[linux.git] / Documentation / device-mapper / dm-crypt.txt

dm-crypt
=========

Device-Mapper's "crypt" target provides transparent encryption of block devices
using the kernel crypto API.

Parameters: <cipher> <key> <iv_offset> <device path> <offset>

<cipher>
    Encryption cipher and an optional IV generation mode.
    (In format cipher[:keycount]-chainmode-ivopts:ivmode).
    Examples:
       des
       aes-cbc-essiv:sha256
       twofish-ecb

    /proc/crypto contains supported crypto modes

<key>
    Key used for encryption. It is encoded as a hexadecimal number.
    You can only use key sizes that are valid for the selected cipher.

<keycount>
    Multi-key compatibility mode. You can define <keycount> keys and
    then sectors are encrypted according to their offsets (sector 0 uses key0;
    sector 1 uses key1 etc.).  <keycount> must be a power of two.

<iv_offset>
    The IV offset is a sector count that is added to the sector number
    before creating the IV.

<device path>
    This is the device that is going to be used as backend and contains the
    encrypted data.  You can specify it as a path like /dev/xxx or a device
    number <major>:<minor>.

<offset>
    Starting sector within the device where the encrypted data begins.

Example scripts
===============
LUKS (Linux Unified Key Setup) is now the preferred way to set up disk
encryption with dm-crypt using the 'cryptsetup' utility, see
http://code.google.com/p/cryptsetup/

[[
#!/bin/sh
# Create a crypt device using dmsetup
dmsetup create crypt1 --table "0 `blockdev --getsize $1` crypt aes-cbc-essiv:sha256 babebabebabebabebabebabebabebabe 0 $1 0"
]]

[[
#!/bin/sh
# Create a crypt device using cryptsetup and LUKS header with default cipher
cryptsetup luksFormat $1
cryptsetup luksOpen $1 crypt1
]]
Commit	Line	Data
e3dcc5a3 MB	1	dm-crypt
	2	=========
	3
	4	Device-Mapper's "crypt" target provides transparent encryption of block devices
	5	using the kernel crypto API.
	6
	7	Parameters: <cipher> <key> <iv_offset> <device path> <offset>
	8
	9	<cipher>
	10	Encryption cipher and an optional IV generation mode.
d1f96423	11	(In format cipher[:keycount]-chainmode-ivopts:ivmode).
e3dcc5a3 MB	12	Examples:
	13	des
	14	aes-cbc-essiv:sha256
	15	twofish-ecb
	16
	17	/proc/crypto contains supported crypto modes
	18
	19	<key>
	20	Key used for encryption. It is encoded as a hexadecimal number.
	21	You can only use key sizes that are valid for the selected cipher.
	22
d1f96423 MB	23	<keycount>
	24	Multi-key compatibility mode. You can define <keycount> keys and
	25	then sectors are encrypted according to their offsets (sector 0 uses key0;
	26	sector 1 uses key1 etc.). <keycount> must be a power of two.
	27
e3dcc5a3 MB	28	<iv_offset>
	29	The IV offset is a sector count that is added to the sector number
	30	before creating the IV.
	31
	32	<device path>
	33	This is the device that is going to be used as backend and contains the
	34	encrypted data. You can specify it as a path like /dev/xxx or a device
	35	number <major>:<minor>.
	36
	37	<offset>
	38	Starting sector within the device where the encrypted data begins.
	39
	40	Example scripts
	41	===============
	42	LUKS (Linux Unified Key Setup) is now the preferred way to set up disk
	43	encryption with dm-crypt using the 'cryptsetup' utility, see
adc0485b	44	http://code.google.com/p/cryptsetup/
e3dcc5a3 MB	45
	46	[[
	47	#!/bin/sh
	48	# Create a crypt device using dmsetup
	49	dmsetup create crypt1 --table "0 `blockdev --getsize $1` crypt aes-cbc-essiv:sha256 babebabebabebabebabebabebabebabe 0 $1 0"
	50	]]
	51
	52	[[
	53	#!/bin/sh
	54	# Create a crypt device using cryptsetup and LUKS header with default cipher
	55	cryptsetup luksFormat $1
	56	cryptsetup luksOpen $1 crypt1
	57	]]