On Sun, Mar 27, 2022 at 4:13 PM Dale <rdalek1...@gmail.com> wrote:
>
> What is the advantage of dm-crypt over cryptsetup? I've learned how to
> use cryptsetup with my external drive so was hoping to stick with what I
> already know. Unless there is an advantage to dm-crypt.
So, I suspect that terms are being used loosely here, but dm-crypt is a kernel block device encryption layer, and cryptsetup is just a userspace wrapper that sets up dm-crypt. I don't think cryptsetup works without dm-crypt, but you could of course use dm-crypt without cryptsetup.

There is an on-disk standard called LUKS that cryptsetup typically uses. This stores metadata about the layout, fields to store session keys encrypted with a passphrase, space to store info like rekeying progress, and so on. The kernel dm-crypt will just want a cipher/key to use and a range of disk blocks to apply it to.

With LUKS / cryptsetup you can do handy things like have a passphrase that goes through many rounds to yield the session key, or the ability to have multiple passphrases that work, or the ability to change the session key, or temporarily store the session key in the clear so that the drive can be used without a passphrase, and so on.

99% of the time Linux distros are using cryptsetup/LUKS to manage encryption. If you wanted to use dm-crypt directly you'd basically have to either re-implement your own version of LUKS, or memorize a 128 bit AES key. Even if you intend to use a key file I'd still consider using LUKS just for the standardization and options.

I'm guessing that 99% of the time if somebody is talking about dm-crypt, they really mean cryptsetup/LUKS+dm-crypt. (I think LUKS is the on-disk standard, and cryptsetup is an implementation of it all.)

-- 
Rich
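The two layers Rich describes, side by side, as an added example that is not part of the thread and not the cryptsetup project's own code: a raw dm-crypt mapping created with `dmsetup`, where the caller has to hand the kernel a hex key and nothing about the cipher is recorded on disk, versus the same device under `cryptsetup`/LUKS, where the header stores the cipher and PBKDF settings and a second passphrase can be added to another keyslot. The device names, the file-backed loop device and the sample passphrases are constructed for the demo; the only part that runs without root is `dmcrypt_table`, which builds and sanity-checks the dm-crypt table line.

```shell
#!/bin/sh
# Added example (not from the thread or from cryptsetup). Contrasts a raw
# dm-crypt mapping via dmsetup with cryptsetup/LUKS on the same device.
# dmcrypt_table() is pure; the *_demo functions need root, dmsetup,
# cryptsetup and a block device, and only run when invoked as `sh x.sh run`.
set -u

# Build the one-line dm-crypt target table that dmsetup expects:
#   <start> <length> crypt <cipher> <hex key> <iv_offset> <device> <offset>
# Rejects keys that are not hex or whose length does not fit the cipher mode
# (CBC: 128/192/256-bit key; XTS: 256/512-bit, since XTS carries two keys).
dmcrypt_table() {
  start=$1 length=$2 cipher=$3 key=$4 device=$5
  case "$key" in
    ''|*[!0-9a-fA-F]*) echo "key is not hex" >&2; return 1 ;;
  esac
  mode=${cipher#*-}; mode=${mode%%-*}      # aes-xts-plain64 -> xts, aes-cbc-essiv:sha256 -> cbc
  case "$mode:${#key}" in
    cbc:32|cbc:48|cbc:64|xts:64|xts:128) ;;
    *) echo "key length ${#key} hex chars does not fit mode $mode" >&2; return 1 ;;
  esac
  printf '%s %s crypt %s %s 0 %s 0\n' "$start" "$length" "$cipher" "$key" "$device"
}

# Raw dm-crypt: the key exists only in the caller's hands. Nothing on the
# disk records cipher or key, which is what "memorize a key" amounts to.
plain_dmcrypt_demo() {
  dev=$1 name=$2 hexkey=$3
  sectors=$(blockdev --getsz "$dev")
  dmsetup create "$name" --table "$(dmcrypt_table 0 "$sectors" aes-xts-plain64 "$hexkey" "$dev")"
  dmsetup status "$name"
  dmsetup remove "$name"
}

# cryptsetup/LUKS: the header records cipher and PBKDF settings, and each
# keyslot holds the volume key wrapped under one passphrase, so a second
# passphrase can be added and either one opens the device.
luks_demo() {
  dev=$1 name=$2
  tmp=$(mktemp -d)
  printf 'first-passphrase'  > "$tmp/k1"   # constructed sample passphrases
  printf 'second-passphrase' > "$tmp/k2"
  cryptsetup luksFormat --batch-mode --type luks2 --key-file "$tmp/k1" "$dev"
  cryptsetup luksAddKey --key-file "$tmp/k1" "$dev" "$tmp/k2"
  cryptsetup luksDump "$dev"                           # cipher, PBKDF, keyslots 0 and 1
  cryptsetup open --key-file "$tmp/k2" "$dev" "$name"  # the added passphrase works too
  cryptsetup close "$name"
  rm -rf "$tmp"
}

# Runs only when explicitly asked, against a 64 MiB file-backed loop device
# so no real disk is touched. Key material for the plain mapping is random.
if [ "${1:-}" = run ]; then
  img=$(mktemp) && truncate -s 64M "$img"
  loop=$(losetup --find --show "$img")
  plain_dmcrypt_demo "$loop" demo_plain "$(head -c 64 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  luks_demo "$loop" demo_luks
  losetup -d "$loop"; rm -f "$img"
fi
```

The plain path can also be driven by `cryptsetup open --type plain`, which builds the same kind of table for you; the point of the `dmsetup` version is to make visible that the kernel sees only a cipher name, a key and a block range, while every convenience listed above (passphrase hashing, multiple keyslots, rekeying) lives in the LUKS header that `luksDump` prints.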