TOMOYO Linux Cross Reference
Linux/Documentation/admin-guide/device-mapper/dm-crypt.rst

Diff markup

Differences between /Documentation/admin-guide/device-mapper/dm-crypt.rst (Version linux-6.12-rc7) and /Documentation/admin-guide/device-mapper/dm-crypt.rst (Version linux-5.4.285)


  1 ========                                            1 ========
  2 dm-crypt                                            2 dm-crypt
  3 ========                                            3 ========
  4                                                     4 
  5 Device-Mapper's "crypt" target provides transp      5 Device-Mapper's "crypt" target provides transparent encryption of block devices
  6 using the kernel crypto API.                        6 using the kernel crypto API.
  7                                                     7 
  8 For a more detailed description of supported p      8 For a more detailed description of supported parameters see:
  9 https://gitlab.com/cryptsetup/cryptsetup/wikis      9 https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
 10                                                    10 
 11 Parameters::                                       11 Parameters::
 12                                                    12 
 13               <cipher> <key> <iv_offset> <devi     13               <cipher> <key> <iv_offset> <device path> \
 14               <offset> [<#opt_params> <opt_par     14               <offset> [<#opt_params> <opt_params>]
 15                                                    15 
 16 <cipher>                                           16 <cipher>
 17     Encryption cipher, encryption mode and Ini     17     Encryption cipher, encryption mode and Initial Vector (IV) generator.
 18                                                    18 
 19     The cipher specifications format is::          19     The cipher specifications format is::
 20                                                    20 
 21        cipher[:keycount]-chainmode-ivmode[:ivo     21        cipher[:keycount]-chainmode-ivmode[:ivopts]
 22                                                    22 
 23     Examples::                                     23     Examples::
 24                                                    24 
 25        aes-cbc-essiv:sha256                        25        aes-cbc-essiv:sha256
 26        aes-xts-plain64                             26        aes-xts-plain64
 27        serpent-xts-plain64                         27        serpent-xts-plain64
 28                                                    28 
 29     Cipher format also supports direct specifi     29     Cipher format also supports direct specification with kernel crypt API
 30     format (selected by capi: prefix). The IV      30     format (selected by capi: prefix). The IV specification is the same
 31     as for the first format type.                  31     as for the first format type.
 32     This format is mainly used for specificati     32     This format is mainly used for specification of authenticated modes.
 33                                                    33 
 34     The crypto API cipher specifications forma     34     The crypto API cipher specifications format is::
 35                                                    35 
 36         capi:cipher_api_spec-ivmode[:ivopts]       36         capi:cipher_api_spec-ivmode[:ivopts]
 37                                                    37 
 38     Examples::                                     38     Examples::
 39                                                    39 
 40         capi:cbc(aes)-essiv:sha256                 40         capi:cbc(aes)-essiv:sha256
 41         capi:xts(aes)-plain64                      41         capi:xts(aes)-plain64
 42                                                    42 
 43     Examples of authenticated modes::              43     Examples of authenticated modes::
 44                                                    44 
 45         capi:gcm(aes)-random                       45         capi:gcm(aes)-random
 46         capi:authenc(hmac(sha256),xts(aes))-ra     46         capi:authenc(hmac(sha256),xts(aes))-random
 47         capi:rfc7539(chacha20,poly1305)-random     47         capi:rfc7539(chacha20,poly1305)-random
 48                                                    48 
 49     The /proc/crypto contains a list of curren !!  49     The /proc/crypto contains a list of curently loaded crypto modes.
 50                                                    50 
 51 <key>                                              51 <key>
 52     Key used for encryption. It is encoded eit     52     Key used for encryption. It is encoded either as a hexadecimal number
 53     or it can be passed as <key_string> prefix     53     or it can be passed as <key_string> prefixed with single colon
 54     character (':') for keys residing in kerne     54     character (':') for keys residing in kernel keyring service.
 55     You can only use key sizes that are valid      55     You can only use key sizes that are valid for the selected cipher
 56     in combination with the selected iv mode.      56     in combination with the selected iv mode.
 57     Note that for some iv modes the key string     57     Note that for some iv modes the key string can contain additional
 58     keys (for example IV seed) so the key cont     58     keys (for example IV seed) so the key contains more parts concatenated
 59     into a single string.                          59     into a single string.
 60                                                    60 
 61 <key_string>                                       61 <key_string>
 62     The kernel keyring key is identified by st     62     The kernel keyring key is identified by string in following format:
 63     <key_size>:<key_type>:<key_description>.       63     <key_size>:<key_type>:<key_description>.
 64                                                    64 
 65 <key_size>                                         65 <key_size>
 66     The encryption key size in bytes. The kern     66     The encryption key size in bytes. The kernel key payload size must match
 67     the value passed in <key_size>.                67     the value passed in <key_size>.
 68                                                    68 
 69 <key_type>                                         69 <key_type>
 70     Either 'logon', 'user', 'encrypted' or 'tr !!  70     Either 'logon' or 'user' kernel key type.
 71                                                    71 
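Review bot: the widened list of key types at line 70 is cut off in this rendering after "'tr", and the text that is visible gives no guidance on choosing between the types. The entry should say that the rule at lines 66-67 (kernel key payload size must equal <key_size>) applies whichever type is used, and should say which type is appropriate for a volume key: a 'logon' key cannot be read back from userspace, whereas a 'user' key can be read by any process holding read permission on it, so 'logon' is the safer default for a key that is only ever meant to be consumed by the crypt target.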
 72 <key_description>                                  72 <key_description>
 73     The kernel keyring key description crypt t     73     The kernel keyring key description crypt target should look for
 74     when loading key of <key_type>.                74     when loading key of <key_type>.
 75                                                    75 
 76 <keycount>                                         76 <keycount>
 77     Multi-key compatibility mode. You can defi     77     Multi-key compatibility mode. You can define <keycount> keys and
 78     then sectors are encrypted according to th     78     then sectors are encrypted according to their offsets (sector 0 uses key0;
 79     sector 1 uses key1 etc.).  <keycount> must     79     sector 1 uses key1 etc.).  <keycount> must be a power of two.
 80                                                    80 
 81 <iv_offset>                                        81 <iv_offset>
 82     The IV offset is a sector count that is ad     82     The IV offset is a sector count that is added to the sector number
 83     before creating the IV.                        83     before creating the IV.
 84                                                    84 
 85 <device path>                                      85 <device path>
 86     This is the device that is going to be use     86     This is the device that is going to be used as backend and contains the
 87     encrypted data.  You can specify it as a p     87     encrypted data.  You can specify it as a path like /dev/xxx or a device
 88     number <major>:<minor>.                        88     number <major>:<minor>.
 89                                                    89 
 90 <offset>                                           90 <offset>
 91     Starting sector within the device where th     91     Starting sector within the device where the encrypted data begins.
 92                                                    92 
 93 <#opt_params>                                      93 <#opt_params>
 94     Number of optional parameters. If there ar     94     Number of optional parameters. If there are no optional parameters,
 95     the optional parameters section can be ski !!  95     the optional paramaters section can be skipped or #opt_params can be zero.
 96     Otherwise #opt_params is the number of fol     96     Otherwise #opt_params is the number of following arguments.
 97                                                    97 
 98     Example of optional parameters section:        98     Example of optional parameters section:
 99         3 allow_discards same_cpu_crypt submit     99         3 allow_discards same_cpu_crypt submit_from_crypt_cpus
100                                                   100 
101 allow_discards                                    101 allow_discards
102     Block discard requests (a.k.a. TRIM) are p    102     Block discard requests (a.k.a. TRIM) are passed through the crypt device.
103     The default is to ignore discard requests.    103     The default is to ignore discard requests.
104                                                   104 
105     WARNING: Assess the specific security risk    105     WARNING: Assess the specific security risks carefully before enabling this
106     option.  For example, allowing discards on    106     option.  For example, allowing discards on encrypted devices may lead to
107     the leak of information about the cipherte    107     the leak of information about the ciphertext device (filesystem type,
108     used space etc.) if the discarded blocks c    108     used space etc.) if the discarded blocks can be located easily on the
109     device later.                                 109     device later.
110                                                   110 
111 same_cpu_crypt                                    111 same_cpu_crypt
112     Perform encryption using the same cpu that    112     Perform encryption using the same cpu that IO was submitted on.
113     The default is to use an unbound workqueue    113     The default is to use an unbound workqueue so that encryption work
114     is automatically balanced between availabl    114     is automatically balanced between available CPUs.
115                                                   115 
116 high_priority                                  << 
117     Set dm-crypt workqueues and the writer thr << 
118     improves throughput and latency of dm-cryp << 
119     responsiveness of the system.              << 
120                                                << 
121 submit_from_crypt_cpus                            116 submit_from_crypt_cpus
122     Disable offloading writes to a separate th    117     Disable offloading writes to a separate thread after encryption.
123     There are some situations where offloading    118     There are some situations where offloading write bios from the
124     encryption threads to a single thread degr    119     encryption threads to a single thread degrades performance
125     significantly.  The default is to offload     120     significantly.  The default is to offload write bios to the same
126     thread because it benefits CFQ to have wri    121     thread because it benefits CFQ to have writes submitted using the
127     same context.                                 122     same context.
128                                                   123 
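Review bot: the high_priority entry (lines 116-119) is cut off in this rendering; what survives says it "improves throughput and latency of dm-cryp" and ends with "responsiveness of the system", but the clause connecting the two is not visible, so a reader of this page cannot tell whether the second phrase is a benefit or the cost. The entry should state the default (off, like the other performance flags in this list) and spell out the trade-off in one sentence, since elevating the crypt workqueues and writer thread above other work is not a free win on a shared host.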
129 no_read_workqueue                              << 
130     Bypass dm-crypt internal workqueue and pro << 
131                                                << 
132 no_write_workqueue                             << 
133     Bypass dm-crypt internal workqueue and pro << 
134     This option is automatically enabled for h << 
135     (e.g. host-managed SMR hard-disks).        << 
136                                                << 
137 integrity:<bytes>:<type>                          124 integrity:<bytes>:<type>
138     The device requires additional <bytes> met    125     The device requires additional <bytes> metadata per-sector stored
139     in per-bio integrity structure. This metad    126     in per-bio integrity structure. This metadata must by provided
140     by underlying dm-integrity target.            127     by underlying dm-integrity target.
141                                                   128 
142     The <type> can be "none" if metadata is us    129     The <type> can be "none" if metadata is used only for persistent IV.
143                                                   130 
144     For Authenticated Encryption with Addition    131     For Authenticated Encryption with Additional Data (AEAD)
145     the <type> is "aead". An AEAD mode additio    132     the <type> is "aead". An AEAD mode additionally calculates and verifies
146     integrity for the encrypted device. The ad    133     integrity for the encrypted device. The additional space is then
147     used for storing authentication tag (and p    134     used for storing authentication tag (and persistent IV if needed).
148                                                   135 
149 sector_size:<bytes>                               136 sector_size:<bytes>
150     Use <bytes> as the encryption unit instead    137     Use <bytes> as the encryption unit instead of 512 bytes sectors.
151     This option can be in range 512 - 4096 byt    138     This option can be in range 512 - 4096 bytes and must be power of two.
152     Virtual device will announce this size as     139     Virtual device will announce this size as a minimal IO and logical sector.
153                                                   140 
154 iv_large_sectors                                  141 iv_large_sectors
155    IV generators will use sector number counte    142    IV generators will use sector number counted in <sector_size> units
156    instead of default 512 bytes sectors.          143    instead of default 512 bytes sectors.
157                                                   144 
158    For example, if <sector_size> is 4096 bytes    145    For example, if <sector_size> is 4096 bytes, plain64 IV for the second
159    sector will be 8 (without flag) and 1 if iv    146    sector will be 8 (without flag) and 1 if iv_large_sectors is present.
160    The <iv_offset> must be multiple of <sector    147    The <iv_offset> must be multiple of <sector_size> (in 512 bytes units)
161    if this flag is specified.                     148    if this flag is specified.
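Review bot: the no_read_workqueue and no_write_workqueue entries (lines 129-135) both open with "Bypass dm-crypt internal workqueue and pro" and are cut off in this rendering, so the visible text neither explains the consequence of running the cipher inline in the submitter's context instead of a workqueue nor says how these flags interact with same_cpu_crypt and submit_from_crypt_cpus (lines 111-127), which also decide where encryption and write submission happen. Lines 134-135 say no_write_workqueue is enabled automatically for host-managed SMR disks, which require writes to be issued in order; the entry should state that reason and say whether a table that omits the flag on such a device still shows it in the status output, otherwise an administrator auditing the table has no way to know the flag is in effect.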
162                                                << 
163 integrity_key_size:<bytes>                     << 
164    Use an integrity key of <bytes> size instea << 
165    of the digest size of the used HMAC algorit << 
166                                                << 
167                                                << 
168 Module parameters::                            << 
169    max_read_size                               << 
170       Maximum size of read requests. When a re << 
171       is received, dm-crypt will split the req << 
172       concurrency (the split requests could be << 
173       cores), but it also causes overhead. The << 
174       fit the actual workload.                 << 
175                                                << 
176    max_write_size                              << 
177       Maximum size of write requests. When a r << 
178       is received, dm-crypt will split the req << 
179       concurrency (the split requests could be << 
180       cores), but it also causes overhead. The << 
181       fit the actual workload.                 << 
182                                                << 
183                                                   149 
184 Example scripts                                   150 Example scripts
185 ===============                                   151 ===============
186 LUKS (Linux Unified Key Setup) is now the pref    152 LUKS (Linux Unified Key Setup) is now the preferred way to set up disk
187 encryption with dm-crypt using the 'cryptsetup    153 encryption with dm-crypt using the 'cryptsetup' utility, see
188 https://gitlab.com/cryptsetup/cryptsetup          154 https://gitlab.com/cryptsetup/cryptsetup
189                                                   155 
190 ::                                                156 ::
191                                                   157 
192         #!/bin/sh                                 158         #!/bin/sh
193         # Create a crypt device using dmsetup     159         # Create a crypt device using dmsetup
194         dmsetup create crypt1 --table "0 `bloc    160         dmsetup create crypt1 --table "0 `blockdev --getsz $1` crypt aes-cbc-essiv:sha256 babebabebabebabebabebabebabebabe 0 $1 0"
195                                                   161 
196 ::                                                162 ::
197                                                   163 
198         #!/bin/sh                                 164         #!/bin/sh
199         # Create a crypt device using dmsetup     165         # Create a crypt device using dmsetup when encryption key is stored in keyring service
200         dmsetup create crypt2 --table "0 `bloc    166         dmsetup create crypt2 --table "0 `blockdev --getsize $1` crypt aes-cbc-essiv:sha256 :32:logon:my_prefix:my_key 0 $1 0"
201                                                   167 
202 ::                                                168 ::
203                                                   169 
204         #!/bin/sh                                 170         #!/bin/sh
205         # Create a crypt device using cryptset    171         # Create a crypt device using cryptsetup and LUKS header with default cipher
206         cryptsetup luksFormat $1                  172         cryptsetup luksFormat $1
207         cryptsetup luksOpen $1 crypt1             173         cryptsetup luksOpen $1 crypt1
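Review bot: the second script (line 200) calls `blockdev --getsize` while the first (line 194) uses `blockdev --getsz`; `--getsize` is the deprecated 32-bit sector-count form in util-linux, so both examples should use `--getsz`. The first script also puts the raw hex key `babebabebabebabebabebabebabebabe` directly on the dmsetup command line, where it is visible in process listings and shell history; a sentence pointing at the keyring form used by the second script (`:32:logon:my_prefix:my_key`) as the way to avoid that would make the example safer to copy. The added module parameters max_read_size and max_write_size (lines 168-181) are cut off in this rendering, but as far as the visible text goes neither entry states its unit or default value, which a reader needs before tuning them to "fit the actual workload".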
                                                      
