1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
|
.TH CRYPTSETUP "8" "March 2005" "cryptsetup 1.0.3" "Maintainance Commands"
.SH NAME
cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension)
.SH SYNOPSIS
.B cryptsetup <options> <action> <action args>
.SH DESCRIPTION
.\" Add any additional description here
.PP
cryptsetup is used to conveniently setup up dm-crypt managed device-mapper mappings. For basic dm-crypt mappings, there are five operations.
.SH ACTIONS
These strings are valid for \fB<action>\fR, followed by their \fB<action args>\fR:
\fIcreate\fR <name> <device>
.IP
creates a mapping with <name> backed by device <device>.
<options> can be [\-\-hash, \-\-cipher, \-\-verify-passphrase, \-\-key-file, \-\-key-size, \-\-offset, \-\-skip, \-\-readonly]
.PP
\fIremove\fR <name>
.IP
removes an existing mapping <name>. No options.
.PP
\fIstatus\fR <name>
.IP
reports the status for the mapping <name>. No options.
.PP
\fIreload\fR <name>
.IP
modifies an active mapping <name>. Same options as for create.
.PP
\fIresize\fR <name>
.IP
resizes an active mapping <name>. <options> must include \-\-size
.PP
.br
.SH LUKS EXTENSION
LUKS, Linux Unified Key Setup, is a standard for hard disk encryption. It standardizes a partition header, as well as the format of the bulk data. LUKS can manage multiple passwords, that can be revoked effectively and that are protected against dictionary attacks with PBKDF2.
These are valid LUKS actions:
\fIluksFormat\fR <device> [<key file>]
.IP
initializes a LUKS partition and set the initial key, either via prompting or via <key file>.
<options> can be [\-\-cipher, \-\-verify-passphrase, \-\-key-size]
.PP
\fIluksOpen\fR <device> <name>
.IP
opens the LUKS partition <device> and sets up a mapping <name> after successful verification of the supplied key material (either via key file by \-\-key-file, or via prompting).
<options> can be [\-\-key-file, \-\-readonly].
.PP
\fIluksClose\fR <name>
.IP
identical to \fIremove\fR.
.PP
\fIluksAddKey\fR <device> [<new key file>]
.IP
add a new key file/passphrase. An existing passphrase or key file (via \-\-key-file) must be supplied. The key file with the new material is supplied as after \fIluksAddKey\fR as positional argument. <options> can be [\-\-key-file].
.PP
\fIluksDelKey\fR <device> <key slot number>
.IP
remove key from key slot. A remaining passphrase or key file (via \-\-key-file) must be supplied. <options> can be [\-\-key-file].
.PP
\fIluksUUID\fR <device>
.IP
print UUID, if <device> has a LUKS header. No options.
.PP
\fIisLuks\fR <device>
.IP
returns true, if <device> is a LUKS partition. Otherwise, false. No options.
.PP
\fIluksDump\fR <device>
.IP
dumps the header information of a LUKS partition. No options.
.PP
For more information about LUKS, see \fBhttp://luks.endorphin.org\fR
.SH OPTIONS
.TP
.B "\-\-hash, \-h"
specifies hash to use for password hashing. This option is only relevant for the "create" action. The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported. Default is "ripemd160".
.TP
.B "\-\-cipher, \-c"
set cipher specification string. Usually, this is "aes-cbc-plain". For pre-2.6.10 kernels, use "aes-plain" as they don't understand the new cipher spec strings. To use ESSIV, use "aes-cbc-essiv:sha256".
.TP
.B "\-\-verify-passphrase, \-y"
query for passwords twice. Useful, when creating a (regular) mapping for the first time, or when running \fIluksFormat\fR.
.TP
.B "\-\-key-file, \-d"
use file as key material. With LUKS, key material supplied in key files via \-d are always used for existing passphrases. If you want to set a new key via a key file, you have to use a positional arg to \fIluksFormat\fR or \fIluksAddKey\fR. If the key file is "-", stdin will be used.
.TP
.B "\-\-key-size, \-s"
set key size in bits. Has to be a multiple of 8 bits. The key size is limited by the used cipher. See output of /proc/crypto for more information. Can be used for \fIcreate\fR or \fIluksFormat\fR, all other LUKS actions will ignore this flag, as the key-size is specified by the partition header. Default is 128.
.TP
.B "\-\-size, \-b"
force the size of the underlaying device in sectors.
.TP
.B "\-\-offset, \-o"
start offset in the backend device.
.TP
.B "\-\-skip, \-p"
how many sectors of the encrypted data to skip at the beginning. This is different from the \-\-offset options with respect to IV calculations. Using \-\-offset will shift the IV calculcation by the same negative amount. Hence, if \-\-offset \fIn\fR, sector \fIn\fR will be the first sector on the mapping with IV \fI0\fR. Using \-\-skip would have resulted in sector \fIn\fR being the first sector also, but with IV \fIn\fR.
.TP
.B "\-\-readonly"
setup a read-only mapping.
.TP
.B "\-\-iter-time, \-i"
The number of microseconds to spend with PBKDF2 password processing. This options is only relevant to LUKS key setting operations as \fIluksFormat\fR or \fIluksAddKey\fR.
.TP
.B "\-\-batch-mode, \-q"
Do not ask for confirmation. This option is only relevant for \fIluksFormat\fR.
.TP
.B "\-\-timeout, \-t"
The number of seconds to wait before timeout. This option is relevant evertime a password is asked, like \fIcreate\fR, \fIluksOpen\fR, \fIluksFormat\fR or \fIluksAddKey\fR.
.TP
.B "\-\-tries, \-T"
How often the input of the passphrase shall be retried. This option is relevant evertime a password is asked, like \fIcreate\fR, \fIluksOpen\fR, \fIluksFormat\fR or \fIluksAddKey\fR. The default is 3 tries.
.TP
.B "\-\-align-payload=\fIvalue\fR"
Align payload at a boundary of \fIvalue\fR 512-byte sectors. This option is relevant for \fIluksFormat\fR. If your block device lives on a RAID it is
useful to align the filesystem at full stripe boundaries so it can take advantage of the RAID's geometry. See for instance the sunit and swidth options
in the mkfs.xfs manual page. By default the payload is aligned at an 8 sector (4096 byte) boundary.
.TP
.B "\-\-version"
Show the version.
.SH NOTES ON PASSWORD PROCESSING FOR REGULAR MAPPINGS
\fIFrom a file descriptor or a terminal\fR: Password processing is new-line sensitive, meaning the reading will stop after encountering \\n. It will processed the read material with the default hash or the hash given by \-\-hash. After hashing it will be cropped to the key size given by \-s (default 256 bits).
\fIFrom stdin\fR: Reading will continue until EOF (so using e.g. /dev/random as stdin will not work). After that the read data will be hashed with the default hash or the hash given by \-\-hash and the result will be cropped to the keysize given by \-s (default 256 bits). If "plain" is used as an argument to the hash option, the input data will not be hashed. Instead it will be zero padded (if shorter than the keysize) or truncated (if longer than the keysize) and used directly as the key. No warning will be given if the amount of data read from stdin is less than the keysize.
\fIFrom a key file\fR: It will be cropped to the size given by \-s. If there is insufficient key material in the key file, cryptsetup will quit with an error.
.SH NOTES ON PASSWORD PROCESSING FOR LUKS
Password processing is totally different for LUKS. LUKS uses PBKDF2 to protect against dictionary attacks (see RFC 2898).
LUKS will always use SHA1 in HMAC mode, and no other mode is supported at the moment.
Hence, \-h is ignored.
LUKS will always do an exhaustive password reading. Hence, password can not be read from /dev/random, /dev/zero or any other stream, that does not terminate.
LUKS saves the processing options when a password is set to the respective key slot.
Therefore, no options can be given to luksOpen.
For any password creation action (luksAddKey, or luksFormat), the user specify, how much the time the password processing should consume.
Increasing the time will lead to a more secure password, but also will take luksOpen longer to complete. The default setting of one second is sufficient for good security.
.SH NOTES ON PASSWORDS
Mathematic can't be bribed. Make sure you keep your passwords safe. There are a few nice tricks for constructing a fallback, when suddely out of (or after being) blue, your brain refuses to cooperate. These fallbacks are possible with LUKS, as it's only possible with LUKS to have multiple passwords.
.SH AUTHORS
cryptsetup is written by Christophe Saout <christophe@saout.de>
.br
LUKS extensions, and man page by Clemens Fruhwirth <clemens@endorphin.org>
.SH "REPORTING BUGS"
Report bugs to <dm-crypt@saout.de>.
.SH COPYRIGHT
Copyright \(co 2004 Christophe Saout
.br
Copyright \(co 2004-2006 Clemens Fruhwirth
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
.SH "SEE ALSO"
dm-crypt website, \fBhttp://www.saout.de/misc/dm-crypt/\fR
LUKS website, \fBhttp://luks.endorphin.org\fR
dm-crypt TWiki, \fBhttp://www.saout.de/tikiwiki/tiki-index.php\fR
|
