Re: [Question] Distinction responsibilities LUKS and dm-crypt

["Michael Kjörling" <michael@kjorling.se>]

On 31 Mar 2022 18:21 +0000, from jasper.surmont@aalto.fi (Surmont Jasper):
> Reading through the documentation of both dm-crypt and LUKS, 
> I understand that LUKS is a format specification 
> to allow FDE, and that dm-crypt is a dm target which allows
> encryption / decryption of writes / reads to the block device. 
> 
> However, I'm unsure about
> what each of these now exactly provides (ie what are the responsibilities).

Consider the simple case: a plain dm-crypt mapping that uses typical,
non-authenticated, length-preserving (when used for amounts of data
that is a multiple of the block size) encryption.

That gets you encryption, but the encryption metadata (algorithm, key
size, block size, cipher mode, key, ...) must be kept elsewhere,
because there's no room for it within the container itself (because if
there were, the mapping wouldn't be length-preserving). Maybe some of
it, such as the key, is derived from a passphrase provided by the
user, but then you need somewhere to store metadata on _how_ the
transformation from a passphrase to a cryptographic key is performed.
So suppose that, instead of relying solely on the user to memorize
such details, you allow for keeping it in a configuration file
somewhere. Maybe call it /etc/crypttab.

That's still moderately inconvenient, especially when /etc and the
container lives on different media, because the two work in tandem;
one is meaningless without the other. So suppose instead that we were
to reserve a small chunk out of the container itself to hold that
metadata. The encryption can still be length-preserving, but we accept
that the usable size of the container is slightly less than its total
size on the outside, because this metadata requires some non-zero
amount of storage space; just like how we accept that creating a file
system on a volume costs a non-zero amount of storage space out of
that volume in order to provide greater flexibility in its usage. Now
the container itself can hold enough information that it's usable
without any external knowledge that would change from one container to
the next, other than the passphrase.

That latter is basically what LUKS 1 does.

As well as what LUKS 2 does.

There are of course many, many more details to _how_ it's done in
order to make it both secure and usable in practice, but that should
give you a reasonable picture of the different responsibilities
between dm-crypt itself and LUKS.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
 “Remember when, on the Internet, nobody cared that you were a dog?”