LUKS provides entire block device encryption and is well suited to protecting data on virtually any device type. The transparency to the operating system by using the crypto device mapper makes it a good fit for encrypting operating systems, database storage partitions and swap devices.
Each time another high-profile data breach hits the news, the question on everyone’s lips is why their data was not encrypted. Should the worst happen and your business suffer a successful cyber-attack, your data needs a last line of defence to render it useless to the attackers.
LUKS encrypts at the block level and is an obvious choice for laptops, phones and portable media, but is also well suited for protecting your data at rest on mission critical server infrastructure both physical and virtual.
At a minimal overhead, why not add that extra layer of protection? Protect your disk contents from malicious or accidental removal, and protect your brand reputation in those events.
Benefit from transparent encryption, fast retrieval of data, secure encryption algorithms, compliance, confidential data on disk, and a 90 day key rotation.
First, we fill the disk with random data so that we don’t give away any clues should the disk fall into the wrong hands. The disk is then encrypted using LUKS tools, and each time the server is started a secure passphrase or pre-generated key is used to unlock the master key, which is then used to open the LUKS container.
The container is mapped through to the operating system via the device mapper crypt support, dm-crypt, and there you have it- a device that appears to be regular, as cryptographic operations are transparent to the filesytem via the Linux kernel. The default cipher for LUKS is aes-cbc-essiv:sha256, RedHat by default uses aes-xts-plain64:sha256.
