File: cryptsetup-luksFormat.8.adoc

cryptsetup 2:2.8.4-1
= cryptsetup-luksFormat(8)
:doctype: manpage
:manmanual: Maintenance Commands
:mansource: cryptsetup {release-version}
:man-linkstyle: pass:[blue R < >]
:COMMON_OPTIONS:
:ACTION_LUKSFORMAT:

== Name

cryptsetup-luksFormat - initialize a LUKS partition and set the initial passphrase

== SYNOPSIS

*cryptsetup _luksFormat_ [<options>] <device> [<key file>]*

== DESCRIPTION

Initializes a LUKS partition and sets the passphrase via prompting or <key file>.
Note that if the second argument is present, the passphrase is taken from the file given there, without using the --key-file option.
Also note that for both forms of reading the passphrase from a file, you can give '-' as a file name, which results in the passphrase being read from stdin and the safety question being skipped.

You cannot call luksFormat on a device or filesystem that is mapped or in use, e.g., a mounted filesystem, used in LVM, active RAID member, etc.
The device or filesystem has to be unmounted in order to call luksFormat.

To enforce a specific version of LUKS format, use _--type luks1_ or _--type luks2_.
The default format is LUKS2.

To use hardware encryption on an OPAL self-encrypting drive, use --hw-opal or --hw-opal-only.
Note that some OPAL drives can require a PSID reset (with deletion of data) before using the LUKS format with OPAL options.
See --hw-opal-factory-reset option in cryptsetup _erase_ command.

Doing a luksFormat on an existing LUKS container will regenerate the volume key.
Unless you have a header backup, all old encrypted data in the container will be permanently irretrievable.
Note that luksFormat does not wipe or overwrite the data area.
It only creates a new LUKS header with fresh keyslots.
See cryptsetup FAQ for more info on how to wipe the whole device, including encrypted data.
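
The following pre-flight wrapper is an added example, not part of the cryptsetup sources. It covers the two points above: luksFormat is refused on in-use devices, and reformatting an existing container loses the old volume key unless a header backup exists. The function names and the mounts-table parameter are assumptions of this example; only the mount table is checked, so LVM or RAID membership is left for cryptsetup itself to reject.

```shell
#!/bin/sh
# Added example: pre-flight checks around "cryptsetup luksFormat".
# Function names and the optional mounts-table argument are hypothetical.

# Return 0 if the device is listed as a mount source in the mounts table
# (default /proc/mounts). Only exact device-path matches are detected.
device_is_mounted() {
    dev=$1; table=${2:-/proc/mounts}
    awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }' "$table"
}

# Print what luksFormat would meet on the device:
#   in-use    mounted, so luksFormat must not be called on it
#   existing  already a LUKS container; formatting regenerates the volume key
#   blank     no LUKS header detected
luksformat_preflight() {
    dev=$1; table=${2:-/proc/mounts}
    if device_is_mounted "$dev" "$table"; then
        echo in-use
    elif cryptsetup isLuks "$dev" 2>/dev/null; then
        echo existing
    else
        echo blank
    fi
}

# Format the device as LUKS2. An existing container gets its header saved
# first; the backup file holds the old keyslots, so store it as carefully
# as the passphrase. luksFormat only writes a new header: the data area
# is not wiped.
safe_luksformat() {
    dev=$1; backup=$2; table=${3:-/proc/mounts}
    state=$(luksformat_preflight "$dev" "$table")
    case $state in
        in-use)
            echo "refusing: $dev is mounted, unmount it first" >&2
            return 1 ;;
        existing)
            cryptsetup luksHeaderBackup "$dev" \
                --header-backup-file "$backup" || return 1 ;;
    esac
    cryptsetup luksFormat --type luks2 "$dev"
}

# Usage (as root): safe_luksformat /dev/sdX1 /root/sdX1-header.img
```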

*<options>* can be [--hash, --cipher, --verify-passphrase, --key-size, --key-slot, --key-file (takes precedence over optional second argument), --keyfile-offset, --keyfile-size, --use-random, --use-urandom, --uuid, --volume-key-file, --iter-time, --header, --pbkdf-force-iterations, --force-password, --disable-locks, --timeout, --type, --offset, --align-payload (DEPRECATED)].

For LUKS2, additional *<options>* can be [--integrity, --integrity-no-wipe, --sector-size, --label, --subsystem, --pbkdf, --pbkdf-memory, --pbkdf-parallel, --disable-locks, --disable-keyring, --luks2-metadata-size, --luks2-keyslots-size, --keyslot-cipher, --keyslot-key-size, --integrity-legacy-padding, --hw-opal, --hw-opal-only].

include::man/common_options.adoc[]
include::man/common_footer.adoc[]