Cryptsetup

From aldeid

Description

Setup cryptographic volumes for dm-crypt (including LUKS extension).

Usage

Syntax

cryptsetup [OPTION...] <action> <action-specific>

Options

-v, --verbose
Shows more detailed error messages
--debug
Show debug messages
--debug-json
Show debug messages including JSON metadata
-c, --cipher=STRING
The cipher used to encrypt the disk (see /proc/crypto)
-h, --hash=STRING
The hash used to create the encryption key from the passphrase
-y, --verify-passphrase
Verifies the passphrase by asking for it twice
-d, --key-file=STRING
Read the key from a file
--master-key-file=STRING
Read the volume (master) key from file.
--dump-master-key
Dump volume (master) key instead of keyslots info
-s, --key-size=BITS
The size of the encryption key
-l, --keyfile-size=bytes
Limits the read from keyfile
--keyfile-offset=bytes
Number of bytes to skip in keyfile
--new-keyfile-size=bytes
Limits the read from newly added keyfile
--new-keyfile-offset=bytes
Number of bytes to skip in newly added keyfile
-S, --key-slot=INT
Slot number for new key (default is first free)
-b, --size=SECTORS
The size of the device
--device-size=bytes
Use only specified device size (ignore rest of device). DANGEROUS!
-o, --offset=SECTORS
The start offset in the backend device
-p, --skip=SECTORS
How many sectors of the encrypted data to skip at the beginning
-r, --readonly
Create a readonly mapping
-q, --batch-mode
Do not ask for confirmation
-t, --timeout=secs
Timeout for interactive passphrase prompt (in seconds)
--progress-frequency=secs
Progress line update (in seconds)
-T, --tries=INT
How often the input of the passphrase can be retried
--align-payload=SECTORS
Align payload at <n> sector boundaries - for luksFormat
--header-backup-file=STRING
File with LUKS header and keyslots backup
--use-random
Use /dev/random for generating volume key
--use-urandom
Use /dev/urandom for generating volume key
--shared
Share device with another non-overlapping crypt segment
--uuid=STRING
UUID for device to use
--allow-discards
Allow discards (aka TRIM) requests for device
--header=STRING
Device or file with separated LUKS header
--test-passphrase
Do not activate device, just check passphrase
--tcrypt-hidden
Use hidden header (hidden TCRYPT device)
--tcrypt-system
Device is system TCRYPT drive (with bootloader)
--tcrypt-backup
Use backup (secondary) TCRYPT header
--veracrypt
Scan also for VeraCrypt compatible device
--veracrypt-pim=INT
Personal Iteration Multiplier for VeraCrypt compatible device
--veracrypt-query-pim
Query Personal Iteration Multiplier for VeraCrypt compatible device
-M, --type=STRING
Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk
--force-password
Disable password quality check (if enabled)
--perf-same_cpu_crypt
Use dm-crypt same_cpu_crypt performance compatibility option
--perf-submit_from_crypt_cpus
Use dm-crypt submit_from_crypt_cpus performance compatibility option
--deferred
Device removal is deferred until the last user closes it
--serialize-memory-hard-pbkdf
Use global lock to serialize memory hard PBKDF (OOM workaround)
-i, --iter-time=msecs
PBKDF iteration time for LUKS (in ms)
--pbkdf=STRING
PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2
--pbkdf-memory=kilobytes
PBKDF memory cost limit
--pbkdf-parallel=threads
PBKDF parallel cost
--pbkdf-force-iterations=LONG
PBKDF iterations cost (forced, disables benchmark)
--priority=STRING
Keyslot priority: ignore, normal, prefer
--disable-locks
Disable locking of on-disk metadata
--disable-keyring
Disable loading volume keys via kernel keyring
-I, --integrity=STRING
Data integrity algorithm (LUKS2 only)
--integrity-no-journal
Disable journal for integrity device
--integrity-no-wipe
Do not wipe device after format
--integrity-legacy-padding
Use inefficient legacy padding (old kernels)
--token-only
Do not ask for passphrase if activation by token fails
--token-id=INT
Token number (default: any)
--key-description=STRING
Key description
--sector-size=INT
Encryption sector size (default: 512 bytes)
--persistent
Set activation flags persistent for device
--label=STRING
Set label for the LUKS2 device
--subsystem=STRING
Set subsystem label for the LUKS2 device
--unbound
Create unbound (no assigned data segment) LUKS2 keyslot
--json-file=STRING
Read or write the json from or to a file
--luks2-metadata-size=bytes
LUKS2 header metadata area size
--luks2-keyslots-size=bytes
LUKS2 header keyslots area size
--refresh
Refresh (reactivate) device with new parameters
--keyslot-key-size=BITS
LUKS2 keyslot: The size of the encryption key
--keyslot-cipher=STRING
LUKS2 keyslot: The cipher used for keyslot encryption
--encrypt
Encrypt LUKS2 device (in-place encryption).
--decrypt
Decrypt LUKS2 device (remove encryption).
--init-only
Initialize LUKS2 reencryption in metadata only.
--resume-only
Resume initialized LUKS2 reencryption only.
--reduce-device-size=bytes
Reduce data device size (move data offset). DANGEROUS!
--hotzone-size=bytes
Maximal reencryption hotzone size.
--resilience=STRING
Reencryption hotzone resilience type (checksum,journal,none)
--resilience-hash=STRING
Reencryption hotzone checksums hash
--active-name=STRING
Override device autodetection of dm device to be reencrypted

Actions

<action> is one of
  • open <device> [--type <type>] [<name>] - open device as <name>
  • close <name> - close device (remove mapping)
  • resize <name> - resize active device
  • status <name> - show device status
  • benchmark [--cipher <cipher>] - benchmark cipher
  • repair <device> - try to repair on-disk metadata
  • reencrypt <device> - reencrypt LUKS2 device
  • erase <device> - erase all keyslots (remove encryption key)
  • convert <device> - convert LUKS from/to LUKS2 format
  • config <device> - set permanent configuration options for LUKS2
  • luksFormat <device> [<new key file>] - formats a LUKS device
  • luksAddKey <device> [<new key file>] - add key to LUKS device
  • luksRemoveKey <device> [<key file>] - removes supplied key or key file from LUKS device
  • luksChangeKey <device> [<key file>] - changes supplied key or key file of LUKS device
  • luksConvertKey <device> [<key file>] - converts a key to new pbkdf parameters
  • luksKillSlot <device> <key slot> - wipes key with number <key slot> from LUKS device
  • luksUUID <device> - print UUID of LUKS device
  • isLuks <device> - tests <device> for LUKS partition header
  • luksDump <device> - dump LUKS partition information
  • tcryptDump <device> - dump TCRYPT device information
  • bitlkDump <device> - dump BITLK device information
  • luksSuspend <device> - Suspend LUKS device and wipe key (all IOs are frozen)
  • luksResume <device> - Resume suspended LUKS device
  • luksHeaderBackup <device> - Backup LUKS device header and keyslots
  • luksHeaderRestore <device> - Restore LUKS device header and keyslots
  • token <add|remove|import|export> <device> - Manipulate LUKS2 tokens
<name> is the device to create under /dev/mapper
<device> is the encrypted device
<key slot> is the LUKS key slot number to modify
<key file> optional key file for the new key for luksAddKey action

Defaults

Default compiled-in metadata format is LUKS2 (for luksFormat action).
The values below are what cryptsetup --help reports for the build this page was taken from; they differ between builds and releases (later releases default LUKS2 to argon2id), so check them with cryptsetup --help on the target system and verify the parameters of an already formatted device with luksDump instead of assuming the defaults.
Default compiled-in key and passphrase parameters
Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF for LUKS1
pbkdf2, iteration time: 2000 (ms)
Default PBKDF for LUKS2
argon2i
Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4
Default compiled-in device cipher parameters
loop-AES: aes, Key 256 bits
plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
LUKS: Default keysize with XTS mode (two internal keys) will be doubled.
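The listing of actions above and the defaults in this section are best checked together: format with every parameter spelled out, then confirm with luksDump what the header actually holds. The following script is an added example and is not code from the aldeid page or from the cryptsetup project. It assumes the LUKS2 luksDump layout of cryptsetup 2.x, and the function names (luks_keyslot_field, luks_audit, sample_dump, luks_demo_workflow), the policy floors MIN_PBKDF2_ITER and MIN_ARGON_MEM_KB, the LUKS_DEMO switch, the scratch image under /tmp and the two sample passphrases are all this example's own choices. The luksDump text it parses offline is constructed, not captured from a device.

```shell
# Added example, not code from the aldeid page or the cryptsetup project. It
# assumes the LUKS2 luksDump layout; the policy floors are assumptions, not defaults.
MIN_PBKDF2_ITER="${MIN_PBKDF2_ITER:-100000}"   # assumed floor for pbkdf2 keyslots
MIN_ARGON_MEM_KB="${MIN_ARGON_MEM_KB:-65536}"  # assumed floor for argon2 memory cost

# Print one first-token field ("PBKDF:", "Iterations:", "Memory:", "Key:") of keyslot $1
# from luksDump text on stdin. Only the "Keyslots:" section is read, so the Digests
# section's own Iterations line is never taken for a keyslot's.
luks_keyslot_field() {
    awk -v want="$1" -v field="$2" '
        /^[^ \t]/ { insl = ($0 ~ /^Keyslots:/); next }        # top-level section header
        !insl { next }
        /^ *[0-9]+: / { slot = $1; sub(":", "", slot); next }  # "  0: luks2"
        slot == want && $1 == field { print $2; exit }
    '
}

# Exit 0 if every keyslot meets policy, 1 otherwise; findings go to stdout.
luks_audit() {
    awk -v min_iter="$MIN_PBKDF2_ITER" -v min_mem="$MIN_ARGON_MEM_KB" '
        /^[^ \t]/ { insl = ($0 ~ /^Keyslots:/); next }
        !insl { next }
        /^ *[0-9]+: / { slot = $1; sub(":", "", slot); order[++n] = slot; next }
        $1 == "PBKDF:"      { pbkdf[slot] = $2 }
        $1 == "Iterations:" { iter[slot] = $2 }
        $1 == "Memory:"     { mem[slot] = $2 }
        $1 == "Key:"        { bits[slot] = $2 }
        $1 == "Cipher:"     { cipher[slot] = $2 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (pbkdf[s] == "pbkdf2" && iter[s] + 0 < min_iter) {
                    print "slot " s ": pbkdf2 with " iter[s] " iterations (< " min_iter ")"; bad = 1
                } else if (pbkdf[s] ~ /^argon2/ && mem[s] + 0 < min_mem) {
                    print "slot " s ": " pbkdf[s] " memory " mem[s] " kB (< " min_mem ")"; bad = 1
                } else if (pbkdf[s] !~ /^(pbkdf2|argon2id?)$/) {
                    print "slot " s ": unexpected PBKDF " pbkdf[s]; bad = 1
                }
                # XTS uses two internal keys: 256-bit AES needs a 512-bit keyslot key.
                if (cipher[s] ~ /xts/ && bits[s] + 0 < 512) {
                    print "slot " s ": " cipher[s] " with a " bits[s] "-bit key"; bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed, abbreviated LUKS2 luksDump output (not captured from a device):
# slot 0 formatted with argon2id, slot 1 added with --pbkdf pbkdf2
# --pbkdf-force-iterations 1000. Real output indents the fields with tabs.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Memory:     1048576
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000
Digests:
  0: pbkdf2
        Iterations: 100000
EOF
}

# The actions above, end to end, on a scratch image (path is this example's
# choice). Needs root and cryptsetup, so it runs only when LUKS_DEMO=1 is set.
luks_demo_workflow() {
    img=$(mktemp /tmp/luks-demo.XXXXXX) || return 1
    truncate -s 64M "$img"
    printf 'correct horse' > "$img.k0"; printf 'battery staple' > "$img.k1"
    # Spell out cipher, key size and PBKDF rather than trusting compiled-in defaults.
    cryptsetup luksFormat --type luks2 --batch-mode --cipher aes-xts-plain64 --key-size 512 \
        --pbkdf argon2id --iter-time 4000 --pbkdf-memory 1048576 --pbkdf-parallel 4 \
        --key-file "$img.k0" "$img"
    cryptsetup luksHeaderBackup --header-backup-file "$img.hdr" "$img"  # before any keyslot change
    cryptsetup open --test-passphrase --key-file "$img.k0" "$img"      # verify key, no mapping
    # Add a deliberately weak second slot, let the audit catch it, then wipe it.
    cryptsetup luksAddKey --key-file "$img.k0" --key-slot 1 \
        --pbkdf pbkdf2 --pbkdf-force-iterations 1000 "$img" "$img.k1"
    cryptsetup luksDump "$img" | luks_audit || echo "weak slot found, as expected"
    cryptsetup luksKillSlot --batch-mode --key-file "$img.k0" "$img" 1
    cryptsetup luksDump "$img" | luks_audit && echo "audit clean after luksKillSlot"
    rm -f "$img" "$img.hdr" "$img.k0" "$img.k1"
}

sample_dump | luks_audit || echo "constructed header: weak keyslot present (expected)"
if [ "${LUKS_DEMO:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then luks_demo_workflow; fi
```

Run as a normal user the script only audits the constructed dump and reports slot 1; with LUKS_DEMO=1 as root it also formats a scratch image, takes a header backup before the keyslot changes, checks the passphrase with --test-passphrase instead of opening a mapping, adds a weak slot, and shows luksKillSlot bringing the header back to a clean audit. The policy floors are deliberately conservative assumptions: the right values depend on the unlock-time budget and the memory available on the machines that will open the volume.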