cryptsetup
Cryptsetup provides an interface for configuring encryption on block devices using the Linux kernel device mapper target dm-crypt with integrated LUKS support. It includes tools for managing encrypted devices, integrity protection, and verity verification.
Description
Cryptsetup is a suite of tools for disk encryption support in Kali Linux, featuring integrated Linux Unified Key Setup (LUKS) for secure block device encryption such as /home or swap partitions. It uses the Linux kernel's dm-crypt device mapper target and is backwards compatible with cryptoloop but supports more secure formats. The package includes startup scripts for automatic configuration of encrypted devices at boot time via /etc/crypttab, cryptoroot support through initramfs-tools, and multiple passphrase or key input methods.
Key utilities include cryptsetup for LUKS management, integritysetup for dm-integrity devices, veritysetup for dm-verity verification, and wrappers like cryptdisks_start/stop and luksformat. Additional packages provide initramfs integration, experimental SSH token handling for remote unlocking, suspend mode support, and development libraries. It supports advanced features like reencryption, keyslot manipulation, and external token plugins.
Use cases include setting up full disk encryption, creating encrypted containers, verifying data integrity, and managing LUKS2 devices with modern PBKDF algorithms like argon2id.
How It Works
Cryptsetup operates through the Linux kernel's device mapper (dm-crypt) to create encrypted block devices. It formats devices with a LUKS header that holds the configuration and a set of keyslots; each keyslot stores the master key encrypted under a key derived by a PBKDF (pbkdf2 for LUKS1, argon2id for LUKS2). Devices are opened as /dev/mapper mappings using passphrases or keyfiles. integritysetup adds dm-integrity tags (default crc32c) for data integrity, while veritysetup uses dm-verity with Merkle trees (sha256 hashes) for read-only data verification. External token plugins and SSH integration enable advanced key management.
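The keyslot and PBKDF arrangement described above can be checked directly from a header image. The following is an added example, not code from the original page or the cryptsetup project: it reads a LUKS2 primary header, verifies its checksum, and lists keyslots whose PBKDF is not argon2id. The field layout is the LUKS2 on-disk format as assumed here; audit_luks2, build_sample and the sample header are hypothetical names and constructed data.

```python
import hashlib
import json
import struct

# LUKS2 primary binary header, big-endian: magic, version, hdr_size, seqid, label,
# checksum_alg, salt, uuid, subsystem, hdr_offset, padding, csum (512 bytes of fields).
HDR = struct.Struct(">6sHQQ48s32s64s40s48sQ184s64s")
MAGIC, BIN_SIZE, CSUM_OFF = b"LUKS\xba\xbe", 4096, 448

def header_checksum(area, alg):
    """Digest of the whole header area (binary + JSON) with the csum field zeroed."""
    zeroed = area[:CSUM_OFF] + bytes(64) + area[CSUM_OFF + 64:]
    return hashlib.new(alg, zeroed).digest()

def audit_luks2(blob):
    """Return (uuid, checksum_ok, {slot: kdf type}, [slots not using argon2id])."""
    if len(blob) < BIN_SIZE or blob[:6] != MAGIC:
        raise ValueError("not a LUKS header")
    f = HDR.unpack_from(blob)
    version, hdr_size, alg, uuid, csum = f[1], f[2], f[5], f[7], f[11]
    if version != 2 or not BIN_SIZE < hdr_size <= len(blob):
        raise ValueError("not LUKS2, or header area truncated")
    area = blob[:hdr_size]
    digest = header_checksum(area, alg.rstrip(b"\0").decode())
    checksum_ok = csum[:len(digest)] == digest
    # The JSON metadata follows the 4096-byte binary area and is NUL-padded.
    meta = json.loads(area[BIN_SIZE:].split(b"\0", 1)[0])
    kdfs = {slot: ks["kdf"]["type"]
            for slot, ks in meta.get("keyslots", {}).items() if "kdf" in ks}
    not_argon2id = sorted(s for s, t in kdfs.items() if t != "argon2id")
    return uuid.rstrip(b"\0").decode(), checksum_ok, kdfs, not_argon2id

def build_sample(keyslots, hdr_size=16384):
    """Build a constructed header for testing; not taken from a real device."""
    js = json.dumps({"keyslots": keyslots}).encode()
    binhdr = HDR.pack(MAGIC, 2, hdr_size, 1, b"", b"sha256", bytes(64),
                      b"00000000-0000-0000-0000-000000000000", b"", 0, b"", b"")
    area = (binhdr.ljust(BIN_SIZE, b"\0") + js).ljust(hdr_size, b"\0")
    csum = header_checksum(area, "sha256").ljust(64, b"\0")
    return area[:CSUM_OFF] + csum + area[CSUM_OFF + 64:]

# Constructed sample: slot 0 uses argon2id, slot 1 uses pbkdf2.
SAMPLE = build_sample({
    "0": {"type": "luks2", "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4}},
    "1": {"type": "luks2", "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000000}},
})

if __name__ == "__main__":
    print(audit_luks2(SAMPLE))
```

A checksum mismatch means the header area was modified or corrupted after it was last written, so keyslot findings from such a header should not be trusted.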
Installation
sudo apt install cryptsetup
Flags
Examples
cryptdisks_start -h
cryptdisks_start [-r|--readonly] <name>
cryptdisks_stop -h
luksformat -h
luksformat [-t <file system>] <device> [ mkfs options ]
cryptsetup --help
cryptsetup open <device> [<name>]
cryptsetup luksFormat <device>