Drive Encryption
Overview
Drive encryption protects the confidentiality of data at rest. Data is encrypted with the configured algorithm before it is written to the drive and decrypted transparently when it is read back. The feature is implemented by the user-mode tool cryptsetup and the kernel-mode module dm-crypt. Currently, the drive encryption feature provided by the openEuler OS supports the ShangMi (SM) series of cryptographic algorithms. Parameters are as follows:
- Encryption modes: luks2 and plain;
- Key length: 256 bits (XTS uses two 128-bit SM4 keys, one for data and one for the tweak);
- Message digest algorithm: SM3;
- Encryption algorithm: sm4-xts-plain64.
Prerequisites
Kernel 5.10.0-106 or later
```shell
$ rpm -qa kernel
kernel-5.10.0-106.1.0.55.oe2209.x86_64
```
cryptsetup 2.4.1-1 or later
```shell
$ rpm -qa cryptsetup
cryptsetup-2.4.1-1.oe2209.x86_64
```
How to Use
A drive is formatted in the chosen encryption mode and mapped under /dev/mapper as a dm device. All subsequent reads and writes go through that dm device; encryption and decryption happen in kernel mode and are transparent to users. Note that both luksFormat and raw writes to the mapped device destroy any existing data on the underlying drive. The procedure is as follows:
Format the drive and map it as a dm device.
a. luks2 mode
Set the encryption mode to luks2, encryption algorithm to sm4-xts-plain64, key length to 256 bits, and message digest algorithm to SM3. These parameters are stored in the LUKS2 header, so luksOpen only needs the device and the mapping name:
```shell
# cryptsetup luksFormat /dev/sdd -c sm4-xts-plain64 --key-size 256 --hash sm3
# cryptsetup luksOpen /dev/sdd crypt1
```
b. plain mode
Set the encryption mode to plain, encryption algorithm to sm4-xts-plain64, key length to 256 bits, and message digest algorithm to SM3. Plain mode writes no on-disk header, so exactly the same cipher, key size and hash options must be supplied every time the device is opened; a mistyped passphrase is not detected and simply maps the device to unreadable data.
```shell
# cryptsetup plainOpen /dev/sdd crypt1 -c sm4-xts-plain64 --key-size 256 --hash sm3
```
After the mapping succeeds, run the lsblk command to view the device information; the crypt device appears as a child of the physical drive:
```shell
# lsblk
NAME       MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
......
sdd          8:48   0   50G  0 disk
└─crypt1   253:3    0   50G  0 crypt
......
```
Perform I/O read and write operations on the encrypted device.
Issue raw block I/O to the mapped device (this overwrites the start of the volume, so do it only on a device that holds no file system yet):
```shell
# dd if=/dev/random of=/dev/mapper/crypt1 bs=4k count=10240
```
Issue I/O through a file system on the mapped device (the mount point /mnt/crypt must already exist):
```shell
# mkfs.ext4 /dev/mapper/crypt1
# mount /dev/mapper/crypt1 /mnt/crypt/
# dd if=/dev/random of=/mnt/crypt/tmp bs=4k count=10240
```
Disable the device mapping.
If a file system is mounted, unmount it first:
```shell
# umount /mnt/crypt
```
Close the device, which removes the dm mapping and wipes the key from the kernel:
```shell
# cryptsetup close crypt1
```
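The following script is an added example and is not part of the openEuler documentation or of cryptsetup itself. It rehearses the whole luks2 procedure above (format, open, file system I/O, unmount, close) on a file-backed loop device instead of a spare disk, checks the two version floors from the Prerequisites section, and, as the check a practitioner wants, confirms that a marker string written through /dev/mapper never appears in the clear in the backing storage. It assumes bash, GNU coreutils, util-linux losetup, e2fsprogs, and a cryptsetup/kernel pair that offers sm4-xts-plain64; the mapping name sm4demo, the marker text and the temporary paths are arbitrary choices made here. Only run_demo needs root; the helper functions run anywhere.

```shell
#!/bin/bash
# Added example, not from the openEuler docs: SM4/luks2 drive encryption
# rehearsed on a loop device, with a plaintext-leak check on the backing file.
# Assumes bash, GNU coreutils, losetup, mkfs.ext4 and cryptsetup >= 2.4.1 on a
# kernel whose dm-crypt supports sm4-xts-plain64. run_demo requires root.
set -euo pipefail

# version_ge A B: succeeds when version string A sorts at or after B in
# rpm-style ordering (e.g. 5.10.0-106.1.0.55.oe2209.x86_64 >= 5.10.0-106).
version_ge() {
    [ "$(printf '%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# check_prereqs: enforce the kernel and cryptsetup floors from the page.
check_prereqs() {
    local kver cver
    kver=$(uname -r)
    cver=$(cryptsetup --version | awk '{print $2}')   # "cryptsetup 2.4.1" -> 2.4.1
    version_ge "$kver" "5.10.0-106" || { echo "kernel $kver is too old" >&2; return 1; }
    version_ge "$cver" "2.4.1"      || { echo "cryptsetup $cver is too old" >&2; return 1; }
}

# leak_count FILE MARKER: number of lines of FILE containing MARKER verbatim.
# -a treats the binary image as text; grep -c exits 1 on zero matches, which
# is a valid answer here, hence the "|| true".
leak_count() {
    grep -a -c -F -- "$2" "$1" || true
}

# run_demo [SIZE_MB]: the documented procedure end to end on a loop device.
run_demo() {
    local size=${1:-64} img keyf mnt loop leaks marker="SM4-PLAINTEXT-CANARY"
    img=$(mktemp /tmp/sm4disk.XXXXXX)
    keyf=$(mktemp /tmp/sm4key.XXXXXX)
    mnt=$(mktemp -d /tmp/sm4mnt.XXXXXX)
    dd if=/dev/zero of="$img" bs=1M count="$size" status=none
    head -c 32 /dev/urandom >"$keyf"            # 256-bit passphrase kept in a key file
    loop=$(losetup --find --show "$img")

    # 1. Format as luks2 with SM4-XTS / SM3 and map it as /dev/mapper/sm4demo.
    #    The cipher, key size and hash are recorded in the header, so the
    #    luksOpen step needs only the device and the key file.
    cryptsetup luksFormat --batch-mode --type luks2 \
        --cipher sm4-xts-plain64 --key-size 256 --hash sm3 \
        --key-file "$keyf" "$loop"
    cryptsetup luksOpen --key-file "$keyf" "$loop" sm4demo

    # 2. I/O through a file system on the mapped device.
    mkfs.ext4 -q /dev/mapper/sm4demo
    mount /dev/mapper/sm4demo "$mnt"
    seq 1000 | sed "s/.*/$marker/" >"$mnt/canary.txt"   # 1000 lines of the marker
    sync

    # 3. The backing image must not contain the marker in the clear.
    leaks=$(leak_count "$img" "$marker")
    echo "plaintext marker lines found in backing image: $leaks"

    # 4. Unmount, close the mapping (drops the key from the kernel), detach.
    umount "$mnt"
    cryptsetup close sm4demo
    losetup -d "$loop"
    rm -rf "$img" "$keyf" "$mnt"
    [ "$leaks" -eq 0 ]
}

# Run the full procedure only when asked to, so the helpers can be sourced.
if [ "${1:-}" = "demo" ]; then
    check_prereqs
    run_demo
fi
```

Run it as root with `bash sm4demo.sh demo`; the final check fails the script if any marker line is readable from the backing image, which is exactly what you would see if the data had been written to the loop device directly instead of through /dev/mapper/sm4demo. For the plain mode variant, replace the luksFormat/luksOpen pair with a single plainOpen call carrying the same -c, --key-size and --hash options, and remember that those options then have to be repeated identically on every later open because no header records them.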