On this page
Crypto API and Storage Encryption
Coverage: Crypto API → dm-crypt/LUKS2 → fscrypt → WireGuard → kTLS → Hardware Acceleration → TPM Kernel Versions: 2.6 ~ 6.x
Crypto API: Unified Encryption Framework
// crypto/ — Unified interface for all cryptographic operations in the kernel
// Supports both synchronous and asynchronous (hardware accelerator) operations
// Operation types:
;
;
;
;
dm-crypt / LUKS2
dm-crypt: Block device-level transparent encryption (inserts an encryption layer between bio and block device)
LUKS2: Key management and metadata format for dm-crypt
LUKS header (first 16MB):
- Encryption algorithm: aes-xts-plain64, aes-cbc-essiv, ...
- Key slots (up to 8): Each slot contains an encrypted master key (unlocked by passphrase/PKCS#11/tpm2)
- PBKDF: argon2id (LUKS2, resistant to GPU/ASIC attacks) or PBKDF2 (LUKS1)
Data path:
bio → scatter-gather list → crypto_skcipher → encrypt/decrypt per sector
→ Submit to underlying block device
Encryption modes: XTS (recommended), CBC-ESSIV (compatible)
fscrypt: Filesystem-Native Encryption
// fs/crypto/
// Difference from dm-crypt: Not block-device-level, but per-file/per-directory
// Each file uses its own key (derived from user master key + per-file nonce)
// → Different keys for different files → Even if the filesystem is read offline, files cannot be correlated
// Supported: ext4, f2fs, UBIFS (Android)
// Usage: Android adoptable storage, Chrome OS user data
// ioctl interface:
FS_IOC_SET_ENCRYPTION_POLICY // Set encryption policy for a directory
FS_IOC_GET_ENCRYPTION_PWSALT // Get per-directory salt
WireGuard
// drivers/net/wireguard/ (Merged into mainline in 5.6+)
// Protocol: Noise + ChaCha20-Poly1305 + Curve25519
// ~4000 lines of code → Feasible for security audit
// Key design features:
// - Connectionless: Upon receiving a valid packet → Automatically establish session
// - Key rotation: Noise IK handshake → Symmetric keys rotated every 2 minutes
// - Post-quantum resistance: Not a priority (Curve25519 is currently optimal)
// Interface: Standard network device + rtnetlink
wg-quick up wg0 → /etc/wireguard/wg0.conf
kTLS (Kernel TLS, 4.13+)
// net/tls/
// Moves TLS record layer to kernel → Enables zero-copy operations like sendfile in userspace with TLS
// Use cases: HTTPS proxies (nginx/haproxy), file servers
;
// → Kernel takes over symmetric encryption → sendfile() sends encrypted data directly
// Supported: TLS 1.2 (AES-GCM), TLS 1.3 (AES-GCM, ChaCha20-Poly1305)
// Hardware offload: Network cards supporting kTLS offload (Mellanox, Intel)
Hardware Acceleration
x86 AES-NI: AES instruction set → ~10x encryption speed
x86 CLMUL: Carry-less multiplication (GHASH for GCM)
x86 SHA-NI: SHA-1/SHA-256 hardware acceleration
ARMv8 CE: Crypto Extensions (AES, SHA, GHASH)
Kernel auto-selection: If hardware accelerator available → Use accelerated tfm → Software fallback otherwise
TPM: Trusted Platform Module
// drivers/char/tpm/
// TPM 2.0 (TPM 1.2 is deprecated) → Secure key storage, boot chain measurement, remote attestation
// Integration with LUKS:
// TPM stores LUKS key → Releases key only when known-good PCR values are present (systemd-cryptenroll)
// Tampered kernel → PCR values change → TPM refuses to release key → Disk becomes unreadable
References
- Source Code:
crypto/,drivers/md/dm-crypt.c,fs/crypto/,drivers/net/wireguard/,net/tls/,drivers/char/tpm/ - Kernel Documentation:
Documentation/crypto/,Documentation/filesystems/fscrypt.rst
Keywords: Crypto API, dm-crypt, LUKS2, fscrypt, WireGuard, kTLS, AES-NI, TPM