+Dump the header information of a LUKS device.
+
+If the \-\-dump-master-key option is used, the LUKS device master key is
+dumped instead of the keyslot info. Beware that the master key cannot be
+changed and can be used to decrypt the data stored in the LUKS container
+without a passphrase and even without the LUKS header. This means
+that if the master key is compromised, the whole device has to be
+erased to prevent further access. Use this option carefully.
+
+In order to dump the master key, a passphrase has to be supplied,
+either interactively or via \-\-key-file.
+
+\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file,
+\-\-keyfile-offset, \-\-keyfile-size].
+
+\fBWARNING:\fR If \-\-dump-master-key is used with \-\-key-file
+and the argument to \-\-key-file is '-', no validation question
+will be asked and no warning given.
+.PP
+\fIluksHeaderBackup\fR <device> \-\-header-backup-file <file>
+.IP
+Stores a binary backup of the LUKS header and keyslot area.
+.br
+Note: Using '-' as filename writes the header backup to a file named '-'.
+
+\fBWARNING:\fR This backup file and a passphrase valid
+at the time of backup allows decryption of the
+LUKS data area, even if the passphrase was later changed or
+removed from the LUKS device. Also note that with a header
+backup you lose the ability to securely wipe the LUKS
+device by just overwriting the header and key-slots. You
+either need to securely erase all header backups in
+addition or overwrite the encrypted data area as well.
+The second option is less secure, as some sectors
+can survive, e.g. due to defect management.
+.PP
+\fIluksHeaderRestore\fR <device> \-\-header-backup-file <file>
+.IP
+Restores a binary backup of the LUKS header and keyslot area
+from the specified file.
+.br
+Note: Using '-' as filename reads the header backup from a file named '-'.
+
+\fBWARNING:\fR Header and keyslots will be replaced, only
+the passphrases from the backup will work afterwards.
+
+This command requires that the master key size and data offset
+of the LUKS header already on the device and of the header backup
+match. Alternatively, if there is no LUKS header on the device,
+the backup will also be written to it.
+.SH loop-AES EXTENSION
+cryptsetup supports mapping loop-AES encrypted partition using
+a compatibility mode.
+.PP
+\fIopen\fR \-\-type loopaes <device> <name> \-\-key-file <keyfile>
+.br
+\fIloopaesOpen\fR <device> <name> \-\-key-file <keyfile> (\fBold syntax\fR)
+.IP
+Opens the loop-AES <device> and sets up a mapping <name>.
+
+If the key file is encrypted with GnuPG, then you have to use
+\-\-key-file=- and decrypt it before use, e.g. like this:
+.br
+gpg \-\-decrypt <keyfile> | cryptsetup loopaesOpen \-\-key-file=- <device> <name>
+
+Use \fB\-\-keyfile-size\fR to specify the proper key length if needed.
+
+Use \fB\-\-offset\fR to specify device offset. Note that the units
+need to be specified in number of 512 byte sectors.
+
+Use \fB\-\-skip\fR to specify the IV offset. If the original device
+used an offset and but did not use it in IV sector calculations,
+you have to explicitly use \fB\-\-skip 0\fR in addition to the offset
+parameter.
+
+Use \fB\-\-hash\fR to override the default hash function for
+passphrase hashing (otherwise it is detected according to key
+size).
+
+\fB<options>\fR can be [\-\-key-file, \-\-key-size, \-\-offset, \-\-skip,
+\-\-hash, \-\-readonly, \-\-allow-discards].
+.PP
+See also section 7 of the FAQ and \fBhttp://loop-aes.sourceforge.net\fR
+for more information regarding loop-AES.
+.SH TCRYPT (TrueCrypt-compatible) EXTENSION
+cryptsetup supports mapping of TrueCrypt or tcplay encrypted partition
+using a native Linux kernel API.
+Header formatting and TCRYPT header change is not supported, cryptsetup
+never changes TCRYPT header on-device.
+
+TCRYPT extension requires kernel userspace
+crypto API to be available (introduced in Linux kernel 2.6.38).
+If you are configuring kernel yourself, enable
+"User-space interface for symmetric key cipher algorithms" in
+"Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
+
+Because TCRYPT header is encrypted, you have to always provide valid
+passphrase and keyfiles.
+
+Cryptsetup should recognize all header variants, except legacy cipher chains
+using LRW encryption mode with 64 bits encryption block (namely Blowfish
+in LRW mode is not recognized, this is limitation of kernel crypto API).
+
+\fBNOTE:\fR Activation with \fBtcryptOpen\fR is supported only for cipher chains
+using LRW or XTS encryption modes.
+
+The \fBtcryptDump\fR command should work for all recognized TCRYPT devices
+and doesn't require superuser privilege.
+
+To map system device (device with boot loader where the whole encrypted
+system resides) use \fB\-\-tcrypt-system\fR option. Use the whole
+device not the system partition as the device parameter.
+
+To use hidden header (and map hidden device, if available),
+use \fB\-\-tcrypt-hidden\fR option.
+.PP
+\fIopen\fR \-\-type tcrypt <device> <name>
+.br
+\fItcryptOpen\fR <device> <name> (\fBold syntax\fR)
+.IP
+Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping <name>.
+
+\fB<options>\fR can be [\-\-key-file, \-\-tcrypt-hidden, \-\-tcrypt-system,
+\-\-readonly, \-\-test-passphrase].
+
+The keyfile parameter allows combination of file content with the
+passphrase and can be repeated. Note that using keyfiles is compatible
+with TCRYPT and is different from LUKS keyfile logic.
+.PP
+\fItcryptDump\fR <device>
+.IP
+Dump the header information of a TCRYPT device.
+
+If the \-\-dump-master-key option is used, the TCRYPT device master key is
+dumped instead of TCRYPT header info. Beware that the master key
+(or concatenated master keys if cipher chain is used)
+can be used to decrypt the data stored in the TCRYPT container without
+a passphrase.
+This means that if the master key is compromised, the whole device has
+to be erased to prevent further access. Use this option carefully.
+
+\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-tcrypt-hidden,
+\-\-tcrypt-system].
+
+The keyfile parameter allows combination of file content with the
+passphrase and can be repeated.