Guide to the Linux Manual




cryptsetup(8)

manage plain dm-crypt and LUKS encrypted volumes


BASIC ACTIONS

The following are valid actions for all supported device types.

open <device> <name> --type <device_type>

Opens (creates a mapping with) <name> backed by device <device>.

Device type can be plain, luks (default), luks1, luks2, loopaes, tcrypt or bitlk.

For backward compatibility there are open command aliases:

• create (argument order <name> <device>): open --type plain

• plainOpen: open --type plain

• luksOpen: open --type luks

• loopaesOpen: open --type loopaes

• tcryptOpen: open --type tcrypt

• bitlkOpen: open --type bitlk

<options> are type specific and are described below for the individual device types. For create, the order of the <name> and <device> arguments is inverted for historical reasons; all other aliases use the standard <device> <name> order.

close <name>

Removes the existing mapping <name> and wipes the key from kernel memory.

For backward compatibility there are close command aliases: remove, plainClose, luksClose, loopaesClose, tcryptClose (all behave exactly the same; the device type is determined automatically from the active device).

<options> can be [--deferred] or [--cancel-deferred]

status <name>

Reports the status for the mapping <name>.
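The following is an added example, not part of the cryptsetup man page: a file-backed LUKS2 volume is formatted, opened, inspected with status, mounted, and then closed with --deferred while still mounted, so the mapping (and the key in kernel memory) disappears only when the filesystem is unmounted. The image path, key file, mapping name demo_luks and mount point are illustrative assumptions, and the status output embedded in the script is a constructed sample. The two parser helpers run without root; the demo itself needs root, cryptsetup and dmsetup, and only runs when CRYPTSETUP_DEMO=1 is set.

```shell
#!/bin/sh
# Added example (not from the cryptsetup man page). Assumed names: image path,
# key file, mapping name demo_luks, mount point. Demo part needs root.
set -eu

# mapping_state: classify `cryptsetup status <name>` output read on stdin.
# Prints "active-in-use", "active" or "inactive"; exits 1 if unrecognised.
mapping_state() {
    awk '
        NR == 1 && / is active and is in use\.?$/ { print "active-in-use"; ok = 1; exit }
        NR == 1 && / is active\.?$/               { print "active";        ok = 1; exit }
        NR == 1 && / is inactive\.?$/             { print "inactive";      ok = 1; exit }
        END { if (!ok) exit 1 }
    '
}

# status_field KEY: print the value of one "KEY:" line of status output on stdin.
# Example: cryptsetup status demo_luks | status_field cipher
status_field() {
    awk -v key="$1:" '
        $0 ~ ("^[[:space:]]*" key "[[:space:]]") {
            sub("^[[:space:]]*" key "[[:space:]]*", ""); print; exit
        }'
}

# Constructed sample of `cryptsetup status` output for an open, mounted LUKS2 mapping.
SAMPLE_STATUS='/dev/mapper/demo_luks is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/loop0
  sector size:  512
  offset:  32768 sectors
  size:    98304 sectors
  mode:    read/write'

demo() {
    IMG=/var/tmp/demo_luks.img KEY=/var/tmp/demo_luks.key NAME=demo_luks MNT=/mnt/demo_luks
    truncate -s 64M "$IMG"
    head -c 64 /dev/urandom > "$KEY"; chmod 600 "$KEY"
    cryptsetup luksFormat --type luks2 --batch-mode --key-file "$KEY" "$IMG"
    # cryptsetup attaches a loop device for the image file by itself
    cryptsetup open --type luks2 --key-file "$KEY" "$IMG" "$NAME"
    cryptsetup status "$NAME" | status_field cipher
    mkfs.ext4 -q "/dev/mapper/$NAME"
    mkdir -p "$MNT"; mount "/dev/mapper/$NAME" "$MNT"
    # Deferred close: the mapping is torn down when its last user goes away.
    # `cryptsetup close --cancel-deferred "$NAME"` would revert this before umount.
    cryptsetup close --deferred "$NAME"
    cryptsetup status "$NAME" | mapping_state   # still active-in-use
    dmsetup info "$NAME" | grep '^State'        # shows the deferred-remove flag
    umount "$MNT"
    cryptsetup status "$NAME" | mapping_state   # inactive: key wiped from the kernel
    rm -f "$KEY" "$IMG"
}

if [ "${CRYPTSETUP_DEMO:-}" = 1 ]; then demo; fi
```

The parsers are the part worth reusing: scripts that close volumes on shutdown or rotate keys should check mapping_state before acting, because close on an in-use mapping fails unless --deferred is given.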

resize <name>

Resizes an active mapping <name>.

If --size (in 512-byte sectors) or --device-size is not specified, the size is computed from the underlying device. For LUKS it is the size of the underlying device minus the area reserved for the LUKS header (see the data payload offset in the luksDump command). For a plain crypt device, the whole device size is used.

Note that this does not change the raw device geometry, it just changes how many sectors of the raw device are represented in the mapped device.

If cryptsetup detects that the volume key for the active device is loaded in the kernel keyring service, the resize action first tries to retrieve the key using a token and only if that fails asks for a passphrase to unlock a keyslot (LUKS) or to derive the volume key again (plain mode). The kernel keyring is used by default for LUKS2 devices.

With LUKS2 device additional <options> can be [--token-id, --token-only, --token-type, --key-slot, --key-file, --keyfile-size, --keyfile-offset, --timeout, --disable-external-tokens, --disable-locks, --disable-keyring].
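The following is an added example, not part of the man page, for the size computation described above: it parses the data payload offset from luksDump output (LUKS1 reports "Payload offset:" in 512-byte sectors, LUKS2 reports the first data segment's "offset: N [bytes]"), turns device size minus offset into the sector count that --size expects, and then grows a file-backed volume end to end (backing file, loop device, dm-crypt mapping, filesystem). The two luksDump excerpts are constructed samples; image path, mapping name and sizes are illustrative assumptions. The demo needs root and only runs with CRYPTSETUP_DEMO=1.

```shell
#!/bin/sh
# Added example (not from the cryptsetup man page). Sample luksDump excerpts are
# constructed; image path, mapping name and sizes are assumptions.
set -eu

# payload_offset_bytes: read `cryptsetup luksDump` output on stdin and print the
# data payload offset in bytes. Exits 1 if neither LUKS1 nor LUKS2 form is found.
payload_offset_bytes() {
    awk '
        /^Payload offset:/                                  { print $3 * 512; found = 1; exit }
        /^[[:space:]]*offset:[[:space:]]*[0-9]+ \[bytes\]/  { print $2;       found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# payload_sectors DEVICE_BYTES OFFSET_BYTES: number of 512-byte sectors the mapped
# device can expose, i.e. the value to pass to `cryptsetup resize --size`.
payload_sectors() {
    dev_bytes=$1; off_bytes=$2
    [ "$dev_bytes" -gt "$off_bytes" ] || { echo "device smaller than LUKS header" >&2; return 1; }
    echo $(( (dev_bytes - off_bytes) / 512 ))
}

# Constructed LUKS2 luksDump excerpt: 16 MiB header, data segment starts at byte 16777216.
LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           00000000-0000-0000-0000-000000000000
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]'

# Constructed LUKS1 luksDump excerpt: payload offset 4096 sectors (2 MiB).
LUKS1_DUMP='LUKS header information for /dev/loop0

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512'

demo() {
    IMG=/var/tmp/demo_resize.img KEY=/var/tmp/demo_resize.key NAME=demo_resize
    truncate -s 64M "$IMG"; head -c 64 /dev/urandom > "$KEY"; chmod 600 "$KEY"
    cryptsetup luksFormat --type luks2 --batch-mode --key-file "$KEY" "$IMG"
    cryptsetup open --key-file "$KEY" "$IMG" "$NAME"
    mkfs.ext4 -q "/dev/mapper/$NAME"
    # Grow the backing file, then propagate the new size layer by layer.
    truncate -s 128M "$IMG"
    loop=$(cryptsetup status "$NAME" | awk '$1 == "device:" { print $2 }')
    losetup --set-capacity "$loop"
    off=$(cryptsetup luksDump "$loop" | payload_offset_bytes)
    sectors=$(payload_sectors "$(blockdev --getsize64 "$loop")" "$off")
    # Explicit --size here equals what cryptsetup would compute on its own;
    # --key-file is only consulted if the key cannot be fetched from the keyring.
    cryptsetup resize --size "$sectors" --key-file "$KEY" "$NAME"
    resize2fs "/dev/mapper/$NAME"
    cryptsetup close "$NAME"
    rm -f "$KEY" "$IMG"
}

if [ "${CRYPTSETUP_DEMO:-}" = 1 ]; then demo; fi
```

Passing a --size larger than the payload makes the mapping reference sectors that do not exist on the raw device; reads there fail, so compute the value from the device rather than hard-coding it.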

refresh <name>

Refreshes parameters of active mapping <name>.

Updates the parameters of the active device <name> without the need to deactivate the device (and unmount the filesystem). Currently parameter refresh is supported on the following device types: LUKS1, LUKS2 (including authenticated encryption), plain crypt and loopaes.

Mandatory parameters are identical to those of an open action for respective device type.

You may change the following parameters on all devices: --perf-same_cpu_crypt, --perf-submit_from_crypt_cpus, --perf-no_read_workqueue, --perf-no_write_workqueue and --allow-discards.

Refreshing a device without any optional parameter refreshes it with the default settings for its device type.

LUKS2 only:

The --integrity-no-journal parameter affects only LUKS2 devices with an underlying dm-integrity device.

Adding the option --persistent stores any combination of the device parameters above in the LUKS2 metadata (only after a successful refresh operation).

The --disable-keyring parameter refreshes the device with the volume key passed directly to the dm-crypt driver instead of being referenced from the kernel keyring.
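The following is an added example, not part of the man page: it applies discard support and the two workqueue performance flags to an active LUKS2 mapping with refresh, stores them persistently, and then verifies what the kernel is actually running by reading the dm-crypt table line, which is the only authoritative place to confirm a refresh took effect. The table line in the script is a constructed sample in the format dm-crypt uses (start, length, "crypt", cipher, key reference, IV offset, device, offset, count of optional parameters, parameters); the mapping name and key file are illustrative assumptions. The demo needs root and an already open LUKS2 mapping and only runs with CRYPTSETUP_DEMO=1.

```shell
#!/bin/sh
# Added example (not from the cryptsetup man page). Sample dm table line is
# constructed; mapping name demo_luks and key file path are assumptions.
set -eu

# crypt_table_flags: print the optional dm-crypt parameters, one per line, from a
# `dmsetup table <name>` line read on stdin. Layout of a crypt target line:
#   start length crypt cipher key iv_offset device offset [nparams param ...]
crypt_table_flags() {
    awk '$3 == "crypt" { n = $9 + 0; for (i = 10; i < 10 + n; i++) print $i; exit }'
}

# has_flag FLAG: exit 0 if the crypt table line on stdin carries FLAG.
has_flag() {
    crypt_table_flags | grep -qx "$1"
}

# Constructed sample: LUKS2 mapping whose key lives in the kernel keyring (":64:logon:..."),
# refreshed with --allow-discards --perf-no_read_workqueue --perf-no_write_workqueue.
SAMPLE_TABLE='0 98304 crypt aes-xts-plain64 :64:logon:cryptsetup:00000000-0000-0000-0000-000000000000-d0 0 7:0 32768 3 allow_discards no_read_workqueue no_write_workqueue'

demo() {
    NAME=demo_luks KEY=/var/tmp/demo_luks.key
    # Mandatory parameters are those of `open` for this type, so the keyslot must be unlockable.
    # --persistent additionally records the flags in the LUKS2 header for future activations.
    cryptsetup refresh --allow-discards --perf-no_read_workqueue --perf-no_write_workqueue \
        --persistent --key-file "$KEY" "$NAME"
    dmsetup table "$NAME" | crypt_table_flags
    if dmsetup table "$NAME" | has_flag allow_discards; then
        echo "kernel mapping $NAME now passes discards through"
    fi
    # The persistent copy shows up on the Flags: line of the header dump.
    dev=$(cryptsetup status "$NAME" | awk '$1 == "device:" { print $2 }')
    cryptsetup luksDump "$dev" | grep '^Flags:'
}

if [ "${CRYPTSETUP_DEMO:-}" = 1 ]; then demo; fi
```

Whether --allow-discards is appropriate is a policy decision: it lets an attacker with the raw device distinguish used from unused blocks, which the man page's --allow-discards option text covers; the example only shows how to apply and verify the setting.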

reencrypt <device> or --active-name <name> [<new_name>]

Run resilient reencryption (LUKS2 device only).

There are 3 basic modes of operation:

• device reencryption (reencrypt)

• device encryption (reencrypt --encrypt)

• device decryption (reencrypt --decrypt)

<device> or --active-name <name> is a mandatory parameter.

With the <device> parameter, cryptsetup looks up an active dm mapping for <device>. If no active mapping is detected, it starts offline reencryption; otherwise online reencryption takes place.

The reencryption process may be safely interrupted by the user with SIGINT (Ctrl+C) or SIGTERM.

To resume an already initialized or interrupted reencryption, just run the cryptsetup reencrypt command again to continue the operation. Reencryption may be resumed with a different --resilience or --hotzone-size unless the implicit datashift resilience mode is used (reencrypt --encrypt with the --reduce-device-size option).

If the reencryption process was interrupted abruptly (reencryption process crash, system crash, power-off) it may require recovery. The recovery is currently run automatically on the next activation (action open) when needed.

The optional parameter <new_name> takes effect only with the --encrypt option; it activates the device <new_name> immediately after encryption initialization finishes. That is useful when the device needs to be ready as soon as possible and mounted (used) before encryption of the full data area is completed.

The action supports the following additional <options>: [--encrypt, --decrypt, --device-size, --resilience, --resilience-hash, --hotzone-size, --init-only, --resume-only, --reduce-device-size, --master-key-file, --key-size].
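The following is an added example, not part of the man page, for the encrypt / interrupt / resume flow described above: an existing unencrypted ext4 device is shrunk to make room for the LUKS2 header, encryption is initialized in the datashift mode with --encrypt --reduce-device-size and activated under a new name so it can be mounted at once, and the data phase is then run (and, after any interruption, resumed) with --active-name. A helper reads luksDump output and reports whether a reencryption requirement is still set on the header; the two luksDump excerpts are constructed samples. The device path /dev/sdX1, key file and names are illustrative assumptions, and the procedure is destructive, so it only runs with CRYPTSETUP_DEMO=1 and needs root.

```shell
#!/bin/sh
# Added example (not from the cryptsetup man page). luksDump excerpts are
# constructed; /dev/sdX1, key file and mapping name are assumptions.
set -eu

# reencrypt_pending: read `cryptsetup luksDump` output on stdin; exit 0 when the
# header still carries an online-reencrypt requirement, i.e. the operation was
# initialized or interrupted and has not finished.
reencrypt_pending() {
    awk '/^Requirements:/ && /online-reencrypt/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed header excerpt of a LUKS2 device in the middle of reencryption.
DUMP_IN_PROGRESS='LUKS header information
Version:        2
Epoch:          7
Flags:          (no flags)
Requirements:   online-reencrypt'

# Constructed header excerpt of a LUKS2 device with no pending operation.
DUMP_CLEAN='LUKS header information
Version:        2
Epoch:          3
Flags:          (no flags)'

demo() {
    DEV=/dev/sdX1                    # assumption: existing, unmounted, unencrypted ext4 device
    KEY=/root/demo_reencrypt.key NAME=data MNT=/mnt/data
    head -c 64 /dev/urandom > "$KEY"; chmod 600 "$KEY"

    # Datashift encryption moves the data forward to make room for the LUKS2
    # header, so the filesystem must first give up exactly that much space.
    e2fsck -f "$DEV"
    new_kib=$(( $(blockdev --getsize64 "$DEV") / 1024 - 32 * 1024 ))
    resize2fs "$DEV" "${new_kib}K"

    # Initialize only; <new_name> activates the (still mostly plaintext) device
    # right away so it can be mounted while the data phase runs later.
    cryptsetup reencrypt --encrypt --init-only --reduce-device-size 32M \
        --key-file "$KEY" "$DEV" "$NAME"
    if cryptsetup luksDump "$DEV" | reencrypt_pending; then
        echo "encryption initialized; data area not yet fully encrypted"
    fi
    mkdir -p "$MNT"; mount "/dev/mapper/$NAME" "$MNT"

    # Online data phase against the active mapping. SIGINT (Ctrl+C) or SIGTERM
    # stops it safely; rerunning this same command continues where it stopped.
    cryptsetup reencrypt --resume-only --key-file "$KEY" --active-name "$NAME"

    if ! cryptsetup luksDump "$DEV" | reencrypt_pending; then
        echo "whole data area is now encrypted"
    fi
    umount "$MNT"
    cryptsetup close "$NAME"
}

if [ "${CRYPTSETUP_DEMO:-}" = 1 ]; then demo; fi
```

The reencrypt_pending check is the useful bit for automation: a provisioning script can decide whether to call reencrypt again or simply open the device, and a device that was interrupted by a crash rather than a signal is recovered on that open, as the text above states.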