From ArchWiki
Revision as of 04:19, 10 December 2013 by EscapedNull (talk | contribs) (Added introductions to common scenarios, with links to more specific topics, as per the expansion tag.)
Jump to navigation Jump to search

zh-CN:System Encryption with LUKS

Tango-view-refresh-red.pngThis article or section is out of date.Tango-view-refresh-red.png

Reason: The introduction has to be rewritten after merging Plain dm-crypt without LUKS.
Before publishing the new article, double check all the link#fragments among the subpages. (Discuss in Talk:Dm-crypt#)

This article focuses on how to set up full system encryption on Arch Linux, using dm-crypt with LUKS.

dm-crypt is the standard device-mapper encryption functionality provided by the Linux kernel. It can be used directly by those who like to have full control over all aspects of partition and key management.

LUKS is an additional convenience layer which stores all of the needed setup information for dm-crypt on the disk itself and abstracts partition and key management in an attempt to improve ease of use.

For more details on how dm-crypt+LUKS compares to other disk encryption solution, see Disk Encryption#Comparison table.


Warning: Encrypting a disk or partition will erase everything currently on that disk or partition, make appropriate data backups prior to starting.

Also be aware that encrypting a system might not only make the life of laptop thieves more miserable, but also yours if you don't plan ahead on:

  • how to make secure backups of the encrypted system/-setup/data and
  • how to access the encrypted system manually for maintenance.
Keeping those points in mind while deciding on how to use encryption may help to decide on method and tools as well.

The installation of a LUKS-encrypted system is largely the same as installing an unencrypted system. Routine creation of an encrypted system follows these general steps:

Note that the Arch installation media comes with all the tools required for system encryption.

Tip: You may want to practise encrypting a virtual hard drive in a virtual machine when learning.

Common scenarios

Encrypting a non-root filesystem

Main article: Dm-crypt/Encrypting a non-root file system

Encrypting a secondary filesystem usually protects only sensitive data, while leaving the operating system and program files unencrypted. This is useful for encrypting an external medium, such as a USB drive, so that it can be moved to different computers securely. One might also choose to encrypt sets of data separately according to who has access to it. For example, in the case of a computer that has multiple users, each user's home directory may be encrypted separately to ensure that users can not access each others' data, while still having access to the system and public files.

Although encrypting a non-root filesystem is possible with dm-crypt, there are more flexible and user friendly ways to achieve the same result. Because dm-crypt is a block-level encryption layer, it only encrypts partitions and loop devices. To encrypt individual files requires a filesystem-level encryption layer, such as eCryptfs or EncFS. See Disk Encryption for general information about securing private data.

Encrypting an entire system

Main article: Dm-crypt/Encrypting an entire system

Securing a root filesystem, on the other hand, is where dm-crypt excels. When a system's root filesystem is on a dm-crypt device, nearly every file on the system is encrypted. Unlike selectively encrypting non-root filesystems, an encrypted root filesystem can conceal information such as which programs are installed, the usernames of all user accounts, and common data-leakage vectors such as mlocate and /var/log/. Furthermore, an encrypted root filesystem makes tampering with the system far more difficult, as everything except the boot loader and kernel is encrypted.

In encrypted root filesystem scenarios, dm-crypt is often combined with other disk abstraction technologies such as LVM and RAID, although it is by no means necessary.

While an encrypted root filesystem provides much greater protection from outside threats than encrypted secondary filesystems, any user of the system is able to decrypt the entire drive, and therefore can access other users' data. However, it is possible to use a combination of root and non-root filesystem encryption and reap the advantages of both. It is important to balance the benefits with the effort, as an encrypted root filesystem is more difficult to setup than an encrypted secondary filesystem.

Drive preparation

This step will deal with operations like securely erasing the drive and partitioning it.

See Dm-crypt/Drive Preparation.

Device encryption

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Add some introductory text with links to the most important subsections of Dm-crypt/Device Encryption. (Discuss in Talk:Dm-crypt#)

See Dm-crypt/Device Encryption.

System configuration

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Add some introductory text with links to the most important subsections of Dm-crypt/System Configuration. (Discuss in Talk:Dm-crypt#)

See Dm-crypt/System Configuration.

Swap device encryption

A swap partition may be added to an encrypted system, if required. The swap partition must be encrypted as well to protect any data swapped out by the system. This part details methods without and with suspend-to-disk support.

See Dm-crypt/Swap Encryption.


This part deals with special operations like securing the unencrypted boot partition, using GPG or OpenSSL encrypted keyfiles, a method to boot and unlock via the network, or setting up discard/TRIM for a SSD.

See Dm-crypt/Specialties.

See also

  • cryptsetup FAQ - The main and foremost help resource, directly from the developers.
  • FreeOTFE - Supports unlocking LUKS encrypted volumes in Microsoft Windows.