
C.2. Encrypting Block Devices Using dm-crypt/LUKS

LUKS (Linux Unified Key Setup) is a specification for block device encryption. It establishes an on-disk format for the data, as well as a passphrase/key management policy.
LUKS uses the kernel device mapper subsystem via the dm-crypt module. This arrangement provides a low-level mapping that handles encryption and decryption of the device's data. User-level operations, such as creating and accessing encrypted devices, are accomplished through the use of the cryptsetup utility.

C.2.1. Overview of LUKS

  • What LUKS does:
    • LUKS encrypts entire block devices
      • LUKS is thereby well-suited for protecting the contents of mobile devices such as:
        • Removable storage media
        • Laptop disk drives
    • The underlying contents of the encrypted block device are arbitrary.
      • This makes it useful for encrypting swap devices.
      • This can also be useful with certain databases that use specially formatted block devices for data storage.
    • LUKS uses the existing device mapper kernel subsystem.
      • This is the same subsystem used by LVM, so it is well tested.
    • LUKS provides passphrase strengthening.
      • This protects against dictionary attacks.
    • LUKS devices contain multiple key slots.
      • This allows users to add backup keys/passphrases.
  • What LUKS does not do:
    • LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.
    • LUKS is not well-suited for applications requiring file-level encryption.
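
The key-slot and passphrase-strengthening points in the list above, shown as an added example that is not part of the original documentation or of cryptsetup: a simplified Python model, not the LUKS on-disk format. The ToyVolume class, its method names, the iteration count, the use of PBKDF2 as the stretching function and the XOR wrapping are assumptions made for illustration; a real header wraps the master key with a cipher.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # constructed value for the example; higher means slower guessing
MAX_SLOTS = 8        # the eight-key limit noted in the list above

def stretch(passphrase, salt, iterations=ITERATIONS):
    """Passphrase strengthening: every guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, 32)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToyVolume:
    """Toy header: one random master key, XOR-wrapped separately in each slot."""
    def __init__(self, passphrase):
        self.digest_salt = os.urandom(16)
        master = os.urandom(32)
        self.mk_digest = self._digest(master)  # recognises the key without storing it
        self.slots = [None] * MAX_SLOTS
        self._fill(0, passphrase, master)

    def _digest(self, master):
        return hashlib.pbkdf2_hmac("sha256", master, self.digest_salt, 1000, 20)

    def _fill(self, index, passphrase, master):
        salt = os.urandom(16)  # per-slot salt defeats precomputed dictionaries
        self.slots[index] = (salt, xor(master, stretch(passphrase, salt)))

    def unlock(self, passphrase):
        for salt, wrapped in filter(None, self.slots):  # active slots only
            candidate = xor(wrapped, stretch(passphrase, salt))
            if hmac.compare_digest(self._digest(candidate), self.mk_digest):
                return candidate
        return None  # no slot opened with this passphrase

    def add_key(self, existing, new):
        master = self.unlock(existing)
        if master is None:
            raise PermissionError("existing passphrase opens no slot")
        if None not in self.slots:
            raise RuntimeError("all eight key slots are in use")
        index = self.slots.index(None)
        self._fill(index, new, master)  # same master key, new passphrase
        return index

    def remove_key(self, index):
        self.slots[index] = None  # remaining slots still unlock the volume
```

Because every slot wraps the same master key, adding or removing a passphrase never requires re-encrypting the data, and a wrong guess costs one full stretch per active slot.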