using ctrl+c) but you need to retain temporary files named LUKS-<uuid>.[log|org|new].
LUKS device is unavailable until reencryption is finished though.
+Current working directory must by writable and temporary
+files created during reencryption must be present.
+
For more info about LUKS see cryptsetup(8).
.PP
.SH OPTIONS
.B "\-\-cipher, \-c" \fI<cipher-spec>\fR
Set the cipher specification string.
.TP
+.B "\-\-key-size, \-s \fI<bits>\fR"
+Set key size in bits. The argument has to be a multiple of 8.
+
+The possible key-sizes are limited by the cipher and mode used.
+
+If you are increasing key size, there must be enough space in the LUKS header
+for enlarged keyslots (data offset must be large enough) or reencryption
+cannot be performed.
+
+If there is not enough space for keyslots with new key size,
+you can destructively shrink device with \-\-reduce-device-size option.
+.TP
.B "\-\-hash, \-h \fI<hash-spec>\fR"
Specifies the hash used in the LUKS key setup scheme and volume key digest.
.TP
.TP
.B "\-\-key-file, \-d \fIname\fR"
Read the passphrase from file.
-.br
+
WARNING: \-\-key-file option can be used only if there only one active keyslot,
or alternatively, also if \-\-key-slot option is specified (then all other keyslots
will be disabled in new LUKS device).
-If this option is not used, cryptswtup-reencrypt will ask for all active keyslot
+If this option is not used, cryptsetup-reencrypt will ask for all active keyslot
passphrases.
.TP
.B "\-\-key-slot, \-S <0-7>"
Specify which key slot is used.
-.br
+
WARNING: All other keyslots will be disabled if this option is used.
.TP
.B "\-\-keyfile-offset \fIvalue\fR"
.TP
.B "\-\-block-size, \-B \fIvalue\fR"
Use re-encryption block size of <value> in MiB.
-.br
+
Values can be between 1 and 64 MiB.
.TP
+.B "\-\-device-size \fIsize[units]\fR"
+Instead of real device size, use specified value.
+
+It means that only specified area (from the start of the device
+to the specified size) will be reencrypted.
+
+WARNING: This is destructive operation.
+
+If no unit suffix is specified, the size is in bytes.
+
+Unit suffix can be S for 512 byte sectors, K/M/G/T (or KiB,MiB,GiB,TiB)
+for units with 1024 base or KB/MB/GB/TB for 1000 base (SI scale).
+
+WARNING: This is destructive operation.
+.TP
+.B "\-\-reduce-device-size \fIsize[units]\fR"
+Enlarge data offset to specified value by shrinking device size.
+
+This means that last sectors on the original device will be lost,
+ciphertext data will be effectively shifted by specified
+number of sectors.
+
+It can be usefull if you e.g. added some space to underlying
+partition (so last sectors contains no data).
+
+For units suffix see \-\-device-size parameter description.
+
+WARNING: This is destructive operation and cannot be reverted.
+Use with extreme care - shrinked filesystems are usually unrecoverable.
+
+You cannot shrink device more than by 64 MiB (131072 sectors).
+.TP
+.B "\-\-new, N"
+Create new header (encrypt not yet encrypted device).
+
+This option must be used together with \-\-reduce-device-size.
+
+WARNING: This is destructive operation and cannot be reverted.
+
+.TP
.B "\-\-use-directio"
Use direct-io (O_DIRECT) for all read/write data operations.
-.br
+
Usefull if direct-io operations perform better than normal buffered
operations (e.g. in virtual environments).
.TP
Error codes are: 1 wrong parameters, 2 no permission,
3 out of memory, 4 wrong device specified, 5 device already exists
or device is busy.
+.SH EXAMPLES
+.TP
+Reencrypt /dev/sdb1 (change volume key)
+cryptsetup-reencrypt /dev/sdb1
+.TP
+Reencrypt and also change cipher and cipher mode
+cryptsetup-reencrypt /dev/sdb1 -c aes-xts-plain64
+.TP
+Add LUKS encryption to not yet encrypted device
+
+First, be sure you have space added to disk.
+Or alternatively shrink filesystem in advance.
+.br
+Here we need 4096 512-bytes sectors (enough for 2x128 bit key).
+
+fdisk -u /dev/sdb # move sdb1 partition end + 4096 sectors
+
+cryptsetup-reencrypt /dev/sdb1 --new --reduce-device-size 4096
+
.SH REPORTING BUGS
Report bugs, including ones in the documentation, on
the cryptsetup mailing list at <dm-crypt@saout.de>
projects / platform / upstream / cryptsetup.git / blobdiff