Release of Cryptsetup 2.7 with support for OPAL hardware disk encryption

Cryptsetup 2.7, a set of utilities for configuring encryption of disk partitions in Linux using the dm-crypt module, has been published. It supports dm-crypt, LUKS, LUKS2, BITLK, loop-AES and TrueCrypt/VeraCrypt volumes. The release also includes the veritysetup and integritysetup utilities for configuring data integrity checking based on the dm-verity and dm-integrity modules.

Key improvements:

  • It is now possible to use the OPAL hardware disk encryption mechanism, supported by SED (Self-Encrypting Drive) SATA and NVMe drives with the TCG OPAL2 interface, in which the encryption engine is built directly into the drive controller. On the one hand, OPAL encryption is tied to proprietary hardware and is not open to public audit; on the other hand, it can serve as an additional layer of protection over software encryption without reducing performance or loading the CPU.

    Using OPAL with LUKS2 requires a Linux kernel built with the CONFIG_BLK_SED_OPAL option and OPAL support enabled in Cryptsetup (it is disabled by default). LUKS2 OPAL is set up in the same way as software encryption, with the metadata stored in the LUKS2 header. The key is split into a partition key for software encryption (dm-crypt) and an unlock key for OPAL. OPAL can be used together with software encryption (cryptsetup luksFormat --hw-opal) or on its own (cryptsetup luksFormat --hw-opal-only). OPAL devices are activated and deactivated with the same commands (open, close, luksSuspend, luksResume) as other LUKS2 devices.

  • In plain mode, where neither the master key nor a header is stored on disk, the default cipher is now aes-xts-plain64 and the default hash is sha256 (XTS replaces the CBC mode, which has performance problems, and sha256 replaces the outdated ripemd160 hash).
  • The open and luksResume commands can store the partition key in a kernel keyring chosen by the user. To work with the keyring, the "--volume-key-keyring" option has been added to many cryptsetup commands (for example: cryptsetup open --link-vk-to-keyring "@s::%user:testkey" tst).
  • On systems without a swap partition, formatting or creating a key slot with the Argon2 PBKDF now uses at most half of the free memory, which avoids exhausting available memory on systems with little RAM.
  • Added "--external-tokens-path" option to specify the directory for external LUKS2 token handlers (plugins).
  • tcrypt (TrueCrypt/VeraCrypt support) now supports the Blake2 hash algorithm for VeraCrypt volumes.
  • Added support for the Aria block cipher.
  • Added support for the Argon2 implementations in OpenSSL 3.2 and libgcrypt, eliminating the need for libargon2.
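The following shell script is an added example, not code from the cryptsetup project, that ties the OPAL, keyring and plain-mode items above together as a small wrapper. Every function builds the cryptsetup command and prints it when DRY_RUN=1, so the argument handling can be checked on a machine without an OPAL drive; with DRY_RUN unset it runs the command for real (as root). The kernel_has_opal check reads a kernel config file you point it at, and the cryptsetup_has_opal check assumes that a build with OPAL enabled lists --hw-opal in its --help output. Device paths, mapping names and the keyring description are placeholders.

```shell
#!/bin/sh
# Added example (not part of cryptsetup): wrapper functions for the
# cryptsetup 2.7 features described in the release notes. Set DRY_RUN=1 to
# print the command that would run instead of executing it.

# Run the command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# kernel_has_opal CONFIG_FILE
# Succeeds only if the kernel config enables CONFIG_BLK_SED_OPAL, the
# option the release notes require for LUKS2 OPAL (e.g. /boot/config-$(uname -r)).
kernel_has_opal() {
    grep -q '^CONFIG_BLK_SED_OPAL=y$' "$1"
}

# cryptsetup_has_opal
# Succeeds if the installed cryptsetup was built with OPAL support (off by
# default). Assumption: such a build advertises --hw-opal in its --help text.
cryptsetup_has_opal() {
    cryptsetup --help 2>/dev/null | grep -q -- '--hw-opal'
}

# opal_format DEVICE MODE
#   MODE=combined -> OPAL underneath dm-crypt software encryption (--hw-opal)
#   MODE=only     -> OPAL alone, no software layer (--hw-opal-only)
# Returns 2 on an unknown mode so a typo never formats anything.
opal_format() {
    dev=$1
    case $2 in
        combined) flag=--hw-opal ;;
        only)     flag=--hw-opal-only ;;
        *) echo "opal_format: mode must be 'combined' or 'only'" >&2; return 2 ;;
    esac
    run cryptsetup luksFormat --type luks2 "$flag" "$dev"
}

# luks_open_linked DEVICE NAME KEYRING
# Activates a LUKS2 device (OPAL or software, the command is the same) and
# links the volume key into KEYRING with the new --link-vk-to-keyring option,
# e.g. KEYRING='@s::%user:testkey' as in the release notes.
luks_open_linked() {
    run cryptsetup open --link-vk-to-keyring "$3" "$1" "$2"
}

# plain_open DEVICE NAME CIPHER HASH
# Plain mode stores no header, so cipher and hash are not recorded on disk.
# 2.7 changed the defaults to aes-xts-plain64 / sha256 (previously
# aes-cbc-essiv:sha256 / ripemd160); pinning both explicitly keeps a device
# created under the old defaults readable after the upgrade.
plain_open() {
    run cryptsetup open --type plain --cipher "$3" --hash "$4" "$1" "$2"
}

# Usage sketch (placeholders):
#   kernel_has_opal "/boot/config-$(uname -r)" && cryptsetup_has_opal \
#     && opal_format /dev/nvme0n1p2 combined
#   luks_open_linked /dev/nvme0n1p2 tst '@s::%user:testkey'
#   plain_open /dev/sdb1 legacy aes-cbc-essiv:sha256 ripemd160
```

The plain_open helper is the caveat worth remembering from the plain-mode change: because nothing on disk records which cipher and hash were used, a plain device relies entirely on the caller passing the same parameters each time, and a change in defaults between versions silently produces garbage instead of an error.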

Source: opennet.ru
