux/Documentation/admin-guide/device-mapper/dm-crypt.rst

Differences between /Documentation/admin-guide/device-mapper/dm-crypt.rst (Version linux-6.12-rc7) and /Documentation/admin-guide/device-mapper/dm-crypt.rst (Version linux-2.6.32.71)


  1 ========                                          
  2 dm-crypt                                          
  3 ========                                          
  4                                                   
  5 Device-Mapper's "crypt" target provides transp    
  6 using the kernel crypto API.                      
  7                                                   
  8 For a more detailed description of supported p    
  9 https://gitlab.com/cryptsetup/cryptsetup/wikis    
 10                                                   
 11 Parameters::                                      
 12                                                   
 13               <cipher> <key> <iv_offset> <devi    
 14               <offset> [<#opt_params> <opt_par    
 15                                                   
 16 <cipher>                                          
 17     Encryption cipher, encryption mode and Ini    
 18                                                   
 19     The cipher specifications format is::         
 20                                                   
 21        cipher[:keycount]-chainmode-ivmode[:ivo    
 22                                                   
 23     Examples::                                    
 24                                                   
 25        aes-cbc-essiv:sha256                       
 26        aes-xts-plain64                            
 27        serpent-xts-plain64                        
 28                                                   
 29     Cipher format also supports direct specifi    
 30     format (selected by capi: prefix). The IV     
 31     as for the first format type.                 
 32     This format is mainly used for specificati    
 33                                                   
 34     The crypto API cipher specifications forma    
 35                                                   
 36         capi:cipher_api_spec-ivmode[:ivopts]      
 37                                                   
 38     Examples::                                    
 39                                                   
 40         capi:cbc(aes)-essiv:sha256                
 41         capi:xts(aes)-plain64                     
 42                                                   
 43     Examples of authenticated modes::             
 44                                                   
 45         capi:gcm(aes)-random                      
 46         capi:authenc(hmac(sha256),xts(aes))-ra    
 47         capi:rfc7539(chacha20,poly1305)-random    
 48                                                   
 49     The /proc/crypto contains a list of curren    
 50                                                   
 51 <key>                                             
 52     Key used for encryption. It is encoded eit    
 53     or it can be passed as <key_string> prefix    
 54     character (':') for keys residing in kerne    
 55     You can only use key sizes that are valid     
 56     in combination with the selected iv mode.     
 57     Note that for some iv modes the key string    
 58     keys (for example IV seed) so the key cont    
 59     into a single string.                         
 60                                                   
 61 <key_string>                                      
 62     The kernel keyring key is identified by st    
 63     <key_size>:<key_type>:<key_description>.      
 64                                                   
 65 <key_size>                                        
 66     The encryption key size in bytes. The kern    
 67     the value passed in <key_size>.               
 68                                                   
 69 <key_type>                                        
 70     Either 'logon', 'user', 'encrypted' or 'tr    
 71                                                   
 72 <key_description>                                 
 73     The kernel keyring key description crypt t    
 74     when loading key of <key_type>.               
 75                                                   
 76 <keycount>                                        
 77     Multi-key compatibility mode. You can defi    
 78     then sectors are encrypted according to th    
 79     sector 1 uses key1 etc.).  <keycount> must    
 80                                                   
 81 <iv_offset>                                       
 82     The IV offset is a sector count that is ad    
 83     before creating the IV.                       
 84                                                   
 85 <device path>                                     
 86     This is the device that is going to be use    
 87     encrypted data.  You can specify it as a p    
 88     number <major>:<minor>.                       
 89                                                   
 90 <offset>                                          
 91     Starting sector within the device where th    
 92                                                   
 93 <#opt_params>                                     
 94     Number of optional parameters. If there ar    
 95     the optional parameters section can be ski    
 96     Otherwise #opt_params is the number of fol    
 97                                                   
 98     Example of optional parameters section:       
 99         3 allow_discards same_cpu_crypt submit    
100                                                   
101 allow_discards                                    
102     Block discard requests (a.k.a. TRIM) are p    
103     The default is to ignore discard requests.    
104                                                   
105     WARNING: Assess the specific security risk    
106     option.  For example, allowing discards on    
107     the leak of information about the cipherte    
108     used space etc.) if the discarded blocks c    
109     device later.                                 
110                                                   
111 same_cpu_crypt                                    
112     Perform encryption using the same cpu that    
113     The default is to use an unbound workqueue    
114     is automatically balanced between availabl    
115                                                   
116 high_priority                                     
117     Set dm-crypt workqueues and the writer thr    
118     improves throughput and latency of dm-cryp    
119     responsiveness of the system.                 
120                                                   
121 submit_from_crypt_cpus                            
122     Disable offloading writes to a separate th    
123     There are some situations where offloading    
124     encryption threads to a single thread degr    
125     significantly.  The default is to offload     
126     thread because it benefits CFQ to have wri    
127     same context.                                 
128                                                   
129 no_read_workqueue                                 
130     Bypass dm-crypt internal workqueue and pro    
131                                                   
132 no_write_workqueue                                
133     Bypass dm-crypt internal workqueue and pro    
134     This option is automatically enabled for h    
135     (e.g. host-managed SMR hard-disks).           
136                                                   
137 integrity:<bytes>:<type>                          
138     The device requires additional <bytes> met    
139     in per-bio integrity structure. This metad    
140     by underlying dm-integrity target.            
141                                                   
142     The <type> can be "none" if metadata is us    
143                                                   
144     For Authenticated Encryption with Addition    
145     the <type> is "aead". An AEAD mode additio    
146     integrity for the encrypted device. The ad    
147     used for storing authentication tag (and p    
148                                                   
149 sector_size:<bytes>                               
150     Use <bytes> as the encryption unit instead    
151     This option can be in range 512 - 4096 byt    
152     Virtual device will announce this size as     
153                                                   
154 iv_large_sectors                                  
155    IV generators will use sector number counte    
156    instead of default 512 bytes sectors.          
157                                                   
158    For example, if <sector_size> is 4096 bytes    
159    sector will be 8 (without flag) and 1 if iv    
160    The <iv_offset> must be multiple of <sector    
161    if this flag is specified.                     
162                                                   
163 integrity_key_size:<bytes>                        
164    Use an integrity key of <bytes> size instea    
165    of the digest size of the used HMAC algorit    
166                                                   
167                                                   
168 Module parameters::                               
169    max_read_size                                  
170       Maximum size of read requests. When a re    
171       is received, dm-crypt will split the req    
172       concurrency (the split requests could be    
173       cores), but it also causes overhead. The    
174       fit the actual workload.                    
175                                                   
176    max_write_size                                 
177       Maximum size of write requests. When a r    
178       is received, dm-crypt will split the req    
179       concurrency (the split requests could be    
180       cores), but it also causes overhead. The    
181       fit the actual workload.                    
182                                                   
183                                                   
184 Example scripts                                   
185 ===============                                   
186 LUKS (Linux Unified Key Setup) is now the pref    
187 encryption with dm-crypt using the 'cryptsetup    
188 https://gitlab.com/cryptsetup/cryptsetup          
189                                                   
190 ::                                                
191                                                   
192         #!/bin/sh                                 
193         # Create a crypt device using dmsetup     
194         dmsetup create crypt1 --table "0 `bloc    
195                                                   
196 ::                                                
197                                                   
198         #!/bin/sh                                 
199         # Create a crypt device using dmsetup     
200         dmsetup create crypt2 --table "0 `bloc    
201                                                   
202 ::                                                
203                                                   
204         #!/bin/sh                                 
205         # Create a crypt device using cryptset    
206         cryptsetup luksFormat $1                  
207         cryptsetup luksOpen $1 crypt1             
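
A parser for the two `<cipher>` specification formats described above, added here as an illustration; it is not part of the kernel documentation or of cryptsetup. The function names are hypothetical, and because the first format's tail is cut off on this page, the code assumes it ends in `[:ivopts]` like the `capi:` form.

```python
def _rsplit_top(s, sep):
    """Split s at the last sep that is outside parentheses."""
    depth, cut = 0, -1
    for i, ch in enumerate(s):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == sep and depth == 0:
            cut = i
        if depth < 0:
            raise ValueError("unbalanced parentheses in %r" % s)
    if depth != 0:
        raise ValueError("unbalanced parentheses in %r" % s)
    return (s, None) if cut < 0 else (s[:cut], s[cut + 1:])


def parse_cipher_spec(spec):
    """Return the components of a dm-crypt <cipher> field as a dict."""
    if spec.startswith("capi:"):
        # capi:cipher_api_spec-ivmode[:ivopts]
        # The API spec may hold '-', ':' or ',' inside parentheses, so the
        # separators are only honoured at nesting depth 0, ivopts first.
        head, ivopts = _rsplit_top(spec[len("capi:"):], ":")
        api_spec, ivmode = _rsplit_top(head, "-")
        if not api_spec or not ivmode:
            raise ValueError("expected capi:cipher_api_spec-ivmode[:ivopts]")
        return {"format": "capi", "api_spec": api_spec,
                "ivmode": ivmode, "ivopts": ivopts or None}
    # cipher[:keycount]-chainmode-ivmode[:ivopts]; only the first two '-'
    # split, so an ivopts value that contains '-' stays intact.
    parts = spec.split("-", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected cipher[:keycount]-chainmode-ivmode[:ivopts]")
    cipher, _, keycount = parts[0].partition(":")
    ivmode, _, ivopts = parts[2].partition(":")
    if not cipher or not ivmode or (keycount and not keycount.isdigit()):
        raise ValueError("malformed cipher or keycount in %r" % spec)
    return {"format": "dm-crypt", "cipher": cipher,
            "keycount": int(keycount) if keycount else 1,
            "chainmode": parts[1], "ivmode": ivmode, "ivopts": ivopts or None}


if __name__ == "__main__":
    # Specs copied from the examples listed in the document.
    for s in ("aes-cbc-essiv:sha256", "serpent-xts-plain64",
              "capi:cbc(aes)-essiv:sha256", "capi:gcm(aes)-random",
              "capi:rfc7539(chacha20,poly1305)-random"):
        print(s, "->", parse_cipher_spec(s))
```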
                                                      
