Release of Cryptsetup 2.8: Advanced Disk Encryption Utilities for Linux Enhanced with New Features

At the end of June 2025, the open-source project Cryptsetup 2.8 was released. This collection of utilities facilitates the configuration of disk partition encryption in Linux using the dm-crypt module. The solution is compatible with dm-crypt partitions, LUKS, LUKS2, BITLK, loop-AES, and TrueCrypt/VeraCrypt. The project is licensed under the GNU General Public License v2.0, and its development has been ongoing since March 2015.

Cryptsetup also includes the veritysetup and integritysetup utilities, which are designed for managing data integrity checks based on the dm-verity and dm-integrity modules.

According to information from OpenNET, the key improvements and updates in Cryptsetup 2.8 include:

— Support for inline mode has been added, enabling the use of extended sectors that incorporate an additional area for metadata storage. This feature is supported by certain NVMe drives, which allow the storage of both data and a metadata block within a sector (for instance, 4096 bytes for data plus 64 bytes for metadata).

— Cryptsetup can utilize the metadata area within a sector to store administrative information, which eliminates the need for a separate layer based on dm-integrity that allocates space for metadata. This makes it possible to forgo dm-integrity journaling, a bottleneck that negatively impacts performance. The capabilities necessary for inline mode became available in the Linux kernel as of version 6.11. The “--integrity-inline” option has been added to enable inline mode.

— The Keyslot Context API has been developed for managing key slots. This new API allows for extended functionality in many existing commands, such as activating tokens, resuming work with suspended encrypted devices, and performing re-encryption.

— The cryptsetup utility has gained the “--key-description” and “--new-key-description” options, which allow users to attach descriptions to keys.

— The capability to resume a suspended re-encryption operation has been introduced, using tokens and partition keys.

— The repair command has been enhanced with checks for damage in the areas containing LUKS key slots.

— The veritysetup command now includes the “--error-as-corruption” option, which treats any errors as data corruption, allowing users to configure a reboot or panic state in response to errors when using the “--restart-on-corruption” and “--panic-on-corruption” options.

— An optional feature to use the Mbed-TLS library as a cryptographic backend has been added (enabled during compilation with the option “--with-crypto_backend=mbedtls”).