From aldeid


Setup cryptographic volumes for dm-crypt (including LUKS extension).



cryptsetup [OPTION...] <action> <action-specific>


-v, --verbose
Shows more detailed error messages
Show debug messages
Show debug messages including JSON metadata
-c, --cipher=STRING
The cipher used to encrypt the disk (see /proc/crypto)
-h, --hash=STRING
The hash used to create the encryption key from the passphrase
-y, --verify-passphrase
Verifies the passphrase by asking for it twice
-d, --key-file=STRING
Read the key from a file
Read the volume (master) key from file.
Dump volume (master) key instead of keyslots info
-s, --key-size=BITS
The size of the encryption key
-l, --keyfile-size=bytes
Limits the read from keyfile
Number of bytes to skip in keyfile
Limits the read from newly added keyfile
Number of bytes to skip in newly added keyfile
-S, --key-slot=INT
Slot number for new key (default is first free)
-b, --size=SECTORS
The size of the device
Use only specified device size (ignore rest of device). DANGEROUS!
-o, --offset=SECTORS
The start offset in the backend device
-p, --skip=SECTORS
How many sectors of the encrypted data to skip at the beginning
-r, --readonly
Create a readonly mapping
-q, --batch-mode
Do not ask for confirmation
-t, --timeout=secs
Timeout for interactive passphrase prompt (in seconds)
Progress line update (in seconds)
-T, --tries=INT
How often the input of the passphrase can be retried
Align payload at <n> sector boundaries - for luksFormat
File with LUKS header and keyslots backup
Use /dev/random for generating volume key
Use /dev/urandom for generating volume key
Share device with another non-overlapping crypt segment
UUID for device to use
Allow discards (aka TRIM) requests for device
Device or file with separated LUKS header
Do not activate device, just check passphrase
Use hidden header (hidden TCRYPT device)
Device is system TCRYPT drive (with bootloader)
Use backup (secondary) TCRYPT header
Scan also for VeraCrypt compatible device
Personal Iteration Multiplier for VeraCrypt compatible device
Query Personal Iteration Multiplier for VeraCrypt compatible device
-M, --type=STRING
Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk
Disable password quality check (if enabled)
Use dm-crypt same_cpu_crypt performance compatibility option
Use dm-crypt submit_from_crypt_cpus performance compatibility option
Device removal is deferred until the last user closes it
Use global lock to serialize memory hard PBKDF (OOM workaround)
-i, --iter-time=msecs
PBKDF iteration time for LUKS (in ms)
PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2
PBKDF memory cost limit
PBKDF parallel cost
PBKDF iterations cost (forced, disables benchmark)
Keyslot priority: ignore, normal, prefer
Disable locking of on-disk metadata
Disable loading volume keys via kernel keyring
-I, --integrity=STRING
Data integrity algorithm (LUKS2 only)
Disable journal for integrity device
Do not wipe device after format
Use inefficient legacy padding (old kernels)
Do not ask for passphrase if activation by token fails
Token number (default: any)
Key description
Encryption sector size (default: 512 bytes)
Set activation flags persistent for device
Set label for the LUKS2 device
Set subsystem label for the LUKS2 device
Create unbound (no assigned data segment) LUKS2 keyslot
Read or write the json from or to a file
LUKS2 header metadata area size
LUKS2 header keyslots area size
Refresh (reactivate) device with new parameters
LUKS2 keyslot: The size of the encryption key
LUKS2 keyslot: The cipher used for keyslot encryption
Encrypt LUKS2 device (in-place encryption).
Decrypt LUKS2 device (remove encryption).
Initialize LUKS2 reencryption in metadata only.
Resume initialized LUKS2 reencryption only.
Reduce data device size (move data offset). DANGEROUS!
Maximal reencryption hotzone size.
Reencryption hotzone resilience type (checksum,journal,none)
Reencryption hotzone checksums hash
Override device autodetection of dm device to be reencrypted


<action> is one of
  • open <device> [--type <type>] [<name>] - open device as <name>
  • close <name> - close device (remove mapping)
  • resize <name> - resize active device
  • status <name> - show device status
  • benchmark [--cipher <cipher>] - benchmark cipher
  • repair <device> - try to repair on-disk metadata
  • reencrypt <device> - reencrypt LUKS2 device
  • erase <device> - erase all keyslots (remove encryption key)
  • convert <device> - convert LUKS from/to LUKS2 format
  • config <device> - set permanent configuration options for LUKS2
  • luksFormat <device> [<new key file>] - formats a LUKS device
  • luksAddKey <device> [<new key file>] - add key to LUKS device
  • luksRemoveKey <device> [<key file>] - removes supplied key or key file from LUKS device
  • luksChangeKey <device> [<key file>] - changes supplied key or key file of LUKS device
  • luksConvertKey <device> [<key file>] - converts a key to new pbkdf parameters
  • luksKillSlot <device> <key slot> - wipes key with number <key slot> from LUKS device
  • luksUUID <device> - print UUID of LUKS device
  • isLuks <device> - tests <device> for LUKS partition header
  • luksDump <device> - dump LUKS partition information
  • tcryptDump <device> - dump TCRYPT device information
  • bitlkDump <device> - dump BITLK device information
  • luksSuspend <device> - Suspend LUKS device and wipe key (all IOs are frozen)
  • luksResume <device> - Resume suspended LUKS device
  • luksHeaderBackup <device> - Backup LUKS device header and keyslots
  • luksHeaderRestore <device> - Restore LUKS device header and keyslots
  • token <add|remove|import|export> <device> - Manipulate LUKS2 tokens
<name> is the device to create under /dev/mapper
<device> is the encrypted device
<key slot> is the LUKS key slot number to modify
<key file> optional key file for the new key for luksAddKey action


Default compiled-in metadata format is LUKS2 (for luksFormat action).
Default compiled-in key and passphrase parameters
Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF for LUKS1
pbkdf2, iteration time: 2000 (ms)
Default PBKDF for LUKS2
Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4
Default compiled-in device cipher parameters
loop-AES: aes, Key 256 bits
plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
LUKS: Default keysize with XTS mode (two internal keys) will be doubled.
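As an added example (not code from this page or from the cryptsetup project), the reader below parses the on-disk LUKS2 binary header and its JSON metadata area, roughly what `isLuks` and `luksDump` inspect, and audits each keyslot's PBKDF against the compiled-in LUKS2 defaults quoted above (Argon2 with 1048576 kB memory) and the default `aes-xts-plain64` cipher. The sample header it builds is constructed for offline use, with zeroed salt and checksum and keyslot entries trimmed of the `af`/`area` fields a real header carries; it works equally on a detached header file such as the one `--header` points at.

```python
import json
import struct

LUKS2_MAGIC = (b"LUKS\xba\xbe", b"SKUL\xba\xbe")  # primary / secondary header magic
# First 264 bytes of the 4096-byte binary header (all integers big-endian):
# magic, version, hdr_size, seqid, label[48], checksum_alg[32], salt[64],
# uuid[40], subsystem[48], hdr_offset. The JSON area starts at byte 4096.
HDR = struct.Struct(">6sHQQ48s32s64s40s48sQ")
DEFAULT_ARGON2_MEMORY_KB = 1048576  # compiled-in LUKS2 default quoted on the page

def parse_luks2_header(blob: bytes) -> dict:
    """Parse the binary header and JSON area; raise ValueError if not LUKS2."""
    magic, version, hdr_size, seqid, label, csum_alg, _salt, uuid, _subsys, _off = \
        HDR.unpack_from(blob, 0)
    if magic not in LUKS2_MAGIC or version != 2:
        raise ValueError("not a LUKS2 header")
    json_area = blob[4096:hdr_size].split(b"\0", 1)[0]  # JSON is NUL-padded
    return {"label": label.rstrip(b"\0").decode(), "uuid": uuid.rstrip(b"\0").decode(),
            "checksum_alg": csum_alg.rstrip(b"\0").decode(), "seqid": seqid,
            "json": json.loads(json_area)}

def audit(meta: dict) -> list:
    """Flag keyslots and segments that fall below the defaults listed on the page."""
    findings = []
    for slot, ks in meta["json"]["keyslots"].items():
        kdf = ks.get("kdf", {})
        if kdf.get("type") == "pbkdf2":
            findings.append(f"keyslot {slot}: pbkdf2 is not memory-hard")
        elif kdf.get("memory", 0) < DEFAULT_ARGON2_MEMORY_KB:
            findings.append(f"keyslot {slot}: argon2 memory {kdf.get('memory')} kB below default")
    for seg, s in meta["json"]["segments"].items():
        if s.get("type") == "crypt" and s.get("encryption") != "aes-xts-plain64":
            findings.append(f"segment {seg}: {s.get('encryption')} is not the default cipher")
    return findings

def build_sample_header(meta_json: dict, hdr_size: int = 16384) -> bytes:
    """Constructed sample header for offline use (salt and checksum left zero)."""
    fixed = HDR.pack(LUKS2_MAGIC[0], 2, hdr_size, 1, b"audit-demo", b"sha256", b"\0" * 64,
                     b"00000000-0000-4000-8000-000000000000", b"", 0)
    return (fixed.ljust(4096, b"\0") + json.dumps(meta_json).encode()).ljust(hdr_size, b"\0")

SAMPLE_JSON = {  # constructed: one Argon2id slot and one PBKDF2 slot, trimmed of af/area
    "keyslots": {"0": {"type": "luks2", "key_size": 64,
                       "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4}},
                 "1": {"type": "luks2", "key_size": 64,
                       "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000}}},
    "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64", "sector_size": 512}},
    "tokens": {}, "digests": {}, "config": {"json_size": "12288", "keyslots_size": "16744448"},
}
```

On a real device or detached header, `audit(parse_luks2_header(open(path, "rb").read()))` lists the slots worth converting with `luksConvertKey` or `luksKillSlot`; for the sample above it reports only the PBKDF2 slot.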