Talk:Dm-crypt full disk encryption

I removed the warning at the beginning of the article, as we can't rely on external resources that might be unavailable. — yngwin 08:44, 2 July 2012 (UTC)

Outdated information
This article has a number of issues. I will go ahead and fix the following two points. — Tamiko (talk) 03:36, 24 August 2016 (UTC)

GnuPG encrypted keyfile
A GnuPG encrypted keyfile does not make any sense in combination with LUKS.

The idea to use GnuPG to encrypt a keyfile dates back to the time well before LUKS. The only password setup by plain cryptsetup (without LUKS) is to hash the key once. Therefore, using GnuPG as an intermediate step added a password strengthening via PBKDF2. But, this is natively supported by LUKS. Further, LUKS also supports detached headers nowadays.

Choice of cipher:hash
The default choice for LUKS is aes-xts-plain64. There is almost no reason to change that. This cipher and mode of operation is (a) the best choice performance-wise due to AES-NI, (b) nowadays considered a reasonably conservative choice with a large security margin.

Setting the ":hash" value has no effect for plain64.

Wrong command parameter?
Is that `seek` supposed to be `count` there? `dd if=/dev/zero of=key.lbd bs=512 seek=2050` Otherwise it will create a file until out of space. --EmanueLczirai (talk) 04:42, 4 February 2015 (UTC)


 * Indeed... it should be a count instead. There are a few minor typos, but this one is... a gem. Tclover (talk) 08:41, 4 February 2015 (UTC)


 * Nice. Thanks! --EmanueLczirai (talk) 18:04, 4 February 2015 (UTC)


 * 2050 is probably too small: `Requested offset is beyond real size of device /dev/loop0.` The same thing is also done here: Custom Initramfs Frostschutz (talk) 18:12, 4 February 2015 (UTC)


 * Also if you check the history, the seek= was correct once, except someone else changed /dev/null to /dev/zero. A clearer way to create sparse files is `truncate -s size file` instead of `dd`, or just `dd` without any `if=` and no stdin provider or `count=0`. Frostschutz (talk) 18:18, 4 February 2015 (UTC)

This:

Requested offset is beyond real size of device /dev/loop0.

is still the case for `count=2050` (or 4096; only somewhere greater than 8192 doesn't get me that message). MiroR
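The sparse-file forms suggested in this thread (`truncate -s`, or `dd` with no data source), as an added example that is not part of the discussion above; file names and the 2050-block size are taken from the quoted command, the helper names are my own:

```shell
#!/bin/sh
# Added example (not from the wiki page): create the loop-back container file
# sparsely, as the thread recommends, instead of "dd if=/dev/zero ... seek="
# with no count=, which never stops reading from /dev/zero and fills the disk.
set -eu

# Size in 512-byte blocks; 2050 matches the command quoted in the thread
# (the thread also notes that a file this small is too small for losetup/LUKS).
BLOCKS=2050

# Create a sparse file with truncate(1); clearer than dd.
make_sparse_truncate() {
    truncate -s $((BLOCKS * 512)) "$1"
}

# Same result with dd: /dev/null supplies no data, so dd only extends the
# file to the seek offset; count=0 makes the intent explicit.
make_sparse_dd() {
    dd if=/dev/null of="$1" bs=512 seek="$BLOCKS" count=0 2>/dev/null
}

# Apparent size in bytes (what losetup and cryptsetup will see).
apparent_size() {
    stat -c %s "$1"
}

# 512-byte blocks actually allocated on disk; 0 (or near 0) for a sparse file.
allocated_blocks() {
    stat -c %b "$1"
}

f1=$(mktemp); f2=$(mktemp)
make_sparse_truncate "$f1"
make_sparse_dd "$f2"
echo "truncate: $(apparent_size "$f1") bytes, $(allocated_blocks "$f1") blocks allocated"
echo "dd:       $(apparent_size "$f2") bytes, $(allocated_blocks "$f2") blocks allocated"
rm -f "$f1" "$f2"
```

Both files report 1049600 bytes of apparent size while allocating (almost) nothing, which is the behaviour the original `seek=` command was meant to produce.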

Early Userspace without Initramfs
I am requesting permission to add a new section to this page with a link to a guide I've published on how to set up an early userspace environment (with support for opening and mounting a LUKS-encrypted root file system) without using initramfs. I believe this method is a superior alternative to initramfs, especially since Gentoo users often build their own kernels with storage device drivers built-in and so really have no need of an initramfs. My guide also details how this early userspace environment can be used as an interactive rescue environment and how to enable the ability to input the decryption passphrase remotely over SSH, which is valuable when the administrator may not have physical access to the machine following a reboot. Whitslack (talk) 20:56, 16 February 2016 (UTC)

The:

early userspace environment (with support for opening and mounting a LUKS-encrypted root file system) without using initramfs

is exactly what I would need. Please write that guide for us, if you read here! Teach us to use a screwdriver where we don't need the initramfs sledgehammer! MiroR

Nope! That page by Whitslack (a guide) may work if you have to use MBR and extlinux. I spent two days with it; there are errors there that need correcting, and especially if you are with grub and need gdisk, then it's not a screwdriver from that comparison of his anymore. I found the screwdriver that I needed in this old page (written at the time of Linux 2.6.9), which is amazingly still relevant today (at least if you only need to encrypt your root partition, and you use grub):

Cach0rr0's guide

which only took me hours to successfully complete what I needed. MiroR