Presentation: Authenticated disk encryption and protection from bit rot in Linux using dm-integrity

by vimja on 2024-04-24

  • Date: Thursday, 23st of May
  • Time: From 19:30 until about 20:30
  • Location: At our hackerspace (Kyburgstrasse 13 in 3013 Bern)

dm-integrity is a relatively young component in the Linux storage stack. This device mapper target adds two important abilities that have been lacking in Linux before.

One of those is protection from bit rot, that is to say the gradual degradation of the storage medium and the resulting loss of data. This process is inherent to all types of storage media, if not to the same degree. dm-integrity adds the ability to detect bit rot which then empowers us to combat it.

The second new ability is authenticated encryption. LUKS / dm-crypt has long been providing good full disk encryption on Linux systems. A tight integration with dm-integrity now brings protection from additional, if admittedly exotic, attack vectors.

I will describe both use cases in more detail in my presentation. It will also feature some advantages and disadvantages and explain how to integrate dm-integrity with some typical storage stack set-ups.

The image shows how different functions in a Linux storage set-up stack on top of each other. Each function is represented as it's own layer. 5 SSDs represent the base layer, following that are partitions, two layer of LUKS with one being integrity and the other being encryption, RAID, LVM and finally the filesystems and SWAP on top. There is a second set of partitions, too, hosting a rather simpler set-up with only a RAID and filesystem for /boot.
Example of the integration of dm-integrity into a typical storage set-up in Linux.


Free access to knowledge is one of our core values. As such and as always, entry to the presentation will be free to all. However, with the pending relocation of our hackerspace we will be taking a collection. Anyone who can afford it is kindly asked to contribute some money to our moving funds.