      Disk Encryption

      Overview

      Disk encryption protects the storage confidentiality of important data. Data is encrypted based on a specified encryption algorithm and then written to disks. This feature mainly involves the user-mode tool cryptsetup and the kernel-mode module dm-crypt. Currently, the disk encryption feature provided by the openEuler OS supports ShangMi (SM) series cryptographic algorithms. Parameters are as follows:

      • Encryption modes: luks2 and plain;
      • Key length: 256 bits;
      • Message digest algorithm: SM3;
      • Encryption algorithm: sm4-xts-plain64.

      Prerequisites

      1. Kernel 5.10.0-106 or later
      $ rpm -qa kernel
      kernel-5.10.0-106.1.0.55.oe2209.x86_64
      
      2. cryptsetup 2.4.1-1 or later
      $ rpm -qa cryptsetup
      cryptsetup-2.4.1-1.oe2209.x86_64
      

      How to Use

      The disk is formatted in the specified encryption mode and mapped under /dev/mapper as a dm device. Subsequent disk reads and writes go through the dm device. Data encryption and decryption are performed in kernel mode and are transparent to users. The procedure is as follows:

      1. Format the disk and map the disk as a dm device.

      a. luks2 mode

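      Set the encryption mode to luks2, encryption algorithm to sm4-xts-plain64, key length to 256 bits, and message digest algorithm to SM3. Formatting only writes the LUKS2 header, so open the device afterwards to map it as the dm device crypt1.

      # cryptsetup luksFormat /dev/sdd -c sm4-xts-plain64 --key-size 256 --hash sm3
      # cryptsetup luksOpen /dev/sdd crypt1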
      

      b. plain mode

      Set the encryption mode to plain, encryption algorithm to sm4-xts-plain64, key length to 256 bits, and message digest algorithm to SM3.

      # cryptsetup plainOpen /dev/sdd crypt1 -c sm4-xts-plain64 --key-size 256 --hash sm3
      
      2. After the mapping is successful, run the lsblk command to view the device information.
      # lsblk
      NAME             MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
      ......
      sdd                8:48   0   50G  0 disk
      └─crypt1         253:3    0   50G  0 crypt
      ......
      
      3. Perform I/O read and write operations on the encrypted device.

      Deliver raw I/Os directly to the dm device, without a file system.

      # dd if=/dev/random of=/dev/mapper/crypt1 bs=4k count=10240
      

      Deliver I/Os through the file system.

      # mkfs.ext4 /dev/mapper/crypt1
      # mount /dev/mapper/crypt1 /mnt/crypt/
      # dd if=/dev/random of=/mnt/crypt/tmp bs=4k count=10240
      
      4. Disable device mapping.

      If a file system is mounted, unmount it first.

      # umount /mnt/crypt
      

      Close the device.

      # cryptsetup luksClose crypt1
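
The following shell functions are an added example, not part of the openEuler documentation: they check the prerequisites listed above and confirm, while the mapping is still open, that it really uses sm4-xts-plain64 with a 256-bit key. The function names are assumptions made for this example; `live_check` assumes root and an rpm-based system.

```shell
#!/bin/sh
# Added example (not openEuler code): sanity checks for the SM4/SM3 setup above.

# ver_ge A B: succeed if version string A is >= B (uses `sort -V`).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# has_alg NAME: reads /proc/crypto-style text on stdin and succeeds if an
# entry "name : NAME" is present. A miss can simply mean the kernel module
# has not been loaded yet, so treat it as a hint, not a verdict.
has_alg() {
    awk -v n="$1" '$1 == "name" && $3 == n { found = 1 } END { exit !found }'
}

# check_mapping: reads `cryptsetup status <name>` output on stdin and succeeds
# only if the mapping uses sm4-xts-plain64 with a 256-bit key. In XTS mode
# the 256 bits are two 128-bit SM4 keys.
check_mapping() {
    awk '$1 == "cipher:"  { cipher = $2 }
         $1 == "keysize:" { bits = $2 + 0 }
         END { exit !(cipher == "sm4-xts-plain64" && bits == 256) }'
}

# live_check NAME: run as root while the mapping is open, e.g. live_check crypt1
live_check() {
    rc=0
    ver_ge "$(uname -r)" "5.10.0-106" || { echo "kernel < 5.10.0-106"; rc=1; }
    cs="$(rpm -q --qf '%{VERSION}-%{RELEASE}' cryptsetup)"
    ver_ge "$cs" "2.4.1-1" || { echo "cryptsetup < 2.4.1-1"; rc=1; }
    for a in sm3 sm4; do
        has_alg "$a" < /proc/crypto || echo "note: $a not listed in /proc/crypto"
    done
    cryptsetup status "$1" | check_mapping ||
        { echo "$1: not sm4-xts-plain64 with a 256-bit key"; rc=1; }
    return "$rc"
}
```

In plain mode there is no on-disk header recording these parameters, so the status check is only meaningful while the mapping is open.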
      
