cryptsetup is used to conveniently setup dm-crypt managed device-mapper mappings. For basic (plain) dm-crypt mappings, there are four operations.
remove <name>
removes an existing mapping <name>.status <name>
reports the status for the mapping <name>.resize <name>
resizes an active mapping <name>. If --size (in sectors) is not specified, the size of the underlying block device is used.
luksOpen <device> <name>
opens the LUKS partition <device> and sets up a mapping <name> after successful verification of the supplied key material (either via key file by --key-file, or via prompting). <options> can be [--key-file, --readonly].luksClose <name>
identical to remove.luksSuspend <name>
suspends active device (all IO operations are frozen) and wipes encryption key from kernel. Kernel version 2.6.19 or later is required. After that operation you have to use luksResume to reinstate encryption key (and resume device) or luksClose to remove mapped device. WARNING: never try to suspend device where is the cryptsetup binary itself.luksResume <name>
Resumes suspended device and reinstates encryption key. You will need provide passphrase identical to luksOpen command (using prompting or key file). <options> can be [--key-file]luksAddKey <device> [<new key file>]
add a new key file/passphrase. An existing passphrase or key file (via --key-file) must be supplied. The key file with the new material is supplied as a positional argument. <options> can be [--key-file, --key-slot].luksRemoveKey <device> [<key file>]
remove supplied key or key file from LUKS deviceluksKillSlot <device> <key slot number>
wipe key with number <key slot> from LUKS device. A remaining passphrase or key file (via --key-file) must be supplied. <options> can be [--key-file].luksDelKey <device> <key slot number>
identical to luksKillSlot, but deprecated action name.luksUUID <device>
print UUID, if <device> has a LUKS header.isLuks <device>
returns true, if <device> is a LUKS partition. Otherwise, false.luksDump <device>
dumps the header information of a LUKS partition.luksHeaderBackup <device> --header-backup-file <file>
Stores binary backup of LUKS header and keyslot areas. WARNING: Please note that with this backup file (and old passphrase knowledge) you can decrypt data even if old passphrase was wiped from real device. Also note that anti-forensic splitter is not used during manipulation with backup file.luksHeaderRestore <device> --header-backup-file <file>
Restores binary backup of LUKS header and keyslot areas from specified file. WARNING: All the keyslot areas are overwritten, only active keyslots form backup file are available after issuing this command. This command allows restoring header if device do not contain LUKS header or if the master key size and data offset in LUKS header on device match the backup file.For more information about LUKS, see http://code.google.com/p/cryptsetup/wiki/Specification
"--verbose, -v" Print more verbose messages.
"--debug" Run in debug mode with full diagnostic logs.
"--hash, -h" For create action specifies hash to use for password hashing. For luksFormat action specifies hash used in LUKS key setup scheme and volume key digest. WARNING: setting hash other than sha1 causes LUKS device incompatible with older version of cryptsetup. The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported. Default is set during compilation, compatible values with old version of cryptsetup are "ripemd160" for create action and "sha1" for luksFormat. Use cryptsetup --help to show defaults.
"--cipher, -c" set cipher specification string. Default mode is configurable during compilation, you can see compiled-in default using cryptsetup --help. If not changed, the default is for plain dm-crypt and LUKS mappings "aes-cbc-essiv:sha256". For pre-2.6.10 kernels, use "aes-plain" as they don't understand the new cipher spec strings. To use ESSIV, use "aes-cbc-essiv:sha256". For XTS mode, kernel version 2.6.24 or more recent is required. Use "aes-xts-plain" cipher specification and set key size to 256 (or 512) bits (see -s option).
"--verify-passphrase, -y" query for passwords twice. Useful when creating a (regular) mapping for the first time, or when running luksFormat.
"--key-file, -d" use file as key material. With LUKS, key material supplied in key files via -d are always used for existing passphrases, except in luksFormat action where -d is equivalent to positional key file argument. If you want to set a new key via a key file, you have to use a positional arg to luksAddKey. If the key file is "-", stdin will be used. With the "-" key file reading will not stop when new line character is detected. See section NOTES ON PASSWORD PROCESSING for more information.
"--master-key-file" Use pre-generated master key stored in file. For luksFormat it allows LUKS header reformatting with the same master key (if all other parameters are the same existing encrypted data remains intact). For luksAddKey it allows adding new passphrase with only master key knowledge.
"--key-slot, -S" For LUKS operations that add key material, this options allows to you specify which key slot is selected for the new key. This option can be used for luksFormat and luksAddKey.
"--key-size, -s" set key size in bits. Has to be a multiple of 8 bits. The key size is limited by the used cipher. See output of /proc/crypto for more information. Can be used for create or luksFormat, all other LUKS actions will use key-size specified by the LUKS header. Default is set during compilation, if not changed it is 256 bits. Use cryptsetup --help to show defaults. For luksOpen this option specifies number of bits read from the key-file (default is exhaustive read from key-file).
"--size, -b" force the size of the underlying device in sectors. This option is only relevant for create and resize action.
"--offset, -o" start offset in the backend device. This option is only relevant for create action.
"--skip, -p" how many sectors of the encrypted data to skip at the beginning. This is different from the --offset options with respect to IV calculations. Using --offset will shift the IV calculation by the same negative amount. Hence, if --offset n, sector n will be the first sector on the mapping with IV 0. Using --skip would have resulted in sector n being the first sector also, but with IV n. This option is only relevant for create action.
"--readonly" set up a read-only mapping.
"--iter-time, -i" The number of milliseconds to spend with PBKDF2 password processing. This option is only relevant to the LUKS operations as luksFormat or luksAddKey.
"--batch-mode, -q" Do not ask for confirmation. Use with care! This option is only relevant for luksFormat, luksAddKey, luksRemoveKey or luksKillSlot.
"--timeout, -t" The number of seconds to wait before timeout. This option is relevant every time a password is asked, like create, luksOpen, luksFormat or luksAddKey. It has no effect if used in conjunction with --key-file.
"--tries, -T" How often the input of the passphrase shall be retried. This option is relevant every time a password is asked, like create, luksOpen, luksFormat or luksAddKey. The default is 3 tries.
"--align-payload=value" Align payload at a boundary of value 512-byte sectors. This option is relevant for luksFormat. If your block device lives on a RAID, it is useful to align the filesystem at full stripe boundaries so it can take advantage of the RAID's geometry. See for instance the sunit and swidth options in the mkfs.xfs manual page. By default, the payload is aligned at an 8 sector (4096 byte) boundary.
"--version" Show the version.
LUKS extensions, and man page by Clemens Fruhwirth <clemens@endorphin.org>
reload <name> <device>
modifies an active mapping <name>. Same options as for create. WARNING: Do not use this for LUKS devices, as the semantics are identical to the create action, which are totally incompatible with the LUKS key setup. This action is deprected because it proved to be rarely useful. It is uncommon to change the underlying device, key, or offset on the fly. In case, you really want to do this, you certainly know what you are doing and then you are probably better off with the swiss knive tool for device mapper, namely dmsetup. It provides you with the same functionality, see dmsetup reload.luksDelKey <device> <key slot number>
identical to luksKillSlot, but deprecated action name. This option was renamed, as we introduced luksRemoveKey, a softer method for disabling password slots. To make a clear distinction that luksDelKey was more brutal than luksRemoveKey--non-exclusive
This option is ignored. Non-exclusive access to the same block device can cause data corruption thus this mode is no longer supported by cryptsetup.Copyright \(co 2004-2006 Clemens Fruhwirth
Copyright \(co 2009-2010 Red Hat, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.