What happens to the files when they are being decrypted?

Question Overflow asked:

I have the server’s webroot directory mounted on a partition which is being protected with LUKS encryption. I want to know what happens to the files within when that partition is being decrypted. Does

  • a copy of the unencrypted version of these files goes to the RAM, or;

  • a copy of the unencrypted version of these files goes to the temp
    directory, or;

  • the server decrypts the files upon demand each time they are being
    accessed, or;

  • other scenarios I have missed?

The reason why I ask this is to have a better understanding on the decryption process and how it affects the server’s resource in terms of CPU and RAM and whether disk encryption with LUKS is more efficient compared to file system encryption like eCryptfs.

I tried looking at Wikipedia but could not find any such information. Not sure if this is the best place to ask this question. Feel free to migrate if you think otherwise. Thanks.


I answered:

LUKS is a block device encryption layer which sits on top of a block device and encrypts/decrypts all accesses to that device. No unencrypted data ever touches the physical device.

LUKS then provides a virtual block device which gets used by the system to access the files. It is thus transparent to applications, which have no idea that encryption is taking place.

Consider a trivial system with a single block device and a root file system on /dev/sda1. If we encrypt this with LUKS, then it will handle all direct access to that device, and will provide its own device, for instance /dev/mapper/encrypted-root which will actually be used by the system. This might be in /etc/fstab:

/dev/mapper/encrypted-root  /       ext4    noatime 0 0

So every access to a file on this filesystem will pass through LUKS.

Also note that LUKS does not know or care what data it is processing. Thus you can layer anything on top of it, whether it be a straight filesystem, a software RAID array, an LVM volume, etc. LUKS can also be placed on top of any of these.

Note well that data cached in RAM by the normal caching processes may be unencrypted.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.