This article focuses on how to set up full system encryption on Arch Linux, using dm-crypt with LUKS.
dm-crypt is the standard device-mapper encryption functionality provided by the Linux kernel. It can be used directly by those who like to have full control over all aspects of partition and key management.
LUKS is an additional convenience layer which stores all of the needed setup information for dm-crypt on the disk itself and abstracts partition and key management in an attempt to improve ease of use.
For more details on how dm-crypt+LUKS compares to other disk encryption solution, see Disk Encryption#Comparison table.
The installation of a LUKS-encrypted system is largely the same as installing an unencrypted system. Routine creation of an encrypted system follows these general steps:
- Preparation of the drive(s) where the system will be installed
- Creation of the needed encryption layers
- Configuration of the system to handle the encryption
- Installation of the system following the Installation Guide or the Beginners' Guide
Note that the Arch installation media comes with all the tools required for system encryption.
Encrypting a non-root filesystem
Main article: Dm-crypt/Encrypting a non-root file system
Encrypting a secondary filesystem usually protects only sensitive data, while leaving the operating system and program files unencrypted. This is useful for encrypting an external medium, such as a USB drive, so that it can be moved to different computers securely. One might also choose to encrypt sets of data separately according to who has access to it. For example, in the case of a computer that has multiple users, each user's home directory may be encrypted separately to ensure that users can not access each others' data, while still having access to the system and public files.
Although encrypting a non-root filesystem is possible with dm-crypt, there are more flexible and user friendly ways to achieve the same result. Because dm-crypt is a block-level encryption layer, it only encrypts partitions and loop devices. To encrypt individual files requires a filesystem-level encryption layer, such as eCryptfs or EncFS. See Disk Encryption for general information about securing private data.
Encrypting an entire system
Main article: Dm-crypt/Encrypting an entire system
Securing a root filesystem, on the other hand, is where dm-crypt excels. When a system's root filesystem is on a dm-crypt device, nearly every file on the system is encrypted. Unlike selectively encrypting non-root filesystems, an encrypted root filesystem can conceal information such as which programs are installed, the usernames of all user accounts, and common data-leakage vectors such as mlocate and
/var/log/. Furthermore, an encrypted root filesystem makes tampering with the system far more difficult, as everything except the boot loader and kernel is encrypted.
While an encrypted root filesystem provides much greater protection from outside threats than encrypted secondary filesystems, any user of the system is able to decrypt the entire drive, and therefore can access other users' data. However, it is possible to use a combination of root and non-root filesystem encryption and reap the advantages of both. It is important to balance the benefits with the effort, as an encrypted root filesystem is more difficult to setup than an encrypted secondary filesystem.
Swap device encryption
A swap partition may be added to an encrypted system, if required. The swap partition must be encrypted as well to protect any data swapped out by the system. This part details methods without and with suspend-to-disk support.
This part deals with special operations like securing the unencrypted boot partition, using GPG or OpenSSL encrypted keyfiles, a method to boot and unlock via the network, or setting up discard/TRIM for a SSD.