Cryptsetup in Debian: tips, tricks, and future plans

Speaker: Guilhem Moulin

Track: Security

Type: Long talk (45 minutes)


Room: Xueshan (雪山) Live Stream

Time: Aug 03 (Fri), 15:00

Duration: 0:45

cryptsetup(8) is a popular tool to set up block-device encryption, usually based on the kernel’s dm-crypt module. The Debian package comes with its own set of features such as initramfs integration, which enables encryption of root devices, resume devices, and other devices required at the early boot stage.

I will briefly talk about the new “LUKS2” format, which is not the default yet but has been available since upstream released v2.0.0 last autumn.

However, the emphasis of the talk is on the Debian-specific features (such as key scripts, remote disk unlocking, storing key material directly in the initrd, etc.) and which use case each of them covers. Most of these features have been added over the years by popular request; but as it turns out they are not always well known, and many users are still using more or less brittle workarounds while they could use our scripts — and blame us for regressions :-) — instead.

I will conclude by sharing some of our future plans, the other features we’d like to have, the challenges and the blockers.