Nice blog https://wiki.archlinux.org/title/Data-at-rest_encryption
Ways of Encryption
- Application side. Read more at https://www.percona.com/blog/transparent-data-encryption-tde/
- Server side encryption (MySQL stores tables and other data encrypted, but reads return unencrypted data). The encryption process is transparent to the user, who can access and manipulate the data as usual without worrying about encryption and decryption.
- Client side encryption (the client writes already-encrypted data to the server; say we encrypt the data ourselves and store the encrypted result in MySQL rows)
- Disk level encryption that encrypts all data stored on a disk or storage device
- Several tools are available for implementing disk-level encryption, including BitLocker for Windows, dm-crypt for Linux, and FileVault for macOS.
All data-at-rest encryption methods operate in such a way that even though the disk actually holds encrypted data, the operating system and applications “see” it as the corresponding normal readable data as long as the cryptographic container (i.e. the logical part of the disk that holds the encrypted data) has been “unlocked” and mounted. Ref: https://wiki.archlinux.org/title/Data-at-rest_encryption
For this to happen, some “secret information” (usually in the form of a keyfile and/or passphrase) needs to be supplied by the user, from which the actual encryption key can be derived (and stored in the kernel keyring for the duration of the session).
Device Mapper - Framework provided by the Linux Kernel, used to map physical block devices to higher level virtual block devices
DM-Crypt - A target used with device mapper that provides transparent encryption. It lets us create a virtual block device where all data is encrypted on the fly before being committed to disk and decrypted the same way on reads.
LUKS - Linux Unified Key Setup. Provides an efficient, user-friendly way to store and manage keys. Without LUKS, DM-Crypt can be more cumbersome and error-prone.
Device Mapper
The device mapper is a framework provided by the Linux kernel for mapping physical block devices onto higher-level virtual block devices.
It forms the foundation of the logical volume manager (LVM), software RAIDs and dm-crypt disk encryption, and offers additional features such as file system snapshots.
- The Device Mapper is a kernel driver that provides a framework for volume management.
- It provides a generic way of creating mapped devices, which may be used as logical volumes. It does not specifically know about volume groups or metadata formats.
dm-crypt
dm-crypt is the Linux kernel’s device mapper (dm) crypto target, a transparent disk encryption subsystem in the Linux kernel. It is implemented as a device mapper target and may be stacked on top of other device mapper transformations.
Because dm-crypt is a transparent disk encryption subsystem, it is better suited to encrypting disks and partitions. It can encrypt files, but they have to be mapped as devices for this to work. You can still encrypt files by using loop devices; cryptsetup will even create those loop devices automatically as needed. https://unix.stackexchange.com/questions/275707/how-can-i-encrypt-a-file-with-dm-crypt
Ref: https://wiki.gentoo.org/wiki/Custom_Initramfs#Encrypted_keyfile
If you want to encrypt only one file, GnuPG could be a better tool. Example: gpg -c filename
https://gitlab.com/cryptsetup/cryptsetup
When you unlock an encrypted volume, cryptsetup creates a new device mapping that applications can access like any regular storage device. The actual encryption and decryption work is performed transparently by the kernel’s device-mapper dm-crypt driver.
Raw DM-Crypt requires manual key management. You have to handle key derivation, storage, and potential header formats yourself, which is prone to errors like weak key generation or incompatibility across systems.
Linux Unified Key Setup (LUKS)
LUKS builds on DM-Crypt by standardizing the on-disk format for encrypted volumes, focusing on key management. It’s essentially a header format that stores metadata (like encryption parameters and key slots) at the beginning of the block device.
LUKS is the standard on-disk format for disk encryption on Linux systems, based on the dm-crypt kernel module.
LUKS, the Linux Unified Key Setup, is a standard for disk encryption.
- It adds a standardized header at the start of the device, a keyslot area directly behind the header and the bulk data area behind that.
- The whole set is called a ‘LUKS container’. The device that a LUKS container resides on is called a ‘LUKS device’.
Demo
cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --iter-time=4000 --hash sha512 --key-file=pw.txt luksFormat /dev/sdc
- --cipher aes-xts-plain64: Specifies the encryption algorithm.
  - aes: The Advanced Encryption Standard, a very common and secure cipher.
  - xts: A block cipher mode (XTS-AES) designed for disk encryption that prevents an attacker from seeing patterns in the data.
  - plain64: The initialization vector (IV) mode.
- --key-size 512: Sets the size of the master encryption key in bits. A 512-bit key is very strong.
- --iter-time=4000: This is a security feature to make brute-force attacks much harder. It tells the system to spend 4000 milliseconds (4 seconds) repeatedly hashing your passphrase to derive the actual decryption key. A longer time means it’s much slower for an attacker to guess passwords.
- --hash sha512: The hashing algorithm used in the key derivation process. SHA-512 is a secure hashing algorithm.
- --key-file=pw.txt: Instead of prompting you to type a passphrase, this tells cryptsetup to use the content of the file pw.txt as the passphrase. This is useful for scripting.
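How --iter-time becomes an iteration count, as an added example that is not from the original post. It assumes the PBKDF2 key derivation used by LUKS1 together with the demo's --hash sha512; the function names and the attacker numbers are made up for illustration.

```python
import hashlib
import os
import time


def calibrate_pbkdf2(target_ms, hash_name="sha512", probe_iters=20000, floor=1000):
    """Return the PBKDF2 iteration count that costs about target_ms on this CPU."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"benchmark", bytes(32), probe_iters, 64)
    per_second = probe_iters / max(time.perf_counter() - start, 1e-9)
    return max(floor, int(per_second * target_ms / 1000))


def derive_slot_key(passphrase, salt, iterations, hash_name="sha512", key_bytes=64):
    """Stretch passphrase bytes into the key that unlocks a key slot."""
    return hashlib.pbkdf2_hmac(hash_name, passphrase, salt, iterations, key_bytes)


def days_to_try(candidates, iterations, attacker_iters_per_second):
    """Days needed to test every candidate passphrase at a given hashing rate."""
    return candidates * iterations / attacker_iters_per_second / 86400


if __name__ == "__main__":
    salt = os.urandom(32)
    iters = calibrate_pbkdf2(200)            # 200 ms here; the demo uses 4000 ms
    print("iterations for 200 ms:", iters)
    # A key file is used byte for byte, so a trailing newline changes the key.
    with_newline = derive_slot_key(b"secret\n", salt, iters)
    without = derive_slot_key(b"secret", salt, iters)
    print("newline changes key:", with_newline != without)
    # Constructed numbers: 10 million guesses, attacker 100x faster than this host.
    rate = iters / 0.2 * 100
    print("days at 200 ms:", round(days_to_try(10_000_000, iters, rate), 2))
    print("days at 4000 ms:", round(days_to_try(10_000_000, iters * 20, rate), 2))
```

The iteration count is fixed at format time and stored with the key slot, so a volume formatted on a slow machine gets a lower count than the same --iter-time would give on a fast one.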
time cryptsetup open --type luks /dev/sdc cryptdemo --key-file=pw.txt
- --type luks: Explicitly tells the command that this is a LUKS device.
- cryptdemo: The name for the decrypted virtual device that will be created. You will see it at /dev/mapper/cryptdemo
luksDump dumps the LUKS header information from the physical device. This works even if the volume is locked. It shows you the configuration (cipher, hash, etc.) and information about the key slots.
cryptsetup luksDump /dev/sdc
Storing data on unencrypted and encrypted volumes
Trusted Platform Module (TPM)
In Linux, a TPM is a hardware chip on your computer’s motherboard that acts as a secure cryptoprocessor to store cryptographic keys, perform cryptographic operations, and ensure the integrity of the system’s boot process.
Linux systems use TPMs for key management, device authentication, and to bind secrets, like disk encryption keys, to the system’s secure state through Platform Configuration Registers (PCRs).
The TPM specification is an operating system agnostic, international standard (from the Trusted Computing Group and International Standards Organization) for a secure cryptoprocessor, which is a dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices.