# How luks encryption works

## minervaix

OK, I was hoping someone could help me with understanding how encrypting a drive with cryptsetup/LUKS works.

At first I was expecting to encrypt the entire drive and then maintain it; however, when it took less than five seconds to do the luksFormat bit I decided that there is no way it could have encrypted an entire drive in that time (that, and because there was no data on the drive yet).

So I looked at the process and thought the only way it could work is something like this (overly simplified):

1) first you create the partition
2) run cryptsetup luksFormat to put the headers on the partition so LUKS and the kernel can do their thing
3) then create a device map so you have something to mount
4) mount that device à la the usual mount, only on a virtual device

At this point there is no encryption actually being done????

5) copy data to the mapped drive <-- I'm guessing that copying data to the drive at this point is where the encryption is actually being done, and that when data is read from the mapped device it is decrypting from the actual partition.

This would make sense as to why it is recommended to fill the partition with random data before doing this, as all the data on the drive can still be read from the partition by software like photorec (which, by the way, works really well if you have deleted files with rm and still need them; it comes with the package testdisk (recovers partitions)). Get these apps with emerge testdisk.

I have also encrypted my entire root and usr partitions using LUKS, with one using a gpg-encrypted random passphrase (I mount the cdrom in my initrd and grab the key from there).

Looking forward to all replies.

Last edited by minervaix on Thu Aug 23, 2007 11:50 am; edited 1 time in total

----------

## Veldrin

I think you already understood how cryptsetup/LUKS works...

It basically inserts a layer between the filesystem and the hardware, and that layer does all the encryption.

luksFormat just creates that layer and does not overwrite the entire partition. Open the device, as you described, create a filesystem in it [mkfs.foo /dev/mapper/bar] and mount it [mount /dev/mapper/bar /foo-mountpoint]. From now on, everything works as usual.

A piece of advice: don't use this on a single core system if you value speed. There will be a huge slowdown due to a lot of context switches...

cheers

V.
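The two posts above describe the same thing from two angles: luksFormat writes only a header, luksOpen inserts a layer (the /dev/mapper device) that encrypts on write and decrypts on read, and any plaintext that was on the raw partition beforehand stays there until something writes over it. The following Python model is an added example, not code from the thread or from the cryptsetup project, and it deliberately replaces the real LUKS header layout, AF-splitting and aes-xts with toy stand-ins (an HMAC-SHA256 keystream per sector, a XOR key wrap) so that it runs with the standard library alone; only the *structure* of the mechanism is the point. Names such as `BlockDevice`, `Mapper`, `scan_plaintext` and the marker string are assumptions of this model.

```python
import hashlib
import hmac
import os

SECTOR = 512            # bytes per sector, as on a real disk
HEADER_SECTORS = 2      # toy header size; a real LUKS1 header reserves far more
MAGIC = b"TOYLUKS1"     # stand-in for the real LUKS magic bytes


class BlockDevice:
    """The raw partition: a flat byte array addressed by sector number."""

    def __init__(self, sectors):
        self.sectors = sectors
        self.buf = bytearray(SECTOR * sectors)

    def read(self, sector):
        off = sector * SECTOR
        return bytes(self.buf[off:off + SECTOR])

    def write(self, sector, data):
        assert len(data) == SECTOR
        off = sector * SECTOR
        self.buf[off:off + SECTOR] = data


def _keystream(key, sector):
    # Per-sector keystream (HMAC-SHA256 in counter mode). Toy stand-in for
    # dm-crypt's aes-xts: each sector is encrypted independently, which is
    # what lets the filesystem do random access through the mapper.
    out = b""
    ctr = 0
    while len(out) < SECTOR:
        msg = sector.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:SECTOR]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def luks_format(dev, passphrase):
    """luksFormat: write ONLY the header (magic, salt, wrapped master key).
    No other sector is touched, which is why it finishes in seconds."""
    master_key = os.urandom(32)
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, 32)
    wrapped = _xor(master_key, kek)                 # toy wrap (real LUKS: AF-split)
    check = hashlib.sha256(master_key).digest()     # lets open() reject a wrong passphrase
    header = (MAGIC + salt + wrapped + check).ljust(HEADER_SECTORS * SECTOR, b"\x00")
    for i in range(HEADER_SECTORS):
        dev.write(i, header[i * SECTOR:(i + 1) * SECTOR])


class Mapper:
    """The /dev/mapper view: offset past the header, encrypt on write, decrypt on read."""

    def __init__(self, dev, master_key):
        self.dev, self.key = dev, master_key
        self.sectors = dev.sectors - HEADER_SECTORS

    def write(self, sector, data):
        raw = sector + HEADER_SECTORS
        self.dev.write(raw, _xor(data, _keystream(self.key, raw)))

    def read(self, sector):
        raw = sector + HEADER_SECTORS
        return _xor(self.dev.read(raw), _keystream(self.key, raw))


def luks_open(dev, passphrase):
    """luksOpen: unwrap the master key from the header and create the mapping."""
    hdr = dev.read(0)
    if hdr[:8] != MAGIC:
        raise ValueError("not a LUKS device")
    salt, wrapped, check = hdr[8:24], hdr[24:56], hdr[56:88]
    kek = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, 32)
    master_key = _xor(wrapped, kek)
    if hashlib.sha256(master_key).digest() != check:
        raise ValueError("no key available with this passphrase")
    return Mapper(dev, master_key)


def scan_plaintext(dev, needle):
    """photorec-style carve over the RAW partition: sectors still holding a plaintext marker."""
    return [s for s in range(dev.sectors) if needle in dev.read(s)]


def wipe_random(dev):
    """The recommended pre-fill: every sector gets random data, so old plaintext is
    gone and unused space is indistinguishable from ciphertext."""
    for s in range(dev.sectors):
        dev.write(s, os.urandom(SECTOR))


def demo(prefill):
    """Returns (raw sectors still carrying old plaintext, data read back through the mapper)."""
    dev = BlockDevice(64)
    old = b"OLD-SECRET-FILE".ljust(SECTOR, b"A")   # constructed pre-encryption file
    dev.write(10, old)
    dev.write(40, old)
    if prefill:
        wipe_random(dev)
    luks_format(dev, b"correct horse")
    m = luks_open(dev, b"correct horse")
    m.write(8, b"new data via mapper".ljust(SECTOR, b"B"))  # lands on raw sector 10
    return scan_plaintext(dev, b"OLD-SECRET-FILE"), m.read(8)
```

Running `demo(False)` shows the thread's point: the new write through the mapper overwrites raw sector 10 with ciphertext, but the copy at raw sector 40 is still carveable because luksFormat never touched it. `demo(True)` pre-fills the partition with random data first, and the carve finds nothing.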

----------

