CRYPTSETUP(8)                Maintenance Commands               CRYPTSETUP(8)



NAME

       cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS
       extension)


SYNOPSIS

       cryptsetup <options> <action> <action args>



DESCRIPTION

       cryptsetup is used to conveniently set up dm-crypt managed device-mapper
       mappings. For basic dm-crypt mappings, there are five operations.


ACTIONS

       These strings are valid for <action>, followed by their <action args>:

       create <name> <device>

              creates a mapping with <name> backed by device <device>.
              <options> can be [--hash, --cipher, --verify-passphrase,
              --key-file, --key-size, --offset, --skip, --readonly]

       remove <name>

              removes an existing mapping <name>. No options.

       status <name>

              reports the status for the mapping <name>. No options.

       reload <name>

              modifies an active mapping <name>. Same options as for create.

       resize <name>

              resizes an active mapping <name>. <options> must include --size


LUKS EXTENSION

       LUKS, Linux Unified Key Setup, is a standard for hard disk encryption.
       It standardizes a partition header, as well as the format of the bulk
       data. LUKS can manage multiple passwords that can be revoked
       effectively and that are protected against dictionary attacks with
       PBKDF2.

       These are valid LUKS actions:

       luksFormat <device> [<key file>]

              initializes a LUKS partition and sets the initial key, either
              via prompting or via <key file>. <options> can be [--cipher,
              --verify-passphrase, --key-size]

       luksOpen <device> <name>

              opens the LUKS partition <device> and sets up a mapping <name>
              after successful verification of the supplied key material
              (either via key file by --key-file, or via prompting).
              <options> can be [--key-file, --readonly].

       luksClose <name>

              identical to remove.

       luksAddKey <device> [<new key file>]

              adds a new key file/passphrase. An existing passphrase or key
              file (via --key-file) must be supplied. The key file with the
              new material is supplied after luksAddKey as a positional
              argument. <options> can be [--key-file].

       luksDelKey <device> <key slot number>

              removes the key from the given key slot. A remaining passphrase
              or key file (via --key-file) must be supplied. <options> can be
              [--key-file].

       luksUUID <device>

              prints the UUID, if <device> has a LUKS header. No options.

       isLuks <device>

              returns true if <device> is a LUKS partition, otherwise false.
              No options.

       luksDump <device>

              dumps the header information of a LUKS partition. No options.

       For more information about LUKS, see http://luks.endorphin.org


OPTIONS

       --hash, -h
              specifies the hash to use for password hashing. This option is
              only relevant for the "create" action. The hash string is passed
              to libgcrypt, so all hashes accepted by gcrypt are supported.
              Default is "ripemd160".

       --cipher, -c
              sets the cipher specification string. Usually, this is
              "aes-cbc-plain". For pre-2.6.10 kernels, use "aes-plain" as they
              don't understand the new cipher spec strings. To use ESSIV, use
              "aes-cbc-essiv:sha256".

       --verify-passphrase, -y
              queries for the password twice. Useful when creating a (regular)
              mapping for the first time, or when running luksFormat.

       --key-file, -d
              uses the file as key material. With LUKS, key material supplied
              in key files via -d is always used for existing passphrases. If
              you want to set a new key via a key file, you have to use a
              positional argument to luksFormat or luksAddKey. If the key file
              is "-", stdin will be used.

       --key-size, -s
              sets the key size in bits. Has to be a multiple of 8 bits. The
              key size is limited by the cipher used. See the output of
              /proc/crypto for more information. Can be used for create or
              luksFormat; all other LUKS actions will ignore this flag, as the
              key size is specified by the partition header. Default is 128.

       --size, -b
              forces the size of the underlying device in sectors.

       --offset, -o
              start offset in the backend device.

       --skip, -p
              how many sectors of the encrypted data to skip at the beginning.
              This is different from the --offset option with respect to IV
              calculation. Using --offset will shift the IV calculation by the
              same negative amount. Hence, with --offset n, sector n will be
              the first sector on the mapping, with IV 0. Using --skip n would
              have resulted in sector n being the first sector also, but with
              IV n.

       --readonly
              sets up a read-only mapping.

       --iter-time, -i
              The number of microseconds to spend on PBKDF2 password
              processing. This option is only relevant to LUKS key-setting
              operations such as luksFormat or luksAddKey.

       --batch-mode, -q
              Do not ask for confirmation. This option is only relevant for
              luksFormat.

       --timeout, -t
              The number of seconds to wait before timing out. This option is
              relevant every time a password is asked for, as in create,
              luksOpen, luksFormat or luksAddKey.

       --tries, -T
              How often the input of the passphrase shall be retried. This
              option is relevant every time a password is asked for, as in
              create, luksOpen, luksFormat or luksAddKey. The default is 3
              tries.

       --align-payload=value
              Align the payload at a boundary of value 512-byte sectors. This
              option is relevant for luksFormat. If your block device lives
              on a RAID it is useful to align the filesystem at full stripe
              boundaries so it can take advantage of the RAID's geometry. See
              for instance the sunit and swidth options in the mkfs.xfs manual
              page. By default the payload is aligned at an 8 sector (4096
              byte) boundary.

       --version
              Show the version.



NOTES ON PASSWORD PROCESSING FOR REGULAR MAPPINGS

       From a file descriptor or a terminal: Password processing is newline
       sensitive, meaning the reading will stop after encountering \n. It will
       process the read material with the default hash or the hash given by
       --hash. After hashing it will be cropped to the key size given by -s
       (default 256 bits).

       From stdin: Reading will continue until EOF (so using e.g. /dev/random
       as stdin will not work). After that the read data will be hashed with
       the default hash or the hash given by --hash and the result will be
       cropped to the key size given by -s (default 256 bits). If "plain" is
       used as an argument to the hash option, the input data will not be
       hashed. Instead it will be zero padded (if shorter than the key size)
       or truncated (if longer than the key size) and used directly as the
       key. No warning will be given if the amount of data read from stdin is
       less than the key size.

       From a key file: It will be cropped to the size given by -s. If there
       is insufficient key material in the key file, cryptsetup will quit
       with an error.


NOTES ON PASSWORD PROCESSING FOR LUKS

       Password processing is totally different for LUKS. LUKS uses PBKDF2 to
       protect against dictionary attacks (see RFC 2898). LUKS will always
       use SHA1 in HMAC mode, and no other mode is supported at the moment.
       Hence, -h is ignored.

       LUKS will always do an exhaustive password reading. Hence, a password
       cannot be read from /dev/random, /dev/zero or any other stream that
       does not terminate.

       LUKS saves the processing options when a password is set to the
       respective key slot. Therefore, no options can be given to luksOpen.
       For any password creation action (luksAddKey or luksFormat), the user
       specifies how much time the password processing should consume.
       Increasing the time will lead to a more secure password, but will also
       make luksOpen take longer to complete. The default setting of one
       second is sufficient for good security.

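The two processing paths described in the notes above, as an added illustration that is not cryptsetup's own code: the regular-mapping path (read up to a newline, hash with the chosen digest or pass the input through unhashed for "plain", crop to the -s key size; a key file is cropped or rejected) and the LUKS path (PBKDF2 with HMAC-SHA1, iteration count fixed at key-setting time). Function names are my own; whether "ripemd160" is available depends on the local OpenSSL build, and key sizes larger than one digest are refused rather than modelled, since the page only describes the cropping case.

```python
import hashlib


def passphrase_from_terminal(raw: bytes) -> bytes:
    """Terminal/fd reading is newline sensitive: stop at the first newline."""
    return raw.split(b"\n", 1)[0]


def derive_plain_key(passphrase: bytes, hash_name: str = "ripemd160",
                     key_bits: int = 256) -> bytes:
    """Regular (non-LUKS) mapping: hash the passphrase, crop to -s bits.

    hash_name "plain" skips hashing: the input is zero padded or truncated to
    the key size and used directly, with no warning when it is too short.
    """
    if key_bits % 8:
        raise ValueError("--key-size must be a multiple of 8 bits")
    key_bytes = key_bits // 8
    if hash_name == "plain":
        return passphrase[:key_bytes].ljust(key_bytes, b"\x00")
    digest = hashlib.new(hash_name, passphrase).digest()
    if len(digest) < key_bytes:
        # Assumption: only the "crop to key size" case is modelled here.
        raise ValueError("key size exceeds one digest; not modelled here")
    return digest[:key_bytes]


def key_from_keyfile(data: bytes, key_bits: int = 256) -> bytes:
    """Key file path: crop to -s bits; too little material is an error."""
    key_bytes = key_bits // 8
    if len(data) < key_bytes:
        raise ValueError("insufficient key material in key file")
    return data[:key_bytes]


def luks_slot_key(passphrase: bytes, salt: bytes, iterations: int,
                  key_bits: int = 256) -> bytes:
    """LUKS path: PBKDF2 (RFC 2898) with HMAC-SHA1; -h plays no role.

    The iteration count is what --iter-time tunes at luksFormat/luksAddKey
    time; it is stored with the key slot, so luksOpen takes no such option.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase, salt, iterations,
                               key_bits // 8)
```

Note how the "plain" hash silently pads a short input, whereas the key-file path refuses it; the PBKDF2 vector used below is the RFC 6070 test case.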

NOTES ON PASSWORDS

       Mathematics can't be bribed. Make sure you keep your passwords safe.
       There are a few nice tricks for constructing a fallback, for when
       suddenly, out of the blue (or after being blue), your brain refuses to
       cooperate. These fallbacks are possible with LUKS, as it's only
       possible with LUKS to have multiple passwords.


AUTHORS

       cryptsetup is written by Christophe Saout <christophe@saout.de>
       LUKS extensions, and man page by Clemens Fruhwirth
       <clemens@endorphin.org>


COMPATIBILITY WITH OLD SUSE TWOFISH PARTITIONS

       To read images created with SuSE Linux 9.2's loop_fish2 use --cipher
       twofish-cbc-null -s 256 -h sha512; for images created with even older
       SuSE Linux use --cipher twofish-cbc-null -s 192 -h ripemd160:20


REPORTING BUGS

       Report bugs to <dm-crypt@saout.de>.

       Copyright © 2004 Christophe Saout
       Copyright © 2004-2006 Clemens Fruhwirth

       This is free software; see the source for copying conditions. There is
       NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.


SEE ALSO

       dm-crypt website, http://www.saout.de/misc/dm-crypt/

       LUKS website, http://luks.endorphin.org

       dm-crypt TWiki, http://www.saout.de/tikiwiki/tiki-index.php



cryptsetup 1.0.3                  March 2005                     CRYPTSETUP(8)