pmt-ehd(8)                         pam_mount                        pmt-ehd(8)

Name

       pmt-ehd - create an encrypted disk image

Syntax

       pmt-ehd [-DFx] [-c fscipher] [-h hash] [-k fscipher_keybits] [-t fstype]
       [-H header_path] -f container_path -s size_in_mb

Options

       Mandatory options that are absent are asked for interactively, and
       pmt-ehd will exit if stdin is not a terminal.

       -D     Turn on debugging strings.

       -F     Force operation that would otherwise ask for interactive
              confirmation. Multiple -F can be specified to apply more force.

       -c cipher
              The cipher to be used for the filesystem. This can take any
              value that cryptsetup(8) recognizes, usually in the form of
              "cipher-mode[-extras]". Recommended are aes-cbc-essiv:sha256
              (this is the default) or aes-xts-essiv:sha256.

       -f path
              Store the new disk image at path. If the file already exists,
              pmt-ehd will prompt before overwriting unless -F is given. If
              path refers to a symlink, pmt-ehd will act even more
              cautiously.

       -H path
              Store a detached (separate) metadata file with a new LUKS header
              at path. If the file already exists, pmt-ehd will prompt before
              overwriting unless -F is given. If path refers to a symlink,
              pmt-ehd will act even more cautiously. The default is to not
              use a detached header. Corresponds to the `cryptsetup --header`
              option.

       -h hash
              Message digest/hash used for key derivation in the PBKDF2 stage.
              The default is sha512.

       -i cipher
              (This option was removed in pam_mount/pmt_ehd 2.11.)

       -k keybits
              The key size for the cipher specified with -c. Some ciphers
              support multiple key sizes; AES, for example, is available with
              at least the key sizes 192 and 256. Defaults to 256 (to match
              aes-cbc-essiv). Note that XTS uses two keys, but drawn from the
              same key material, so aes-cbc-256 is equivalent to aes-xts-512,
              and aes-cbc-128 is equivalent to aes-xts-256.

       -p path
              (This option was removed in pam_mount/pmt_ehd 2.11.)

       -s size
              The initial size of the encrypted filesystem, in megabytes. This
              option is ignored when the filesystem is created on a block
              device.

       -t fstype
              Filesystem to use for the encrypted filesystem. Defaults to xfs.

       -u user
              Give the container and fskey files to user (because the program
              usually runs as root, and the files would otherwise retain
              root ownership).

       -x     Do not initialize the container with random bytes. This may
              impact secrecy.

Description

       pmt-ehd can be used to create a new encrypted container, and replaces
       the previous mkehd script as well as any HOWTOs that explain how to do
       it manually. Without any arguments, pmt-ehd will interactively ask for
       all missing parameters. To create a container with a size of 256 MB,
       use:

       pmt-ehd -f /home/user.cont -s 256
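
       A wrapper for the -f and -k behaviour described above, as an added
       example that is not part of pam_mount: it refuses a symlinked or
       existing container path and doubles the key size for XTS ciphers
       before calling pmt-ehd. The function names and the PMT_EHD override
       variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of pam_mount. Function names and the PMT_EHD
# variable are hypothetical; the flags -c -k -h -f -s are from the page.

# ehd_keybits CIPHER AES_BITS
# Print the -k value that yields an AES key of AES_BITS for CIPHER.
# XTS uses two keys drawn from the same key material, so the page's
# equivalence applies: aes-cbc-256 ~ aes-xts-512, aes-cbc-128 ~ aes-xts-256.
ehd_keybits() {
    case "$2" in
        128|256) ;;
        *) echo "unsupported AES key size: $2" >&2; return 1 ;;
    esac
    case "$1" in
        *-xts-*) echo $(( $2 * 2 )) ;;
        *)       echo "$2" ;;
    esac
}

# ehd_create CONTAINER SIZE_MB CIPHER AES_BITS
# Check the container path up front, then run pmt-ehd with explicit
# cipher, key size and hash instead of relying on defaults.
ehd_create() {
    container=$1; size_mb=$2; cipher=$3; aes_bits=$4
    if [ -L "$container" ]; then
        echo "refusing: $container is a symlink" >&2; return 2
    fi
    if [ -e "$container" ]; then
        echo "refusing: $container already exists" >&2; return 3
    fi
    case "$size_mb" in
        ''|*[!0-9]*) echo "size must be whole megabytes" >&2; return 4 ;;
    esac
    keybits=$(ehd_keybits "$cipher" "$aes_bits") || return 1
    "${PMT_EHD:-pmt-ehd}" -c "$cipher" -k "$keybits" -h sha512 \
        -f "$container" -s "$size_mb"
}

# Example call (commented out so that sourcing this file has no side effects):
# ehd_create /home/user.cont 256 aes-xts-essiv:sha256 256
```

       Passing -k 256 together with an XTS cipher would give the strength
       of aes-cbc-128, which is the case the helper guards against.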

pam_mount                         2011-Aug-05                       pmt-ehd(8)