Путеводитель по Руководству Linux
  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |


   cryptsetup    ( 8 )

управлять обычными dm-crypt и зашифрованными томами LUKS (manage plain dm-crypt and LUKS encrypted volumes)
  Name  |  Synopsis  |  Description  |  Plain dm-crypt or luks?  |  Warning  |  Basic actions  |  Plain mode  |    Luks extension    |  Loop-aes extension  |  Tcrypt (truecrypt-compatible and veracrypt) extension  |  Bitlk (windows bitlocker-compatible) extension (experimental)  |  Miscellaneous  |  Options  |  Examples  |  Return value  |  Notes on passphrase processing for plain mode  |  Notes on passphrase processing for luks  |  Incoherent behavior for invalid passphrases/keys  |  Notes on supported ciphers, modes, hashes and key sizes  |  Notes on passphrases  |  Notes on random number generators  |  Authenticated disk encryption (experimental)  |  Notes on loopback device use  |  Luks2 header locking  |  Deprecated actions  |  Reporting bugs  |

LUKS EXTENSION

LUKS, the Linux Unified Key Setup, is a standard for disk encryption. It adds a standardized header at the start of the device, a key-slot area directly behind the header and the bulk data area behind that. The whole set is called a 'LUKS container'. The device that a LUKS container resides on is called a 'LUKS device'. For most purposes, both terms can be used interchangeably. But note that when the LUKS header is at a nonzero offset in a device, then the device is not a LUKS device anymore, but has a LUKS container stored in it at an offset.

LUKS can manage multiple passphrases that can be individually revoked or changed and that can be securely scrubbed from persistent media due to the use of anti-forensic stripes. Passphrases are protected against brute-force and dictionary attacks by PBKDF2, which implements hash iteration and salting in one function.

LUKS2 is a new version of header format that allows additional extensions like different PBKDF algorithm or authenticated encryption. You can format device with LUKS2 header if you specify --type luks2 in luksFormat command. For activation, the format is already recognized automatically.

Each passphrase, also called a key in this document, is associated with one of 8 key-slots. Key operations that do not specify a slot affect the first slot that matches the supplied passphrase or the first empty slot if a new passphrase is added.

The <device> parameter can also be specified by a LUKS UUID in the format UUID=<uuid>. Translation to real device name uses symlinks in /dev/disk/by-uuid directory.

To specify a detached header, the --header parameter can be used in all LUKS commands and always takes precedence over the positional <device> parameter.

The following are valid LUKS actions:

luksFormat <device> [<key file>]

Initializes a LUKS partition and sets the initial passphrase (for key-slot 0), either via prompting or via <key file>. Note that if the second argument is present, then the passphrase is taken from the file given there, without the need to use the --key-file option. Also note that for both forms of reading the passphrase from a file you can give '-' as file name, which results in the passphrase being read from stdin and the safety-question being skipped.

You cannot call luksFormat on a device or filesystem that is mapped or in use, e.g. mounted filesysem, used in LVM, active RAID member etc. The device or filesystem has to be un-mounted in order to call luksFormat.

To use LUKS2, specify --type luks2.

<options> can be [--hash, --cipher, --verify-passphrase, --key-size, --key-slot, --key-file (takes precedence over optional second argument), --keyfile-offset, --keyfile-size, --use-random | --use-urandom, --uuid, --master-key-file, --iter-time, --header, --pbkdf-force-iterations, --force-password, --disable- locks].

For LUKS2, additional <options> can be [--integrity, --integrity-no-wipe, --sector-size, --label, --subsystem, --pbkdf, --pbkdf-memory, --pbkdf-parallel, --disable-locks, --disable-keyring, --luks2-metadata-size, --luks2-keyslots-size, --keyslot-cipher, --keyslot-key-size].

WARNING: Doing a luksFormat on an existing LUKS container will make all data the old container permanently irretrievable unless you have a header backup.

open --type luks <device> <name> luksOpen <device> <name> (old syntax)

Opens the LUKS device <device> and sets up a mapping <name> after successful verification of the supplied passphrase.

First, the passphrase is searched in LUKS tokens. If it's not found in any token and also the passphrase is not supplied via --key-file, the command prompts for it interactively.

<options> can be [--key-file, --keyfile-offset, --keyfile-size, --readonly, --test-passphrase, --allow-discards, --header, --key-slot, --master-key-file, --token-id, --token-only, --token-type, --disable-external-tokens, --disable-keyring, --disable-locks, --type, --refresh, --serialize-memory-hard-pbkdf].

luksSuspend <name>

Suspends an active device (all IO operations will block and accesses to the device will wait indefinitely) and wipes the encryption key from kernel memory. Needs kernel 2.6.19 or later.

After this operation you have to use luksResume to reinstate the encryption key and unblock the device or close to remove the mapped device.

WARNING: never suspend the device on which the cryptsetup binary resides.

<options> can be [--header, --disable-locks].

luksResume <name>

Resumes a suspended device and reinstates the encryption key. Prompts interactively for a passphrase if --key-file is not given.

<options> can be [--key-file, --keyfile-size, --header, --disable-keyring, --disable-locks, --type]

luksAddKey <device> [<key file with new key>]

Adds a new passphrase. An existing passphrase must be supplied interactively or via --key-file. The new passphrase to be added can be specified interactively or read from the file given as positional argument.

NOTE: with --unbound option the action creates new unbound LUKS2 keyslot. The keyslot cannot be used for device activation. If you don't pass new key via --master-key-file option, new random key is generated. Existing passphrase for any active keyslot is not required.

<options> can be [--key-file, --keyfile-offset, --keyfile-size, --new-keyfile-offset, --new-keyfile-size, --key-slot, --master-key-file, --force-password, --header, --disable-locks, --iter-time, --pbkdf, --pbkdf-force-iterations, --unbound, --type, --keyslot-cipher, --keyslot-key-size].

luksRemoveKey <device> [<key file with passphrase to be removed>]

Removes the supplied passphrase from the LUKS device. The passphrase to be removed can be specified interactively, as the positional argument or via --key-file.

<options> can be [--key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, --type]

WARNING: If you read the passphrase from stdin (without further argument or with '-' as an argument to --key-file), batch-mode (-q) will be implicitly switched on and no warning will be given when you remove the last remaining passphrase from a LUKS container. Removing the last passphrase makes the LUKS container permanently inaccessible.

luksChangeKey <device> [<new key file>]

Changes an existing passphrase. The passphrase to be changed must be supplied interactively or via --key-file. The new passphrase can be supplied interactively or in a file given as positional argument.

If a key-slot is specified (via --key-slot), the passphrase for that key-slot must be given and the new passphrase will overwrite the specified key-slot. If no key-slot is specified and there is still a free key-slot, then the new passphrase will be put into a free key-slot before the key-slot containing the old passphrase is purged. If there is no free key-slot, then the key-slot with the old passphrase is overwritten directly.

WARNING: If a key-slot is overwritten, a media failure during this operation can cause the overwrite to fail after the old passphrase has been wiped and make the LUKS container inaccessible.

<options> can be [--key-file, --keyfile-offset, --keyfile-size, --new-keyfile-offset, --iter-time, --pbkdf, --pbkdf-force-iterations, --new-keyfile-size, --key-slot, --force-password, --header, --disable-locks, --type, --keyslot-cipher, --keyslot-key-size].

luksConvertKey <device>

Converts an existing LUKS2 keyslot to new pbkdf parameters. The passphrase for keyslot to be converted must be supplied interactively or via --key-file. If no --pbkdf parameters are specified LUKS2 default pbkdf values will apply.

If a keyslot is specified (via --key-slot), the passphrase for that keyslot must be given. If no keyslot is specified and there is still a free keyslot, then the new parameters will be put into a free keyslot before the keyslot containing the old parameters is purged. If there is no free keyslot, then the keyslot with the old parameters is overwritten directly.

WARNING: If a keyslot is overwritten, a media failure during this operation can cause the overwrite to fail after the old parameters have been wiped and make the LUKS container inaccessible.

<options> can be [--key-file, --keyfile-offset, --keyfile-size, --key-slot, --header, --disable-locks, --iter-time, --pbkdf, --pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --keyslot-cipher, --keyslot-key-size].

luksKillSlot <device> <key slot number>

Wipe the key-slot number <key slot> from the LUKS device. Except running in batch-mode (-q) a remaining passphrase must be supplied, either interactively or via --key-file. This command can remove the last remaining key-slot, but requires an interactive confirmation when doing so. Removing the last passphrase makes a LUKS container permanently inaccessible.

<options> can be [--key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, --type].

WARNING: If you read the passphrase from stdin (without further argument or with '-' as an argument to --key- file), batch-mode (-q) will be implicitly switched on and no warning will be given when you remove the last remaining passphrase from a LUKS container. Removing the last passphrase makes the LUKS container permanently inaccessible.

NOTE: If there is no passphrase provided (on stdin or through --key-file argument) and batch-mode (-q) is active, the key-slot is removed without any other warning.

erase <device> luksErase <device>

Erase all keyslots and make the LUKS container permanently inaccessible. You do not need to provide any password for this operation.

WARNING: This operation is irreversible.

luksUUID <device>

Print the UUID of a LUKS device. Set new UUID if --uuid option is specified.

isLuks <device>

Returns true, if <device> is a LUKS device, false otherwise. Use option -v to get human-readable feedback. 'Command successful.' means the device is a LUKS device.

By specifying --type you may query for specific LUKS version.

luksDump <device>

Dump the header information of a LUKS device.

If the --dump-master-key option is used, the LUKS device master key is dumped instead of the keyslot info. Together with --master-key-file option, master key is dumped to a file instead of standard output. Beware that the master key cannot be changed without reencryption and can be used to decrypt the data stored in the LUKS container without a passphrase and even without the LUKS header. This means that if the master key is compromised, the whole device has to be erased or reencrypted to prevent further access. Use this option carefully.

To dump the master key, a passphrase has to be supplied, either interactively or via --key-file.

To dump unbound key (LUKS2 format only), --unbound parameter, specific --key-slot id and proper passphrase has to be supplied, either interactively or via --key-file. Optional --master-key-file parameter enables unbound keyslot dump to a file.

To dump LUKS2 JSON metadata (without basic heade information like UUID) use --dump-json-metadata option.

<options> can be [--dump-master-key, --dump-json-metadata, --key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, --master-key-file, --type, --unbound, --key-slot].

WARNING: If --dump-master-key is used with --key-file and the argument to --key-file is '-', no validation question will be asked and no warning given.

luksHeaderBackup <device> --header-backup-file <file>

Stores a binary backup of the LUKS header and keyslot area. Note: Using '-' as filename writes the header backup to a file named '-'.

WARNING: This backup file and a passphrase valid at the time of backup allows decryption of the LUKS data area, even if the passphrase was later changed or removed from the LUKS device. Also note that with a header backup you lose the ability to securely wipe the LUKS device by just overwriting the header and key-slots. You either need to securely erase all header backups in addition or overwrite the encrypted data area as well. The second option is less secure, as some sectors can survive, e.g. due to defect management.

luksHeaderRestore <device> --header-backup-file <file>

Restores a binary backup of the LUKS header and keyslot area from the specified file. Note: Using '-' as filename reads the header backup from a file named '-'.

WARNING: Header and keyslots will be replaced, only the passphrases from the backup will work afterward.

This command requires that the master key size and data offset of the LUKS header already on the device and of the header backup match. Alternatively, if there is no LUKS header on the device, the backup will also be written to it.

token <add|remove|import|export> <device>

Action add creates new keyring token to enable auto- activation of the device. For the auto-activation, the passphrase must be stored in keyring with the specified description. Usually, the passphrase should be stored in user or user-session keyring. The token command is supported only for LUKS2.

For adding new keyring token, option --key-description is mandatory. Also, new token is assigned to key slot specified with --key-slot option or to all active key slots in the case --key-slot option is omitted.

To remove existing token, specify the token ID which should be removed with --token-id option.

WARNING: The action token remove removes any token type, not just keyring type from token slot specified by --token-id option.

Action import can store arbitrary valid token json in LUKS2 header. It may be passed via standard input or via file passed in --json-file option. If you specify --key-slot then successfully imported token is also assigned to the key slot.

Action export writes requested token json to a file passed with --json-file or to standard output.

<options> can be [--header, --token-id, --key-slot, --key-description, --disable-external-tokens, --disable-locks, --disable-keyring, --json-file].

convert <device> --type <format>

Converts the device between LUKS1 and LUKS2 format (if possible). The conversion will not be performed if there is an additional LUKS2 feature or LUKS1 has unsupported header size.

Conversion (both directions) must be performed on inactive device. There must not be active dm-crypt mapping established for LUKS header requested for conversion.

--type option is mandatory with following accepted values: luks1 or luks2.

WARNING: The convert action can destroy the LUKS header in the case of a crash during conversion or if a media error occurs. Always create a header backup before performing this operation!

<options> can be [--header, --type].

config <device>

Set permanent configuration options (store to LUKS header). The config command is supported only for LUKS2.

The permanent options can be --priority to set priority (normal, prefer, ignore) for keyslot (specified by --key-slot) or --label and --subsystem.

<options> can be [--priority, --label, --subsystem, --key-slot, --header].