1CRYPTSETUP-LUKSDUMP(8) Maintenance Commands CRYPTSETUP-LUKSDUMP(8)
2
6 cryptsetup-luksDump - dump the header information of a LUKS device
7
9 cryptsetup luksDump [<options>] <device>
10
12 Dump the header information of a LUKS device.
13 If the --dump-volume-key option is used, the LUKS device volume key is
15 dumped instead of the keyslot info. Together with the --volume-key-file
16 option, volume key is dumped to a file instead of standard output.
17 Beware that the volume key cannot be changed without reencryption and
18 can be used to decrypt the data stored in the LUKS container without a
19 passphrase and even without the LUKS header. This means that if the
20 volume key is compromised, the whole device has to be erased or
21 reencrypted to prevent further access. Use this option carefully.
22 To dump the volume key, a passphrase has to be supplied, either
24 interactively or via --key-file.
25 To dump unbound key (LUKS2 format only), --unbound parameter, specific
27 --key-slot id and proper passphrase has to be supplied, either
28 interactively or via --key-file. Optional --volume-key-file parameter
29 enables unbound keyslot dump to a file.
30 To dump LUKS2 JSON metadata (without basic header information like
32 UUID) use --dump-json-metadata option.
33 <options> can be [--dump-volume-key, --dump-json-metadata, --key-file,
35 --keyfile-offset, --keyfile-size, --header, --disable-locks,
36 --volume-key-file, --type, --unbound, --key-slot, --timeout].
37 WARNING: If --dump-volume-key is used with --key-file and the argument
39 to --key-file is '-', no validation question will be asked and no
40 warning given.
41
43 --type <device-type>
44 Specifies required device type, for more info read BASIC ACTIONS
45 section in cryptsetup(8).
46 --key-file, -d name
48 Read the passphrase from file.
49 If the name given is "-", then the passphrase will be read from
51 stdin. In this case, reading will not stop at newline characters.
52 See section NOTES ON PASSPHRASE PROCESSING in cryptsetup(8) for
54 more information.
55 --keyfile-offset value
57 Skip value bytes at the beginning of the key file.
58 --keyfile-size, -l value
60 Read a maximum of value bytes from the key file. The default is to
61 read the whole file up to the compiled-in maximum that can be
62 queried with --help. Supplying more data than the compiled-in
63 maximum aborts the operation.
64 This option is useful to cut trailing newlines, for example. If
66 --keyfile-offset is also given, the size count starts after the
67 offset.
68 --volume-key-file, --master-key-file (OBSOLETE alias)
70 Use a volume key stored in a file. The volume key is stored in a
71 file instead of being printed out to standard output.
72 --dump-json-metadata
74 For luksDump (LUKS2 only) this option prints content of LUKS2
75 header JSON metadata area.
76 --dump-volume-key, --dump-master-key (OBSOLETE alias)
78 Print the volume key in the displayed information. Use with care,
79 as the volume key can be used to bypass the passphrases, see also
80 option --volume-key-file.
81 --key-slot, -S <0-N>
83 For LUKS operations that add key material, this option allows you
84 to specify which key slot is selected for the new key.
85 The maximum number of key slots depends on the LUKS version. LUKS1
87 can have up to 8 key slots. LUKS2 can have up to 32 key slots based
88 on key slot area size and key size, but a valid key slot ID can
89 always be between 0 and 31 for LUKS2.
90 --timeout, -t <number of seconds>
92 The number of seconds to wait before timeout on passphrase input
93 via terminal. It is relevant every time a passphrase is asked. It
94 has no effect if used in conjunction with --key-file.
95 This option is useful when the system should not stall if the user
97 does not input a passphrase, e.g. during boot. The default is a
98 value of 0 seconds, which means to wait forever.
99 --header <device or file storing the LUKS header>
101 Use a detached (separated) metadata device or file where the LUKS
102 header is stored. This option allows one to store ciphertext and
103 LUKS header on different devices.
104 For commands that change the LUKS header (e.g. luksAddKey), specify
106 the device or file with the LUKS header directly as the LUKS
107 device.
108 --disable-locks
110 Disable lock protection for metadata on disk. This option is valid
111 only for LUKS2 and ignored for other formats.
112 WARNING: Do not use this option unless you run cryptsetup in a
114 restricted environment where locking is impossible to perform
115 (where /run directory cannot be used).
116 --unbound
118 Dumps existing LUKS2 unbound keyslot.
119 --batch-mode, -q
121 Suppresses all confirmation questions. Use with care!
122 If the --verify-passphrase option is not specified, this option
124 also switches off the passphrase verification.
125 --debug or --debug-json
127 Run in debug mode with full diagnostic logs. Debug output lines are
128 always prefixed by #.
129 If --debug-json is used, additional LUKS2 JSON data structures are
131 printed.
132 --version, -V
134 Show the program version.
135 --usage
137 Show short option help.
138 --help, -?
140 Show help text and default parameters.
141
143 Report bugs at cryptsetup mailing list <cryptsetup@lists.linux.dev> or
144 in Issues project section
145 <https://gitlab.com/cryptsetup/cryptsetup/-/issues/new>.
146 Please attach output of the failed command with --debug option added.
148
150 Cryptsetup FAQ
151 <https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions>
152 cryptsetup(8), integritysetup(8) and veritysetup(8)
154
156 Part of cryptsetup project <https://gitlab.com/cryptsetup/cryptsetup/>.
157cryptsetup 2.6.1 2023-07-19 CRYPTSETUP-LUKSDUMP(8)