• intrepid
    link
    fedilink
    arrow-up
    4
    ·
    edit-2
    1 year ago

    Native encryption is when the filesystem driver does the decryption in addition to the regular decoding job. Dmcrypt is where encryption is done by a separate component that’s part of the kernel. Dmcrypt decrypts the raw block device (partition) and creates an unencrypted virtual block device (usually in /dev/mapper/). The filesystem driver then decodes this virtual device to give the final data access. It’s like having a filesystem within a filesystem.

    Regular bootloaders like Grub can’t decrypt anything. So the /boot device is usually on a separate unencrypted partition. You need the initramfs to be able to decrypt and decode the partition. That’s not very complicated - most users don’t even need to deal with it.

    Dmcrypt is arguably more secure than native encryption, since you won’t know the filesystem type until you decrypt the partition first. On the other hand, native encryption is likely to be faster and more flexible for complex filesystems like ZFS, Btrfs and BCachefs.