Cryptsetup is the command-line utility for setting up and managing dm-crypt encrypted block devices, including the Linux Unified Key Setup (LUKS) on-disk format, the de facto standard for disk encryption on Linux. With it, users can encrypt whole disks or partitions, or file-backed containers attached as loop devices.
The encryption itself is performed by the dm-crypt kernel module (a device-mapper target); cryptsetup handles header formats, key derivation and key management, and gives users a command-line interface to create, open, and manage encrypted volumes.
The just-released new version, Cryptsetup 2.7.0, brings some exciting new features, so let’s take a look at them.
Cryptsetup 2.7.0 Highlights
The headline feature of this release is support for hardware OPAL disk encryption: self-encrypting drives (SEDs), both SATA and NVMe, that implement the TCG OPAL 2.0 interface.
Cryptsetup's integration gives users a choice that the project itself calls controversial: hardware-only encryption, which means trusting the drive's proprietary firmware to encrypt correctly, or layering software (dm-crypt) encryption on top of the hardware encryption so that the data stays protected even if the drive's implementation turns out to be flawed.
The LUKS2 implementation drives the hardware encryption through the Linux kernel SED OPAL interface, so the kernel must be built with the CONFIG_BLK_SED_OPAL option. OPAL encryption is not enabled by default: it must be selected explicitly at luksFormat time, with --hw-opal for combined hardware and software encryption or --hw-opal-only for hardware encryption alone.
The release also covers the practical side of setting OPAL up. If an OPAL drive is in its factory-reset state, cryptsetup configures the OPAL Admin user and its password during luksFormat. The LUKS passphrase and the OPAL admin password are separate secrets: the passphrase unlocks the LUKS keyslot, which also holds the key used to unlock the OPAL locking range, while the OPAL admin password is what cryptsetup needs to configure the locking range itself.
Beyond OPAL, Cryptsetup 2.7.0 changes the plain-mode defaults to the aes-xts-plain64 cipher and the sha256 password hash, replacing the previous aes-cbc-essiv:sha256 and ripemd160 combination. Because plain mode writes no header, a volume created under the old defaults will not decrypt under the new ones unless --cipher, --hash and --key-size are given explicitly when opening it. Other changes include improved volume-key handling, performance optimizations, and broader algorithm support such as Argon2 key derivation and the Aria cipher.
The compatibility notes warn about problems with older drives, point out that OPAL does not work through USB external adapters (the bridge chips generally do not pass the SED commands through to the drive), and state that other TCG security subsystem classes such as Ruby or Pyrite are not supported. Above all, they advise against hardware-only encryption unless you fully trust the hardware vendor.
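As an added example (a script written for this article, not part of cryptsetup or its release), the following POSIX shell preflight script performs the checks the OPAL requirements and compatibility notes above call for before anyone runs luksFormat against a self-encrypting drive: a cryptsetup version of at least 2.7.0, CONFIG_BLK_SED_OPAL in the running kernel, and a sysfs heuristic for the USB-adapter limitation. The --hw-opal and --hw-opal-only flags are those of cryptsetup 2.7.0; the function names, the sysfs USB heuristic, and the kernel-config file locations are assumptions of this example.

```shell
#!/bin/sh
# opal-preflight.sh: sanity checks before formatting a self-encrypting drive
# with cryptsetup 2.7.0's --hw-opal / --hw-opal-only options.
# Example script written for this article, not part of cryptsetup. It only
# prints the luksFormat command; the destructive step is left to the operator.
# Assumptions: cryptsetup in PATH, kernel config readable from /proc/config.gz
# or /boot/config-$(uname -r), sysfs mounted at /sys.

# version_ge A B: return 0 if dotted version A >= B (first three fields).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= 3; i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0;
            if (p > q) exit 0;
            if (p < q) exit 1;
        }
        exit 0 }'
}

# cryptsetup_version: print the installed cryptsetup version (e.g. 2.7.0),
# or nothing if the binary is missing.
cryptsetup_version() {
    cryptsetup --version 2>/dev/null | awk '{ print $2; exit }'
}

# kernel_sed_opal_enabled [CONFIG]: return 0 if CONFIG_BLK_SED_OPAL=y in the
# kernel config given as argument, else /proc/config.gz, else /boot/config-*.
kernel_sed_opal_enabled() {
    if [ -n "${1:-}" ]; then
        grep -qx 'CONFIG_BLK_SED_OPAL=y' "$1"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -qx 'CONFIG_BLK_SED_OPAL=y'
    else
        grep -qx 'CONFIG_BLK_SED_OPAL=y' "/boot/config-$(uname -r)" 2>/dev/null
    fi
}

# is_usb_attached DEV [SYSPATH]: heuristic (assumption of this example):
# return 0 if the device's resolved sysfs path contains a USB bus component,
# which means OPAL commands will not reach the drive. SYSPATH overrides the
# /sys lookup so the heuristic can be exercised without real hardware.
is_usb_attached() {
    name=$(basename "$1")
    path=${2:-$(readlink -f "/sys/class/block/$name" 2>/dev/null)}
    case "$path" in
        */usb[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# opal_format_cmd MODE DEV: print the luksFormat command for MODE "combined"
# (dm-crypt layered on OPAL, --hw-opal) or "hw-only" (--hw-opal-only).
opal_format_cmd() {
    case "$1" in
        combined) echo "cryptsetup luksFormat --type luks2 --hw-opal $2" ;;
        hw-only)  echo "cryptsetup luksFormat --type luks2 --hw-opal-only $2" ;;
        *) echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# main DEV [MODE]: run every check, then print (never execute) the command.
main() {
    dev=$1; mode=${2:-combined}
    v=$(cryptsetup_version)
    [ -n "$v" ] || { echo "cryptsetup not found in PATH" >&2; return 1; }
    version_ge "$v" 2.7.0 || { echo "cryptsetup $v predates OPAL support (need >= 2.7.0)" >&2; return 1; }
    kernel_sed_opal_enabled || { echo "running kernel lacks CONFIG_BLK_SED_OPAL" >&2; return 1; }
    if is_usb_attached "$dev"; then
        echo "$dev sits behind a USB adapter; OPAL is not supported there" >&2; return 1
    fi
    if [ "$mode" = "hw-only" ]; then
        echo "warning: hardware-only mode trusts the drive firmware completely" >&2
    fi
    echo "Checks passed. To format (DESTROYS ALL DATA on $dev), run:"
    opal_format_cmd "$mode" "$dev"
}

# Usage: sh opal-preflight.sh /dev/nvme0n1 [combined|hw-only]
[ $# -eq 0 ] || main "$@"
```

The script deliberately stops short of running luksFormat. When you do run the printed command, cryptsetup prompts for two separate secrets, the OPAL Admin password and the LUKS passphrase, matching the distinction made above; keep both, since the admin password is what later reconfiguration of the locking range requires.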
See the release announcement for the full list of changes in Cryptsetup 2.7.0.