Talk:Dm-crypt/Encrypting an entire system

From ArchWiki
< Talk:Dm-crypt
Revision as of 21:18, 10 December 2013 by EscapedNull (talk | contribs) (→‎Merging plain dm-crypt instructions with LUKS instructions: new section)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Merging plain dm-crypt instructions with LUKS instructions

I just noticed that the instructions are fairly similar for encrypting a system with LUKS and without. LUKS is just a header at the beginning of the device or partition that dm-crypt is created on; it doesn't change the device mapper configuration or partition layout in any way. Encryption on LVM and LVM on encryption definitely need separate instructions because they are very different setups, but whether or not LUKS is involved really only affects one command in the entire tutorial:

Without LUKS:

# cryptsetup --hash=sha512 --cipher=twofish-xts-plain64 --offset=0 --key-file=/dev/sdZ --key-size=512 open --type=plain /dev/sdX enc

With LUKS:

# cryptsetup luksFormat /dev/sdx3

Other than that, the procedure is the same, is it not? We would still need to discuss what LUKS is and whether or not to use it (Dm-crypt/Encrypting_an_entire_system#Setup_encryption should remain, and could be moved to the top of the article, for example), but I don't think we need completely separate instructions for LUKS and plain dm-crypt. In the few cases where the setup procedure does differ, we could make a small note about what to do if using plain dm-crypt). For example, we could add this to the "Preparing the disk" sections:

Note: If you are using plain dm-crypt, it is recommended that you fill the mapped device before continuing. See Dm-crypt/Drive_Preparation#dm-crypt_specific_methods for instructions.

Nearly all the other steps -- including dedicated /boot partition preparation, LVM setup, mkinitcpio hooks, and bootloader installation -- are identical whether LUKS is used or not. In fact, the current layout seems more cumbersome, as Dm-crypt/Encrypting_an_entire_system#Plain_dm-crypt currently forks its instructions at certain points based on the decision of LVM on encryption vs encryption on LVM. It seems that it should be the other way around (LVM on encryption / Encryption on LVM sections should fork based on LUKS vs plain, as the latter pair are far more similar to each other.

Notice I imply changing the word "LUKS" to "encryption", as it could imply LUKS or plain dm-crypt interchangeably. Of course, LUKS is still the much more common use case of the two (in fact, the [FAQ] doesn't really recommend plain dm-crypt at all.)

Without looking at the edit history, I would guess the reason they are currently separate is a relic of merging Dm-crypt with LUKS and Plain dm-crypt without LUKS into this page. I don't really have any experience with plain dm-crypt, to be honest, so I could be wrong about this, and I wanted to ask for some other opinions before I go making drastic changes.