Linux Unified Key Setup (LUKS) is a specification for block device encryption. It establishes an on-disk format for the data, as well as a `passphrase/key` management policy.
LUKS uses the kernel device mapper subsystem with the `dm-crypt` module. This arrangement provides a low-level mapping that handles encryption and decryption of the device data. You can use the `cryptsetup` utility to perform user-level operations such as creating and accessing encrypted devices.
** LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.
+
** The underlying contents of the encrypted block device are arbitrary. This makes it useful for encrypting [command]`swap` devices. This can also be useful with certain databases that use specially formatted block devices for data storage.
+
** LUKS uses the existing device mapper kernel subsystem.
+
** LUKS provides passphrase strengthening which protects against dictionary attacks.
+
** LUKS devices contain multiple key slots, allowing users to add backup keys or passphrases.
What LUKS does *not* do:: {blank}
+
** LUKS is not well-suited for applications requiring more than eight users to have distinct access keys to the same device.
+
** LUKS is not well-suited for applications requiring file-level encryption.
