The following are valid actions for all supported device types.
open <device> <name> --type <device_type>
Opens (creates a mapping with) <name> backed by device
<device>.
Device type can be plain, luks (default), luks1, luks2,
loopaes or tcrypt.
For backward compatibility there are open
command aliases:
create
(argument-order <name> <device>): open --type plain
plainOpen
: open --type plain
luksOpen
: open --type luks
loopaesOpen
: open --type loopaes
tcryptOpen
: open --type tcrypt
bitlkOpen
: open --type bitlk
<options>
are type specific and are described below for
individual device types. For create
, the order of the
<name> and <device> options is inverted for historical
reasons, all other aliases use the standard <device>
<name>
order.
close <name>
Removes the existing mapping <name> and wipes the key from
kernel memory.
For backward compatibility there are close
command
aliases: remove
, plainClose
, luksClose
, loopaesClose
,
tcryptClose
(all behaves exactly the same, device type is
determined automatically from active device).
<options>
can be [--deferred] or [--cancel-deferred]
status <name>
Reports the status for the mapping <name>.
resize <name>
Resizes an active mapping <name>.
If --size (in 512-bytes sectors) or --device-size are not
specified, the size is computed from the underlying
device. For LUKS it is the size of the underlying device
without the area reserved for LUKS header (see data
payload offset in luksDump
command). For plain crypt
device, the whole device size is used.
Note that this does not change the raw device geometry, it
just changes how many sectors of the raw device are
represented in the mapped device.
If cryptsetup detected volume key for active device loaded
in kernel keyring service, resize action would first try
to retrieve the key using a token and only if it failed
it'd ask for a passphrase to unlock a keyslot (LUKS) or to
derive a volume key again (plain mode). The kernel
keyring is used by default for LUKS2 devices.
With LUKS2 device additional <options>
can be [--token-id,
--token-only, --token-type, --key-slot, --key-file,
--keyfile-size, --keyfile-offset, --timeout,
--disable-external-tokens, --disable-locks,
--disable-keyring].
refresh <name>
Refreshes parameters of active mapping <name>.
Updates parameters of active device <name> without need to
deactivate the device (and umount filesystem). Currently
it supports parameters refresh on following devices:
LUKS1, LUKS2 (including authenticated encryption), plain
crypt and loopaes.
Mandatory parameters are identical to those of an open
action for respective device type.
You may change following parameters on all devices
--perf-same_cpu_crypt, --perf-submit_from_crypt_cpus,
--perf-no_read_workqueue, --perf-no_write_workqueue and
--allow-discards.
Refreshing device without any optional parameter will
refresh the device with default setting (respective to
device type).
LUKS2 only:
--integrity-no-journal parameter affects only LUKS2
devices with underlying dm-integrity device.
Adding option --persistent stores any combination of
device parameters above in LUKS2 metadata (only after
successful refresh operation).
--disable-keyring parameter refreshes a device with volume
key passed in dm-crypt driver.
reencrypt <device> or --active-name <name> [<new_name>]
Run resilient reencryption (LUKS2 device only).
There are 3 basic modes of operation:
• device reencryption (reencrypt)
• device encryption (reencrypt --encrypt)
• device decryption (reencrypt --decrypt)
<device> or --active-name <name> is mandatory parameter.
With <device> parameter cryptsetup looks up active
<device> dm mapping. If no active mapping is detected, it
starts offline reencryption otherwise online reencryption
takes place.
Reencryption process may be safely interrupted by a user
via SIGTERM signal (ctrl+c).
To resume already initialized or interrupted reencryption,
just run the cryptsetup reencrypt command again to
continue the reencryption operation. Reencryption may be
resumed with different --resilience or --hotzone-size
unless implicit datashift resilience mode is used
(reencrypt --encrypt with --reduce-device-size option).
If the reencryption process was interrupted abruptly
(reencryption process crash, system crash, poweroff) it
may require recovery. The recovery is currently run
automatically on next activation (action open) when
needed.
Optional parameter <new_name> takes effect only with
--encrypt option and it activates device <new_name>
immediately after encryption initialization gets finished.
That's useful when device needs to be ready as soon as
possible and mounted (used) before full data area
encryption is completed.
Action supports following additional <options>
[--encrypt,
--decrypt, --device-size, --resilience, --resilience-hash,
--hotzone-size, --init-only, --resume-only,
--reduce-device-size, --master-key-file, --key-size].