Cryptsetup 2.7.0 Unveils Advanced OPAL Hardware Encryption Support

Cryptsetup's latest release adds support for OPAL self-encrypting drives, letting users layer dm-crypt on top of the drive's own encryption, with a caveat about how far the hardware should be trusted.

Cryptsetup is a utility for configuring and managing the Linux Unified Key Setup (LUKS), the standard on-disk format for block device encryption on Linux. With it, users can encrypt whole disks, individual partitions, or file-backed loop devices, protecting the data at rest.

It is used together with the dm-crypt kernel module, which performs the actual encryption. The tool offers a command-line interface for creating, opening, and managing encrypted volumes.

The just-released new version, Cryptsetup 2.7.0, brings some exciting new features, so let’s take a look at them.

Cryptsetup 2.7.0 Highlights

The headline feature of this release is support for hardware OPAL disk encryption. It covers both SATA and NVMe self-encrypting drives (SEDs) that implement the TCG OPAL 2.0 interface.

This gives users a choice that has long been contentious: rely on the drive's hardware encryption alone, which means trusting a proprietary implementation that cannot be audited, or layer software (dm-crypt) encryption on top of the hardware locking range, so that a flawed or backdoored drive does not by itself expose the data.

The LUKS2 implementation is particularly noteworthy. It drives the hardware encryption through the Linux kernel SED OPAL interface and therefore requires a kernel built with the CONFIG_BLK_SED_OPAL option. OPAL is not used by default: it has to be requested at luksFormat time with the new --hw-opal option (dm-crypt layered on top of the OPAL locking range) or --hw-opal-only (hardware encryption alone).

The release also deals with the practical side of setting OPAL up. If the OPAL device is in factory-reset state, cryptsetup configures the OPAL admin user and asks for a new admin password during luksFormat. That admin password is distinct from the LUKS passphrase: the passphrase unlocks the LUKS keyslot, which holds both the dm-crypt volume key and the key for the OPAL locking range, so normal activation needs only the passphrase, while the admin password is needed only for operations that reconfigure the locking range, such as formatting or erasing the device.
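The format-then-open workflow described above, as an added example written for this article (it is not cryptsetup's own code and does not come from the release announcement). It assumes a hypothetical OPAL_DEV environment variable naming a directly attached self-encrypting drive, root privileges, and cryptsetup 2.7.0 or later; the --hw-opal and --hw-opal-only options are the ones this release introduces.

```shell
#!/bin/sh
# Added example, not code from the cryptsetup project or the article above.
# Assumptions: OPAL_DEV (hypothetical) names a self-encrypting SATA/NVMe drive
# attached directly to the host (not through a USB adapter), the kernel was
# built with CONFIG_BLK_SED_OPAL, and cryptsetup >= 2.7.0 is installed.
# luksFormat destroys the data on the drive; run as root on a scratch device.
set -eu

# Return 0 if the given kernel config file (default: the running kernel's
# /boot config) enables the SED OPAL block layer, 1 otherwise.
sed_opal_in_config() {
    cfg="${1:-/boot/config-$(uname -r)}"
    grep -qx 'CONFIG_BLK_SED_OPAL=y' "$cfg"
}

# Layered mode: dm-crypt on top of the OPAL locking range. cryptsetup asks
# for the LUKS passphrase and, on a factory-reset drive, for a new OPAL
# admin password. The admin password is not asked again for opening.
opal_format_layered() {
    cryptsetup luksFormat --type luks2 --hw-opal "$1"
}

# Hardware-only mode: no dm-crypt layer, so confidentiality rests entirely
# on the drive firmware. Use only with full trust in the vendor.
opal_format_hw_only() {
    cryptsetup luksFormat --type luks2 --hw-opal-only "$1"
}

# Day-to-day activation needs only the LUKS passphrase: unlocking the keyslot
# yields both the volume key and the OPAL locking-range key.
opal_open() {
    cryptsetup open "$1" "$2"
}

# Worked run, executed only when OPAL_DEV is set, so the file is safe to source.
if [ -n "${OPAL_DEV:-}" ]; then
    sed_opal_in_config || { echo "kernel lacks CONFIG_BLK_SED_OPAL" >&2; exit 1; }
    opal_format_layered "$OPAL_DEV"
    opal_open "$OPAL_DEV" secure_data      # creates /dev/mapper/secure_data
    cryptsetup luksDump "$OPAL_DEV"        # inspect the header and its OPAL segment
fi
```

Run it with OPAL_DEV set to the scratch drive; without OPAL_DEV the script only defines the functions, so the kernel config check can be used on its own before touching any hardware. The layered variant is the one to prefer unless the drive vendor is fully trusted, which is also what the release notes recommend.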

Apart from OPAL support, Cryptsetup 2.7.0 brings several other changes and fixes. The default cipher in plain mode is now aes-xts-plain64 and the default passphrase hash is sha256. Because plain mode has no on-disk header, devices created under the previous defaults (aes-cbc-essiv:sha256 with the ripemd160 hash) must now be opened with --cipher and --hash given explicitly, otherwise the new defaults produce an unreadable mapping. The release also improves volume key handling, adds performance optimizations, and extends support for Argon2 and the Aria cipher.

The compatibility notes warn about problems with older drives, point out that OPAL cannot be used through USB external adapters, and state that other TCG security subsystems such as Ruby or Pyrite are not supported. They also advise against hardware-only encryption unless the drive vendor is fully trusted.

See the release announcement for the full list of changes in Cryptsetup 2.7.0.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
