[dm-crypt] hardware encryption question

[dm-crypt] hardware encryption question

[Chuck Tuffli]

I'm developing a device driver for a SCSI card that is able to do
XTS-AES encryption as a part of IO. Is it possible for dm-crypt to
take advantage of this encryption offload? If not, what would I need
to change to enable this capability? TIA!

---chuck

Re: [dm-crypt] hardware encryption question

[Milan Broz]

On 02/26/2011 12:35 AM, Chuck Tuffli wrote:
> I'm developing a device driver for a SCSI card that is able to do
> XTS-AES encryption as a part of IO. Is it possible for dm-crypt to
> take advantage of this encryption offload? If not, what would I need
> to change to enable this capability? TIA!

dm-crypt uses kernel cryptoAPI, so if you implement proper driver
for cryptoAPI and this driver will be primary (or automatically detected)
for the cipher/mode it will be used in dm-crypt.

But it if it is not able to separate encryption from io path, you
cannot use it in dm-crypt. But you can stack other block devices over it
(like LVM).

Milan

Re: [dm-crypt] hardware encryption question

[Chuck Tuffli]

On Sat, Feb 26, 2011 at 2:18 AM, Milan Broz <mbroz@redhat.com> wrote:
> dm-crypt uses kernel cryptoAPI, so if you implement proper driver
> for cryptoAPI and this driver will be primary (or automatically detected)
> for the cipher/mode it will be used in dm-crypt.
>
> But it if it is not able to separate encryption from io path, you
> cannot use it in dm-crypt. But you can stack other block devices over it
> (like LVM).

Milan -

The device cannot separate encryption from the IO path, but cryptsetup
seems like a great interface and I would love to take advantage of it
if at all possible. Do you have any advice on possible approaches I
might consider? For example, would creating a new dm-something driver
that passed keys etc. to my driver + modifications to cryptsetup to
recognize this path work? Or would it make more sense to by-pass the
device mapper entirely but still use cryptsetup? Or ... ?

Thanks again for your help!

---chuck

Re: [dm-crypt] hardware encryption question

[Milan Broz]

On 03/03/2011 02:28 AM, Chuck Tuffli wrote:
> The device cannot separate encryption from the IO path, but cryptsetup
> seems like a great interface and I would love to take advantage of it
> if at all possible. Do you have any advice on possible approaches I
> might consider? For example, would creating a new dm-something driver
> that passed keys etc. to my driver + modifications to cryptsetup to
> recognize this path work? Or would it make more sense to by-pass the
> device mapper entirely but still use cryptsetup? Or ... ?

If there is (or will be) some generic interface for hw-disk FDE, maybe
it can be added some day into libcryptsetup.

dm-crypt (resp. device-mapper) backend is currently fixed in code,
but if there is an alternative, I'll add code to support different backend.

(devel code just did the same for various userspace crypto backends)

But adding code just for one proprietary device is not the option.

Milan