[dm-crypt] kernel: CONFIG_KEYS

Milan Broz gmazyland at gmail.com
Sun Nov 26 10:23:03 CET 2017

On 11/26/2017 09:53 AM, Karel wrote:
> Hello,
> in linux kernel, there is this option: CONFIG_KEYS
>   "Security options" -> "Enable access key retention support"
> from the description it is not clear to me whether this has any
> relevance to cryptsetup.
> Does cryptsetup use this facility ?


new cryptsetup (version 2) will use kernel keyring (for dm-crypt volume
key and also for activation by so-called token in LUKS2).

But it will be optional, and cryptsetup should still work even without it.

If you are using LUKS version 1 (almost every device today), kernel keyring
is not used.

But keyring can be used for LUKS by some other services
(systemd cache passphrase this way already).

So I would suggest to enable it in your kernel, despite it is not yet necessary
to use in cryptsetup.


More information about the dm-crypt mailing list