Encrypting volumes without LUKS

In an environment where you do not want to, or cannot, use encrypted volumes formatted with LUKS2, you can use encrypted volumes in plain mode as an alternative. This way, you can take advantage of the features of the infrastructure for protected volume encryption in the cryptsetup plain mode, as described in the contained subtopics.

In contrast to LUKS, the keys used to open a volume in plain mode are not protected by a passphrase. In the infrastructure for protected volume encryption, these keys are secure keys and therefore do not need additional encryption with a passphrase. Secure keys are usable only on systems that have access to a cryptographic coprocessor with the correct master key.

In plain mode, you can also use the zkey utility to manage a secure key repository that helps you to work with encrypted volumes in plain mode. The repository lets you associate secure keys with volumes and records the volume type. Therefore, zkey can generate the commands required to open a plain-mode volume for you.