User guide

default_algorithms = ALL
dynamic_path = /usr/lib/openssl/engines/libpadlock.so
init = 1
Note: for 64-bit systems, use dynamic_path = /usr/lib64/openssl/engines/libpadlock.so.
To check if the module is enabled, run the following command:
# openssl engine -c -tt
To test its speed, run the following command:
# openssl speed aes-128-cbc
To test the speed of OpenSSH you can run a command like the following:
# dd if=/dev/zero count=100 bs=1M | ssh -c aes128-cbc localhost "cat >/dev/null"
PadLock is a third-party initiative available in the Linux kernel. You can find out more about the
VIA PadLock engine at the following URLs: http://www.logix.cz/michal/devel/padlock/ and
http://www.via.com.tw/en/initiatives/padlock/.
3.8. LUKS Disk Encryption
Linux Unified Key Setup-on-disk-format (or LUKS) allows you to encrypt partitions on your Linux
computer. This is particularly important when it comes to mobile computers and removable media.
LUKS allows multiple user keys to decrypt a master key which is used for the bulk encryption of the
partition.
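The key-slot design described above, modelled as an added example (not code from this guide or from cryptsetup): every passphrase wraps the same master key, so any one of them unlocks the partition and a single passphrase can be revoked without re-encrypting data. The class, its method names, the iteration count and the XOR key wrap are assumptions made for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 1000   # constructed, kept low so the demo is fast; real LUKS uses a much higher count
KEY_LEN = 16        # 128-bit master key, matching the AES 128 default this page names

def kdf(secret, salt):
    """PBKDF2-HMAC-SHA256, used here for slot keys and for the master-key digest."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, KEY_LEN)

def xor(a, b):
    # Toy key wrap (assumption): stands in for the cipher and anti-forensic
    # splitting that real LUKS applies to the stored key material.
    return bytes(x ^ y for x, y in zip(a, b))

class ToyLuksHeader:
    """Hypothetical model: one master key, several passphrase-protected slots."""

    def __init__(self, slots=8):
        self.slots = [None] * slots
        self.mk_salt = os.urandom(32)
        self.mk_digest = None

    def format(self, passphrase):
        """Create the master key once and protect it with the first passphrase."""
        master_key = os.urandom(KEY_LEN)
        self.mk_digest = kdf(master_key, self.mk_salt)
        self.add_key(master_key, passphrase)
        return master_key

    def add_key(self, master_key, passphrase):
        """Wrap the same master key under another passphrase; returns the slot index."""
        index = self.slots.index(None)      # raises ValueError when every slot is used
        salt = os.urandom(32)
        self.slots[index] = (salt, xor(master_key, kdf(passphrase, salt)))
        return index

    def open(self, passphrase):
        """Try each active slot; accept a candidate only if it matches the digest."""
        for slot in filter(None, self.slots):
            salt, wrapped = slot
            candidate = xor(wrapped, kdf(passphrase, salt))
            if hmac.compare_digest(kdf(candidate, self.mk_salt), self.mk_digest):
                return candidate
        return None

    def kill_slot(self, index):
        """Revoke one passphrase; the master key and the encrypted data are untouched."""
        self.slots[index] = None
```

Anyone who recovers the master key can decrypt the partition regardless of later slot changes, which is why revoking a passphrase only protects against someone who never unlocked the volume.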
3.8.1. LUKS Implementation in Red Hat Enterprise Linux
Red Hat Enterprise Linux 6 utilizes LUKS to perform file system encryption. By default, the option to
encrypt the file system is unchecked during the installation. If you select the option to encrypt your hard
drive, you will be prompted for a passphrase that will be requested every time you boot the computer. This
passphrase "unlocks" the bulk encryption key that is used to decrypt your partition. If you choose to
modify the default partition table, you can choose which partitions you want to encrypt. This is set in the
partition table settings.
The default implementation of LUKS in Red Hat Enterprise Linux is AES 128 with SHA256 hashing.
Ciphers that are available are:
AES - Advanced Encryption Standard - FIPS PUB 197
Twofish (A 128-bit Block Cipher)
Serpent
cast5 - RFC 2144
cast6 - RFC 2612