Cryptsetup 2.8 is out today as the newest feature release of this widely-used utility for setting up disk encryption under Linux on top of the kernel's DM-CRYPT functionality, for LUKS volumes and more.
Most prominent in Cryptsetup 2.8 is support for an inline mode that makes use of hardware sectors with additional hardware metadata space. This inline mode currently works with select enterprise NVMe SSDs and can be used to overcome the performance bottleneck of the DM-INTEGRITY journal.
The Cryptsetup 2.8 release notes explain the new inline mode:
“Introduce support for inline mode (use HW sectors with additional hardware metadata space).
Some enterprise NVMe drives allow formatting sector size with additional metadata space, for example, sector size 4096 bytes + 64 bytes for metadata. We hope common firmware will soon support such features in more recent models.
If this metadata space is available (not internally used by a data integrity profile), it removes the need to use the dm-integrity layer for sector metadata allocation. This means that the performance bottleneck caused by the dm-integrity journal is eliminated.
Note: such a drive must be reformatted with an external nvme tool. You can check for support (reported as LBA format) by running the command “nvme id-ns -H ” and then you can reformat to the selected profile (with complete data loss) with “nvme format -l ”. This way, you can also reformat an NVMe drive to 4096-byte sectors, which is strongly recommended for encryption performance.
The required device mapper for inline mode was introduced in Linux kernel version 6.11.
The inline mode can be used with the new --integrity-inline option.
For integritysetup, the kernel dm-integrity layer is still used, but it directly maps metadata to the hardware (eliminating the journal). For cryptsetup, the dm-integrity layer is eliminated, and only the dm-crypt kernel driver is used. The libcryptsetup exports a new crypt_format_inline API call.
Examples (underlying device must provide inline HW metadata space):
Use integritysetup format with inline mode with default CRC32 checksums:
# integritysetup format --sector-size 4096 --integrity-inline [--no-wipe]
# integritysetup open test
# integritysetup status test
/dev/mapper/test is active.
type: INTEGRITY
tag size: 4 [bytes]
integrity: crc32c
device:
sector size: 4096 [bytes]
…
inline mode
journal: not active

Use LUKS2 with authenticated encryption (here with the AEGIS AEAD cipher):
# cryptsetup luksFormat --integrity-inline --integrity aead --sector-size 4096 -c aegis128-random --key-size 128 [--integrity-no-wipe]
# cryptsetup open test
# cryptsetup luksDump
…
Requirements: inline-hw-tags

After format, the inline mode is used automatically, and no special options are needed. Please check the manual pages for more details about the options used.
Note that the LUKS2 authenticated encryption is still an experimental feature. The inline mode only improves performance by removing the dm-integrity layer.”
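As an added example (not from the article or from the cryptsetup project), the following POSIX shell script parses the human-readable “nvme id-ns -H” listing that the release notes point to and reports which LBA formats expose the per-sector metadata space that inline mode needs, preferring 4096-byte data sectors as the notes recommend. The identify output embedded in the script is constructed for the example, modelled on nvme-cli's “LBA Format N : Metadata Size: … Data Size: …” lines; the script only reads that text and never reformats anything, so the destructive “nvme format” step stays a deliberate, separate decision.

```shell
#!/bin/sh
# Added example, not part of cryptsetup or the article. Parses the
# "LBA Format" lines printed by `nvme id-ns -H` (read from stdin) to
# find formats with inline metadata space. The sample below is constructed.

SAMPLE_ID_NS='NVME Identify Namespace 1:
LBA Format  0 : Metadata Size: 0   bytes - Data Size: 512 bytes - Relative Performance: 0x2 Good (in use)
LBA Format  1 : Metadata Size: 8   bytes - Data Size: 512 bytes - Relative Performance: 0x2 Good
LBA Format  2 : Metadata Size: 0   bytes - Data Size: 4096 bytes - Relative Performance: 0 Best
LBA Format  3 : Metadata Size: 64  bytes - Data Size: 4096 bytes - Relative Performance: 0 Best'

# list_inline_lbafs: for every LBA format whose metadata size is non-zero,
# print "<lbaf-index> <data-bytes> <metadata-bytes>[ in-use]".
list_inline_lbafs() {
    awk '
        /^LBA Format/ {
            lbaf = $3; meta = 0; data = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "Metadata" && $(i+1) == "Size:") meta = $(i+2)
                if ($i == "Data" && $(i+1) == "Size:") data = $(i+2)
            }
            if (meta + 0 > 0) {
                flag = ($0 ~ /\(in use\)/) ? " in-use" : ""
                printf "%s %s %s%s\n", lbaf, data, meta, flag
            }
        }'
}

# pick_4k_inline_lbaf: print the index of the 4096-byte-sector format with
# the most metadata space; exit 1 when the drive offers none (i.e. inline
# mode is not available and dm-integrity with its journal is still needed).
pick_4k_inline_lbaf() {
    list_inline_lbafs | awk '
        $2 == 4096 && $3 + 0 > best { best = $3 + 0; idx = $1 }
        END { if (idx == "") exit 1; print idx }'
}

# Stand-alone run on the constructed sample; on a real system you would feed
# `nvme id-ns -H /dev/nvmeXnY` into the functions instead.
printf '%s\n' "$SAMPLE_ID_NS" | list_inline_lbafs
if lbaf=$(printf '%s\n' "$SAMPLE_ID_NS" | pick_4k_inline_lbaf); then
    echo "candidate LBA format for inline mode: $lbaf (would need: nvme format -l $lbaf <dev>, destroying all data)"
else
    echo "no 4096-byte LBA format with metadata space; inline mode unavailable"
fi
```

The printed “nvme format -l” line is only a suggestion echoed for the operator; the check is read-only, which is the order a practitioner wants: confirm the namespace really exposes a metadata-bearing 4096-byte format before any reformat or luksFormat --integrity-inline is attempted.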
Cryptsetup 2.8 also brings updates around the Keyslot context API use, OPAL2 handling updates and fixes, optimizing LUKS2 metadata writes, and various other fixes and updates. Cryptsetup 2.8 can be downloaded from GitLab.