Why is plain dm-crypt only recommended for experts?

If I stick to standard operations, and I do not require any of the features from LUKS, what risks am I as a non-expert taking?

LUKS partitions have a header that ensures such a partition won't be seen as ext2, vfat, etc. A plain dm-crypt partition may coincidentally end up looking like an unencrypted filesystem, and has a chance of being written to accidentally, destroying your data.

LUKS checks if you entered the correct passphrase. If you put in the wrong passphrase, plain dm-crypt won't pick up on this; instead, it will happily give you a garbled crypto-mapping which may also coincidentally look like an unencrypted filesystem, and has a chance of being written to accidentally, destroying your data.

LUKS stores the type of encryption used, while dm-crypt requires you to supply the same options each time. If, after a period of not using your encrypted device, you find there are a few gaps in your recollection of what the password was, and it turns out you forgot the encryption options as well, you are doubly hosed (this happened to me personally before LUKS existed; the encrypted data wasn't so important so I just reformatted after unsuccessfully trying to get in for an hour or so).

Also, there may have been a period during the development of cryptsetup in which essiv was not the default for dm-crypt, but was for LUKS, and the documentation you are reading may have been intended to allude to that.

Finally, some of the options of LUKS do things that are important from a security standpoint. For example, suppose you fall asleep while authenticating with Gmail and accidentally type in your drive password. In dm-crypt there is no way to change the password without re-encrypting your whole device (and doing so in-place is risky, since a system crash or power loss event will leave you with a guaranteed hosed system). With LUKS, you can change the password.


I feel this should be mentioned here.

By far the most questions searched about cryptsetup and LUKS problems are from people that have managed to damage the start of their LUKS partitions, the LUKS header. If the LUKS header is lost or corrupt (which happens more often than you'd like), it is impossible to recover the data even if you have the key! Make sure you understand the problem and limitations imposed by the LUKS security model BEFORE you're faced with such a miserable situation.

That may not exactly answer the question, why is plain dm-crypt only for experts? But from some people's perspective, you're an 'expert' once you've been through the above scenario with LUKS and realized that, in many use cases, plain dm-crypt is far superior. It reliably encrypts (and does do password hashing) and if you know what you're doing you can change the cipher parameters to what suits you.

Expert sysops should understand that the lack of a LUKS header prevents many tools from knowing that the drive is encrypted. To some, that's a valuable feature. Why go through the bother of encrypting something if everyone knows it's encrypted, and with what cipher name and mode (which is easy to obtain from a valid/backup LUKS header without a key)? In many cases, LUKS is far less secure AND less reliable.

Atsby touched on another, older view of plain dm-crypt, in that AES-CBC (without ESSIV) is considered unsafe. That's expert cryptographer stuff. This explains that fairly well, imho: XTS vs AES-CBC with ESSIV for file-based filesystem encryption
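
Both answers above turn on what the first bytes of a device reveal: the first says the LUKS header stops the volume being mistaken for ext2 or vfat, the second says cipher name and mode can be read from that header without a key. The sketch below is an added example, not code from either answer; it assumes the LUKS1 on-disk layout (LUKS2 is only recognised by magic and version), and all three sample buffers are constructed.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 header fields from magic through UUID, big-endian, 208 bytes.
LUKS1_FMT = ">6sH32s32s32sII20s32sI40s"
EXT_MAGIC_AT = 1024 + 56      # ext2/3/4 superblock field s_magic
EXT_MAGIC = b"\x53\xef"       # 0xEF53 stored little-endian


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def identify(blob):
    """Classify the start of a block device using no key material at all."""
    if len(blob) >= 8 and blob[:6] == LUKS_MAGIC:
        version = struct.unpack_from(">H", blob, 6)[0]
        info = {"type": "luks", "version": version}
        if version == 1 and len(blob) >= struct.calcsize(LUKS1_FMT):
            f = struct.unpack_from(LUKS1_FMT, blob)
            info.update(cipher=_cstr(f[2]), mode=_cstr(f[3]), hash=_cstr(f[4]),
                        payload_offset=f[5], key_bytes=f[6], uuid=_cstr(f[10]))
        return info
    if blob[EXT_MAGIC_AT:EXT_MAGIC_AT + 2] == EXT_MAGIC:
        return {"type": "ext2/3/4"}
    return {"type": "unknown"}   # what an intact plain dm-crypt device gives


def sample_luks1():
    """Constructed LUKS1 header: zeroed digest/salt, placeholder UUID."""
    return struct.pack(LUKS1_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64",
                       b"sha256", 4096, 64, bytes(20), bytes(32), 1000,
                       b"00000000-0000-0000-0000-000000000000")


def sample_plain():
    """Constructed stand-in for plain dm-crypt ciphertext (no signature)."""
    return bytes((i * 167 + 13) % 256 for i in range(2048))


def sample_unlucky():
    """Same bytes, but two of them happen to equal the ext magic."""
    blob = bytearray(sample_plain())
    blob[EXT_MAGIC_AT:EXT_MAGIC_AT + 2] = EXT_MAGIC
    return bytes(blob)


if __name__ == "__main__":
    for name, fn in [("luks1", sample_luks1), ("plain", sample_plain),
                     ("unlucky", sample_unlucky)]:
        print(name, identify(fn()))
```

The `unlucky` buffer only shows that the two-byte ext magic can appear in headerless ciphertext; this sketch does none of the further superblock sanity checks a real probing tool may apply.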