Man Cryptsetup

Man Cryptsetup. AUTHORS cryptsetup originally written by Jana Saout The LUKS extensions and original man page were written by Clemens Fruh wirth Man page extensions by Milan Broz .

DescriptionActionsLuks ExtensionOptionsNotes on Password ProcessingNotes on Password Processing For LuksIncoherent Behaviour For Invalid Passwords/KeysNotes on RNGDeprecated ActionsCopyrightcryptsetup is used to conveniently setup dmcrypt managed devicemapper mappings For basic (plain) dmcrypt mappings there are four operations create creates a mapping with backed by device 1 can be [hash cipher verifypassphrase keyfile keysize offset skip readonly] remove removes an existing mapping status reports the status for the mapping resize resizes an active mapping 1 If size (in sectors) is not specified the size of the underlying block device is used LUKS Linux Unified Key Setup is a standard for hard disk encryption It standardizes a partition header as well as the format of the bulk data LUKS canmanage multiple passwords that can be revoked effectively and that are protected against dictionary attacks with PBKDF2 These are valid LUKS actions luksFormat [ ] initializes a LUKS partition and sets the initial key either via prompting or via 1 can be [cipher verifypassphrase keysize keyslot keyfile (takes precedence over optional second argument)keyfilesize userandom | useurandom uuid] luksOpen opens the LUKS partition and sets up a mapping after successful verification of the supplied key material (either via key fileby keyfile or via prompting) 1 can be [keyfile keyfilesize readonly] luksClose identical to remove luksSuspend suspends active device (all IO operations are frozen) and verbose v 1 Print more verbose messages debug 1 Run in debug mode with full diagnostic logs hash h 1 For create action specifies hash to use for password hashingFor luksFormat action specifies hash used in LUKS key setup scheme and volume key digestWARNING setting hash other than sha1 causes LUKS device incompatible with older version of cryptsetupThe hash string is passed to libgcrypt so all hash algorithms are supported (for luksFormat algorithm must provide at least 20 byte long hash)Default is set during compilation compatible values with old version of cryptsetup are “ripemd16 From stdin Reading will continue until EOF (so using eg /dev/random as stdin will not work) with the trailing newline stripped After that theread data will be hashed with the default hash or the hash given by hash and the result will be cropped to the keysize given by s If “plain” is used as anargument to the hash option the input data will not be hashed Instead it will be zero padded (if shorter than the keysize) or truncated (if longer than thekeysize) and used directly as the key No warning will be given if the amount of data read from stdin is less than the keysize From a key file It will be cropped to the size given by s If there is insufficient key material in the key file cryptsetup will quit with anerror If keyfile= is used for reading the key from stdin no trailing newline is stripped from the input Without that option cryptsetup strips trailingnewlines from stdin input LUKS will always do an exhaustive password reading Hence password can not be read from /dev/random /dev/zero or any other stream that does not terminate For any password creation action (luksAddKey or luksFormat) the user may specify how much the time the password processing should consume Increasing thetime will lead to a more secure password but also will take luksOpen longer to complete The default setting of one second is sufficient for good security Please also be sure that you are using the same keyboard and language setting as during device format There are two types of randomness cryptsetup/LUKS needs One type (which always uses /dev/urandom) is used for salt AF splitter and for wiping removedkeyslot Second type is used for volume (master) key You can switch between using /dev/random and /dev/urandom here see userandom and useurandom optionsUsing /dev/random on system without enough entropy sources can cause luksFormat to block until the requested amount of random data is gathered Seeurandom(4)for more information The reload action is no longer supported Please use dmsetup(8)if you need to directly manipulate with the device mapping table The luksDelKey was replaced with luksKillSlot This is free software see the source for copying conditions There is NO warranty not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

cryptsetup(8) Linux manual page

Cryptsetup is usually used directly on a block device (disk partition or LVM volume) However if the device argument is a file cryptsetup tries to allocate a loopback device and map it into this file.

cryptsetup Linux Man Pages Online

cryptsetup is used to conveniently setup dmcrypt managed devicemapper mappings These include plain dmcrypt volumes and LUKS volumes The difference is that LUKS uses a metadata header and can hence offer more features than plain dmcrypt On the other hand the header is visible and vulnerable to damage.

cryptsetup (8) Linux Man Pages SysTutorials

cryptsetup (8) [centos man page] cryptsetup is used to conveniently setup dmcrypt managed devicemapper mappings These include plain dmcrypt volumes and LUKS volumes The difference is that LUKS uses a metadata header and can hence offer more features than plain dmcrypt On the other hand the header is visible and vulnerable to damage.