9.0 Encrypting Directories Using cryptctl

cryptctl consists of two components:

  • A client is a machine that has one or more encrypted partitions but does not permanently store the necessary key to decrypt those partitions. For example, clients can be cloud or otherwise hosted machines.

  • The server holds encryption keys that can be requested by clients to unlock encrypted partitions.

    You can also set up the cryptctl server to store encryption keys on a KMIP 1.3-compatible (Key Management Interoperability Protocol) server. In that case, the cryptctl server will not store the encryption keys of clients and is dependent upon the KMIP-compatible server to provide these.

WARNING: cryptctl Server Maintenance

Since the cryptctl server manages timeouts for the encrypted disks and, depending on the configuration, can also hold encryption keys, it should be under your direct control and managed only by trusted personnel.

Additionally, it should be backed up regularly. Losing the server's data means losing access to encrypted partitions on the clients.

To handle encryption, cryptctl uses LUKS with aes-xts-256 encryption and 512-bit keys (XTS mode needs two AES keys, so a 512-bit LUKS master key means AES-256 for the data). Encryption keys are transferred between client and server using TLS with certificate verification.
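An added check, not part of the cryptctl documentation or the cryptctl project: a small POSIX shell script that reads the output of `cryptsetup luksDump <device>` (run as root on a client) and confirms that the volume really carries the parameters stated above, AES in XTS mode with a 512-bit key. The `luksDump` samples embedded in the script are constructed for the example, not captured from a real system; the cipher string `aes-xts-plain64` is the cryptsetup spelling of AES-XTS and is an assumption about how the header renders, as is the LUKS2 field layout.

```shell
#!/bin/sh
# Added example: verify that a LUKS volume uses AES-XTS with a 512-bit key
# by parsing `cryptsetup luksDump` output read from stdin.
# Handles both LUKS1 and LUKS2 header layouts (assumed field names).
# Exit status 0 = parameters match, 1 = mismatch or unparseable header.

check_luks_dump() {
    dump=$(cat)
    version=$(printf '%s\n' "$dump" |
        sed -n 's/^Version:[[:space:]]*\([0-9]*\).*/\1/p' | head -n 1)
    case "$version" in
    1)
        # LUKS1: "Cipher name:", "Cipher mode:" and "MK bits:" fields
        name=$(printf '%s\n' "$dump" |
            sed -n 's/^Cipher name:[[:space:]]*\([^[:space:]]*\).*/\1/p')
        mode=$(printf '%s\n' "$dump" |
            sed -n 's/^Cipher mode:[[:space:]]*\([^[:space:]]*\).*/\1/p')
        bits=$(printf '%s\n' "$dump" |
            sed -n 's/^MK bits:[[:space:]]*\([0-9]*\).*/\1/p')
        cipher="$name-$mode"
        ;;
    2)
        # LUKS2: the data segment carries "cipher: ...", each keyslot
        # "Cipher key: N bits"; the first occurrence of each is checked.
        cipher=$(printf '%s\n' "$dump" |
            sed -n 's/^[[:space:]]*cipher:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)
        bits=$(printf '%s\n' "$dump" |
            sed -n 's/^[[:space:]]*Cipher key:[[:space:]]*\([0-9]*\) bits.*/\1/p' | head -n 1)
        ;;
    *)
        echo "unrecognised LUKS header version: '$version'" >&2
        return 1
        ;;
    esac
    case "$cipher" in
    aes-xts-plain64|aes-xts-plain) ;;
    *)
        echo "unexpected cipher '$cipher' (expected aes-xts-plain64)" >&2
        return 1
        ;;
    esac
    if [ "$bits" != "512" ]; then
        echo "unexpected key size '${bits:-?}' bits (expected 512)" >&2
        return 1
    fi
    return 0
}

# Constructed sample outputs (not captured from a real system).
luks1_ok='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512'

luks2_ok='LUKS header information
Version:        2
Epoch:          3

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits'

# A volume formatted with weaker, non-cryptctl parameters: must be rejected.
luks1_weak='LUKS header information for /dev/sdc1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2048
MK bits:        256'

# Stand-alone run: check the samples, then a real device if one is given.
for sample in "$luks1_ok" "$luks2_ok" "$luks1_weak"; do
    if printf '%s\n' "$sample" | check_luks_dump 2>/dev/null; then
        echo "sample: matches aes-xts, 512-bit key"
    else
        echo "sample: does not match the documented cryptctl parameters"
    fi
done
if [ -n "${1:-}" ]; then
    cryptsetup luksDump "$1" | check_luks_dump && echo "$1: OK"
fi
```

On a client, `cryptsetup luksDump /dev/sdb1 | check_luks_dump` after sourcing the function is enough; a non-zero exit means the volume was not set up with the parameters this chapter describes and should be investigated before it is trusted with the key server.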

Figure 9-1 Key Retrieval with cryptctl (Model Without Connection to KMIP Server): the client asks the server for the disk decryption key, and the server responds with it.

NOTE: Install cryptctl

Before continuing, make sure the package cryptctl is installed on all machines you intend to set up as servers or clients.