Introduction to cryptsetup

cryptsetup is used to set up transparent encryption of block devices using the kernel crypto API.

This package is known to build and work properly using an LFS-9.0 platform.

Package Information

cryptsetup Dependencies


JSON-C-0.13.1, libgcrypt-1.8.5, LVM2-2.03.05, and popt-1.16


libpwquality-1.4.0, Python-2.7.16, and passwdqc

User Notes:

Kernel Configuration

Encrypted block devices require kernel support. To use it, the appropriate kernel configuration parameters need to be set:

Device Drivers  --->          
  [*] Multiple devices driver support (RAID and LVM) ---> [CONFIG_MD]
       <*/M> Device mapper support                        [CONFIG_BLK_DEV_DM]
       <*/M> Crypt target support                         [CONFIG_DM_CRYPT]

Cryptographic API  --->                                    
  <*/M> XTS support                                       [CONFIG_CRYPTO_XTS]
  <*/M> SHA224 and SHA256 digest algorithm                [CONFIG_CRYPTO_SHA256]
  <*/M> AES cipher algorithms                             [CONFIG_CRYPTO_AES]
  <*/M> AES cipher algorithms (x86_64)                    [CONFIG_CRYPTO_AES_X86_64] 
  <*/M> User-space interface for symmetric key cipher algorithms
  For tests:
  <*/M> Twofish cipher algorithm                          [CONFIG_CRYPTO_TWOFISH]

Installation of cryptsetup

Install cryptsetup by running the following commands:

./configure --prefix=/usr \
            --with-crypto_backend=openssl &&

To test the result, issue as the root user: make check. Some tests may fail if the kernel configuration parameters above are not set. One (of 12) tests is known to fail.

Now, as the root user:

make install

Command Explanations

--with-crypto_backend=openssl: This parameter selects the cryptographic libraries to use with the application. gcrypt is the default.

Configuring cryptsetup

Because of the number of possible configurations, setup of encrypted volumes is beyond the scope of the BLFS book. Please see the configuration guide in the cryptsetup FAQ.


Installed Programs: cryptsetup, cryptsetup-reencrypt, integritysetup, and veritysetup
Installed Libraries:
Installed Directories: None

Short Descriptions


is used to setup dm-crypt managed device-mapper mappings.


is a for offline LUKS device re-encryption.


is a tool to manage dm-integrity (block level integrity) volumes.


is used to configure dm-verity managed device-mapper mappings. Device-mapper verity target provides read-only transparent integrity checking of block devices using kernel crypto API.

Last updated on 2019-08-18 18:01:59 -0700