Introduction to cryptsetup
cryptsetup is used to set up transparent encryption of block
devices using the kernel crypto API.
Note
Development versions of BLFS may not build or run some packages
properly if LFS or dependencies have been updated since the most
recent stable versions of the books.
Package Information
cryptsetup Dependencies
Required
JSON-C-0.18, LVM2-2.03.29, and popt-1.19
Optional
asciidoctor-2.0.23, libpwquality-1.4.5, argon2, libssh, and passwdqc
Kernel
Configuration
Encrypted block devices require kernel support. To use it, the
appropriate kernel configuration parameters need to be set:
Device Drivers --->
[*] Multiple devices driver support (RAID and LVM) ---> [MD]
<*/M> Device mapper support [BLK_DEV_DM]
<*/M> Crypt target support [DM_CRYPT]
-*- Cryptographic API ---> [CRYPTO]
Block ciphers --->
<*/M> AES (Advanced Encryption Standard) [CRYPTO_AES]
# For tests:
<*/M> Twofish [CRYPTO_TWOFISH]
Length-preserving ciphers and modes --->
<*/M> XTS (XOR Encrypt XOR with ciphertext stealing) [CRYPTO_XTS]
Hashes, digests, and MACs --->
<*/M> SHA-224 and SHA-256 [CRYPTO_SHA256]
Userspace interface --->
<*/M> Symmetric key cipher algorithms [CRYPTO_USER_API_SKCIPHER]
Installation of cryptsetup
Install cryptsetup by running the
following commands:
./configure --prefix=/usr \
--disable-ssh-token \
--disable-asciidoc &&
make
To test the result, issue as the root
user: make
check. Some tests will fail if appropriate kernel
configuration options are not set. Some additional options that may
be needed for tests are:
CONFIG_SCSI_LOWLEVEL,
CONFIG_SCSI_DEBUG,
CONFIG_BLK_DEV_DM_BUILTIN,
CONFIG_CRYPTO_USER,
CONFIG_CRYPTO_CRYPTD,
CONFIG_CRYPTO_LRW,
CONFIG_CRYPTO_XTS,
CONFIG_CRYPTO_ESSIV,
CONFIG_CRYPTO_CRCT10DIF,
CONFIG_CRYPTO_AES_TI,
CONFIG_CRYPTO_AES_NI_INTEL,
CONFIG_CRYPTO_BLOWFISH,
CONFIG_CRYPTO_CAST5,
CONFIG_CRYPTO_SERPENT,
CONFIG_CRYPTO_SERPENT_SSE2_X86_64,
CONFIG_CRYPTO_SERPENT_AVX_X86_64,
CONFIG_CRYPTO_SERPENT_AVX2_X86_64, and
CONFIG_CRYPTO_TWOFISH_X86_64
Now, as the root
user:
make install
Command Explanations
--disable-ssh-token
: This
switch is required if the optional libssh dependency is not
installed.
--disable-asciidoc
: This
switch disables regeneration of the man pages. Remove this switch
if you have asciidoctor-2.0.23 installed and
wish to regenerate the man pages. Note that even if this switch is
used, the pre-generated man pages are shipped in the tarball and
they'll still be installed.
Configuring cryptsetup
Because of the number of possible configurations, setup of
encrypted volumes is beyond the scope of the BLFS book. Please see
the configuration guide in the cryptsetup
FAQ.
Contents
Installed Programs:
cryptsetup, cryptsetup-reencrypt,
integritysetup, and veritysetup
Installed Libraries:
libcryptsetup.so
Installed Directories:
None
Short Descriptions
cryptsetup
|
is used to setup dm-crypt managed device-mapper mappings
|
cryptsetup-reencrypt
|
is a tool for offline LUKS device re-encryption
|
integritysetup
|
is a tool to manage dm-integrity (block level integrity)
volumes
|
veritysetup
|
is used to configure dm-verity managed device-mapper
mappings. The Device-mapper verity target provides
read-only transparent integrity checking of block devices
using the kernel crypto API
|