Full disk encryption is a well-known way to achieve confidentiality of data. Unfortunately, it usually does not provide any integrity protection because it is length-preserving (the plaintext is the same size as the ciphertext, so there is no space for data integrity tags).
Since Linux kernel 4.12 and cryptsetup2, we can configure the new Linux kernel dm-integrity and dm-crypt devices, which support data integrity protection over block devices (by emulating sector data integrity extensions over standard disks).
We will explain the architecture of such integrity-protected block devices (with the support of the new integritysetup tool) and also the possibility of using cryptographically sound data integrity protection (authenticated encryption) in combination with disk encryption.
We will also briefly introduce the new LUKS2 on-disk format, which is designed to integrate these features easily into the existing Linux disk encryption toolset.
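The following sketch illustrates the idea of keeping a per-sector integrity tag in a separate metadata area next to length-preserving sector encryption. It is an added example, not code from the talk or from dm-integrity/dm-crypt: the class and function names are hypothetical, the cipher is a toy stand-in for a real sector mode, and binding the tag to the sector number is an assumption of this sketch.

```python
import hashlib
import hmac

SECTOR = 512          # data sector size in bytes
TAG_LEN = 32          # HMAC-SHA256 tag, stored outside the data sector


def _keystream(key: bytes, sector_no: int, length: int) -> bytes:
    # Toy stand-in for a length-preserving sector cipher (not XTS, not for real use).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + sector_no.to_bytes(8, "little")
                              + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:length]


def crypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    # XOR is its own inverse, so this both encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, sector_no, len(data))))


def sector_tag(mac_key: bytes, sector_no: int, ciphertext: bytes) -> bytes:
    # The sector number is covered by the tag, so a valid sector copied
    # to another position fails verification there.
    return hmac.new(mac_key, sector_no.to_bytes(8, "little") + ciphertext,
                    hashlib.sha256).digest()


class IntegrityDisk:
    """Data sectors plus a separate per-sector metadata area for tags."""

    def __init__(self, enc_key: bytes, mac_key: bytes, sectors: int):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.data = [bytes(SECTOR)] * sectors      # ciphertext, same size as plaintext
        self.meta = [bytes(TAG_LEN)] * sectors     # emulated per-sector metadata

    def write(self, n: int, plaintext: bytes) -> None:
        assert len(plaintext) == SECTOR
        ct = crypt_sector(self.enc_key, n, plaintext)
        self.data[n], self.meta[n] = ct, sector_tag(self.mac_key, n, ct)

    def read(self, n: int, verify: bool = True) -> bytes:
        ct = self.data[n]
        if verify and not hmac.compare_digest(self.meta[n],
                                              sector_tag(self.mac_key, n, ct)):
            raise IOError(f"integrity check failed on sector {n}")
        return crypt_sector(self.enc_key, n, ct)
```

Reading with `verify=False` models plain length-preserving encryption: a modified sector decrypts to altered data without any error, while the verified read rejects it.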