@@ -94,20 +94,16 @@ submit_from_crypt_cpus
same context.
integrity:<bytes>:<type>
- Calculates and verifies integrity for the encrypted device (uses
- authenticated encryption). This mode requires metadata stored in per-bio
- integrity structure of <bytes> in size.
+ The device requires additional <bytes> metadata per-sector stored
+ in per-bio integrity structure. This metadata must by provided
+ by underlying dm-integrity target.
- This option requires that the underlying device is created by dm-integrity
- target and provides exactly <bytes> of per-sector metadata.
+ The <type> can be "none" if metadata is used only for persistent IV.
- There can by two options for <type>. The first one is used when encryption
- mode is Authenticated mode (AEAD mode), then type must be just "aead".
- The second option is integrity calculated by keyed hash (HMAC), then
- <type> is for example "hmac(sha256)".
-
- If random IV is used (persistently stored IV in metadata per-sector),
- then <bytes> includes both space for random IV and authentication tag.
+ For Authenticated Encryption with Additional Data (AEAD)
+ the <type> is "aead". An AEAD mode additionally calculates and verifies
+ integrity for the encrypted device. The additional space is then
+ used for storing authentication tag (and persistent IV if needed).
Example scripts
===============
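Review bot: In the added description of integrity:<bytes>:<type>, "This metadata must by provided" should read "must be provided" (and "by the underlying dm-integrity target"). The rewrite also drops two details the removed text stated explicitly: that the underlying device provides exactly <bytes> of per-sector metadata, and that with a persistently stored random IV <bytes> includes space for both the IV and the authentication tag. The new "(and persistent IV if needed)" leaves the reader to guess how to size <bytes>, so please keep one sentence on sizing. Since the commit message says the previous "hmac" option was merged into the same processing path, the text should also say what a user who previously passed a <type> such as "hmac(sha256)" is expected to specify now, as only "none" and "aead" remain documented.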
This patch updates old documentation to really implemented version,
previous "hmac" option was merged to the same processing path.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
---
 Documentation/device-mapper/dm-crypt.txt | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)