Guide to the Linux Manual




cryptsetup(8)

manage plain dm-crypt and LUKS encrypted volumes


TCRYPT (TrueCrypt-compatible and VeraCrypt) EXTENSION

cryptsetup supports mapping of TrueCrypt, tcplay or VeraCrypt encrypted partitions using the native Linux kernel API. Header formatting and TCRYPT header changes are not supported; cryptsetup never changes the TCRYPT header on-device.

The TCRYPT extension requires the kernel userspace crypto API to be available (introduced in Linux kernel 2.6.38). If you are configuring the kernel yourself, enable "User-space interface for symmetric key cipher algorithms" in the "Cryptographic API" section (the CRYPTO_USER_API_SKCIPHER .config option).

Because the TCRYPT header is encrypted, you always have to provide a valid passphrase and keyfiles; there is no way to recognize or dump the header without them.

cryptsetup should recognize all header variants, except legacy cipher chains using the LRW encryption mode with a 64-bit encryption block (namely, Blowfish in LRW mode is not recognized; this is a limitation of the kernel crypto API).

VeraCrypt is just an extension of the TrueCrypt header with an increased iteration count, so unlocking can take quite a lot of time (in comparison with a TCRYPT device).

To open a VeraCrypt device with a custom Personal Iteration Multiplier (PIM) value, use either the --veracrypt-pim=<PIM> option to specify the PIM directly on the command line, or --veracrypt-query-pim to be prompted for the PIM.

The PIM value affects the number of iterations applied during key derivation. Please refer to https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20%28PIM%29.html for more detailed information.

If you need to disable VeraCrypt device support, use --disable-veracrypt option.

NOTE: Activation with tcryptOpen is supported only for cipher chains using LRW or XTS encryption modes.

The tcryptDump command should work for all recognized TCRYPT devices and does not require superuser privileges (only read access to the device or image).

To map a system device (a device with a boot loader where the whole encrypted system resides), use the --tcrypt-system option. You can use a partition device as the parameter (the parameter must be a real partition device, not an image in a file); then only this partition is mapped.

If you have the whole TCRYPT device as a file image and you want to map multiple partitions encrypted with system encryption, first create a loopback mapping with partitions (losetup -P, see the losetup(8) man page for more info), and use the loop partition as the device parameter.

If you use the whole base device as the parameter, one device for the whole system encryption is mapped. This mode is available only for backward compatibility with older cryptsetup versions, which mapped TCRYPT system encryption using the whole device.

To use the hidden header (and map the hidden device, if available), use the --tcrypt-hidden option.

To explicitly use the backup (secondary) header, use the --tcrypt-backup option.

NOTE: There is no protection for a hidden volume if the outer volume is mounted. The reason is that any such protection would require metadata describing what to protect in the outer volume, and the hidden volume would thereby become detectable.

open --type tcrypt <device> <name>
tcryptOpen <device> <name> (old syntax)

Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping <name>.

<options> can be [--key-file, --tcrypt-hidden, --tcrypt-system, --tcrypt-backup, --readonly, --test-passphrase, --allow-discards, --disable-veracrypt, --veracrypt-pim, --veracrypt-query-pim, --header, --cipher, --hash].

The keyfile parameter allows a combination of file content with the passphrase and can be repeated. Note that using keyfiles is compatible with TCRYPT and is different from LUKS keyfile logic.

If the --hash (or --cipher) option is used, only the PBKDF2 variants with the specified hash algorithm (or the specified cipher chain) are checked. This can speed up unlocking the device, but it also reveals some information about the container.

If you use --header in combination with the hidden or system options, the header file must contain the specific headers at the same positions as in the original encrypted container.

WARNING: The --allow-discards option cannot be combined with --tcrypt-hidden. For a normal (outer) mapping it can cause the destruction of a hidden volume: the hidden volume appears as unused space to the outer volume, so that space can be discarded.

tcryptDump <device>

Dump the header information of a TCRYPT device.

If the --dump-master-key option is used, the TCRYPT device master key is dumped instead of the TCRYPT header info. Beware that the master key (or the concatenated master keys, if a cipher chain is used) can be used to decrypt the data stored in the TCRYPT container without a passphrase. This means that if the master key is compromised, the whole device has to be erased to prevent further access. Use this option carefully.

<options> can be [--dump-master-key, --key-file, --tcrypt-hidden, --tcrypt-system, --tcrypt-backup, --cipher, --hash].

The keyfile parameter allows a combination of file content with the passphrase and can be repeated.
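The following POSIX sh helpers are an added example, not part of cryptsetup or its manual. They wrap the actions described above (opening a VeraCrypt device with a PIM, mapping the partitions of a system-encrypted disk via losetup -P, and dumping the header) and add the checks a practitioner would want: the --allow-discards/--tcrypt-hidden conflict is refused, mappings are read-only unless explicitly asked for, and --dump-master-key must be opted into. Everything here assumes a cryptsetup build with TCRYPT support and root for the real run; the TCRYPT_DRY_RUN, TCRYPT_ALLOW_MASTER_KEY and --readwrite switches belong to the helpers, not to cryptsetup.

```shell
#!/bin/sh
# Added example, not part of cryptsetup: POSIX sh helpers around the TCRYPT
# actions in this section. Assumes a cryptsetup build with TCRYPT support and
# root for the real run. With TCRYPT_DRY_RUN=1 the helpers print the cryptsetup
# command they would run instead of executing it, so they can be tried without
# a container or root.
set -eu

# Execute a command, or print it under TCRYPT_DRY_RUN=1.
run() {
    if [ "${TCRYPT_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Fails (status 1) when --allow-discards is combined with --tcrypt-hidden, the
# combination the man page warns about: discards issued through the outer
# mapping land on the "free space" where the hidden volume actually lives.
check_discard_conflict() {
    hidden=0; discards=0
    for opt in "$@"; do
        case $opt in
            --tcrypt-hidden)  hidden=1 ;;
            --allow-discards) discards=1 ;;
        esac
    done
    [ "$hidden$discards" != 11 ]
}

# tcrypt_open DEVICE NAME [cryptsetup options...]
# Maps a TrueCrypt/VeraCrypt container. The mapping is read-only unless the
# caller passes --readwrite (a helper-only switch, removed before cryptsetup
# sees it; cryptsetup itself maps read-write by default).
tcrypt_open() {
    dev=$1; name=$2; shift 2
    mode=--readonly
    for opt in "$@"; do           # rebuild "$@" without the helper-only switch
        shift
        if [ "$opt" = --readwrite ]; then mode=""; else set -- "$@" "$opt"; fi
    done
    check_discard_conflict "$@" || {
        echo "refusing: --allow-discards with --tcrypt-hidden destroys the hidden volume" >&2
        return 1
    }
    # ${mode:+$mode} expands to nothing (no empty argument) when --readwrite was given.
    run cryptsetup open --type tcrypt ${mode:+$mode} "$@" "$dev" "$name"
}

# veracrypt_open DEVICE NAME PIM [cryptsetup options...]
# PIM must be a non-negative integer; 0 selects VeraCrypt's default iteration
# count, so the --veracrypt-pim option is simply omitted in that case.
veracrypt_open() {
    dev=$1; name=$2; pim=$3; shift 3
    case $pim in ''|*[!0-9]*) echo "PIM must be a non-negative integer: '$pim'" >&2; return 1 ;; esac
    if [ "$pim" -gt 0 ]; then set -- --veracrypt-pim="$pim" "$@"; fi
    tcrypt_open "$dev" "$name" "$@"
}

# tcrypt_open_system_parts PREFIX PARTITION...
# Maps each partition of a TrueCrypt system-encrypted disk with --tcrypt-system.
# For a disk image, attach it with partition scanning first and pass the loop
# partitions:  loop=$(losetup -f -P --show disk.img); tcrypt_open_system_parts sys "$loop"p[0-9]*
# Each PARTITION must be a real partition device (not an image file), as the
# man page requires; each mapping prompts for the passphrase separately.
tcrypt_open_system_parts() {
    prefix=$1; shift
    for part in "$@"; do
        if [ "${TCRYPT_DRY_RUN:-0}" != 1 ] && [ ! -b "$part" ]; then
            echo "not a block device: $part" >&2; return 1
        fi
        tcrypt_open "$part" "${prefix}_${part##*/}" --tcrypt-system
    done
}

# tcrypt_dump DEVICE [cryptsetup options...]
# Prints header information. --dump-master-key is refused unless
# TCRYPT_ALLOW_MASTER_KEY=1, because the dumped key decrypts the whole
# container without any passphrase.
tcrypt_dump() {
    dev=$1; shift
    for opt in "$@"; do
        if [ "$opt" = --dump-master-key ] && [ "${TCRYPT_ALLOW_MASTER_KEY:-0}" != 1 ]; then
            echo "refusing --dump-master-key; set TCRYPT_ALLOW_MASTER_KEY=1 if you really want the key" >&2
            return 1
        fi
    done
    run cryptsetup tcryptDump "$@" "$dev"
}
```

Source the file and call, for example, `veracrypt_open /dev/sdb1 vc 485` or `tcrypt_open /dev/sdb1 outer --readwrite` (the latter only when you are sure no hidden volume exists, since read-write access to the outer volume can overwrite it). Run with `TCRYPT_DRY_RUN=1` first to see the exact cryptsetup invocation; after a system-image session, detach the loop device with `losetup -d "$loop"` once the mappings are closed.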

See also https://en.wikipedia.org/wiki/TrueCrypt for more information regarding TrueCrypt.

Please note that cryptsetup does not use TrueCrypt code; please report all problems related to this compatibility extension to the cryptsetup project.