[dm-crypt] Help What is ./configure --with-crypto_backend=openssl for?

Milan Broz gmazyland at gmail.com
Wed Sep 20 07:49:00 CEST 2017


On 09/20/2017 01:38 AM, Tung Nguyen wrote:
> Dear Wizard(s),
> 
> Help! I really need your help to understand --with-crypto_backend flag.
> 
> I downloaded cryptsetup-1.7.5.tar.xz and noticed that configure -h
> showed --with-crypto_backend=openssl. I wonder what that configure
> flag is for?
> 
> Obviously, the root Makefile had
> CRYPTO_LIBS = -lssl -lcrypto  
> OPENSSL_LIBS = -lssl -lcrypto
> 
> but how does dm-crypt relate or use openssl lib?

It is not for dm-crypt but for userspace; the LUKS header is processed in userspace.
It will use hash, HMAC and PBKDF2 as crypto primitives from this userspace library
when processing the LUKS header.

Once the kernel dm-crypt device is configured, it is no longer used - dm-crypt
uses only the kernel crypto API.

Anyway, there are safe defaults, so if you do not understand some option,
it is always better to not change it ;-)

(Default is to use libgcrypt. OpenSSL should provide the same capabilities,
other backends can be limited in compatibility - some hash algorithms are missing etc.
You can also configure it to use a wrapper for the kernel userspace crypto API, then
userspace is not linked to any crypto library and uses only the kernel crypto API.
But as said, there are some possible limitations.)

> ---
> The contents of this e-mail and any attachments are confidential and
> only for use by the intended recipient. Any unauthorized use,
> distribution or copying of this message is strictly prohibited. If
> you are not the intended recipient please inform the sender
> immediately by reply e-mail and delete this message from your system.
> Thank you for your co-operation.

These corporate footnotes always make me smile when they appear on a public list :-)
Please, if you can, do not use them. (I know it is sometimes forced though.)

Milan
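
The userspace step described in the reply above, as an added example that is not part of the original mail or of cryptsetup's code: it parses the fixed part of a LUKS1 header and checks a candidate master key against the stored digest with PBKDF2-HMAC. Python's `hashlib` stands in for the configured crypto backend; the field layout follows the LUKS1 on-disk format, and the sample header, key and salt are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Fixed part of the LUKS1 on-disk header (big-endian): magic, version,
# cipher name, cipher mode, hash spec, payload offset, key bytes,
# MK digest, MK digest salt, MK digest iterations, UUID. Key slots follow.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
LUKS_MAGIC = b"LUKS\xba\xbe"

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")  # NUL-padded field

def parse_phdr(blob):
    """Parse the fixed header fields; key slots are not decoded here."""
    if len(blob) < PHDR.size:
        raise ValueError("truncated header")
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iter, uuid) = PHDR.unpack_from(blob)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    return {"cipher": _cstr(cipher), "mode": _cstr(mode),
            "hash": _cstr(hash_spec), "payload_offset": payload_off,
            "key_bytes": key_bytes, "mk_digest": mk_digest,
            "mk_salt": mk_salt, "mk_iter": mk_iter, "uuid": _cstr(uuid)}

def verify_master_key(hdr, candidate):
    """Check a candidate master key against the header's MK digest.
    The digest is PBKDF2 over HMAC(hash spec): the userspace-backend work."""
    if len(candidate) != hdr["key_bytes"]:
        return False
    digest = hashlib.pbkdf2_hmac(hdr["hash"], candidate, hdr["mk_salt"],
                                 hdr["mk_iter"], dklen=len(hdr["mk_digest"]))
    return hmac.compare_digest(digest, hdr["mk_digest"])

def build_sample_header(master_key, hash_spec="sha256", iterations=1000):
    """Constructed sample header for this demo, not from a real volume."""
    salt = bytes(range(32))  # constructed salt; a real header uses random bytes
    digest = hashlib.pbkdf2_hmac(hash_spec, master_key, salt, iterations, 20)
    return PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", hash_spec.encode(),
                     4096, len(master_key), digest, salt, iterations,
                     b"00000000-0000-0000-0000-000000000000")

if __name__ == "__main__":
    mk = bytes(64)  # constructed all-zero key, demo only
    hdr = parse_phdr(build_sample_header(mk))
    print(hdr["cipher"], hdr["mode"], hdr["hash"], hdr["mk_iter"])
    print("correct key:", verify_master_key(hdr, mk))
    print("wrong key:  ", verify_master_key(hdr, b"\x01" * 64))
```

If the header names a hash the backend does not provide, `hashlib.pbkdf2_hmac` raises `ValueError`, which is the kind of compatibility limit the reply mentions for reduced backends.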

