-.TH CRYPTSETUP "8" "March 2005" "cryptsetup 1.0.3" "Maintainance Commands"
+.TH CRYPTSETUP "8" "March 2005" "cryptsetup" "Maintenance Commands"
.SH NAME
cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension)
.SH SYNOPSIS
dumps the header information of a LUKS partition. No options.
.PP
-For more information about LUKS, see \fBhttp://luks.endorphin.org\fR
+For more information about LUKS, see \fBhttp://code.google.com/p/cryptsetup/wiki/Specification\fR
.SH OPTIONS
.TP
.B "\-\-hash, \-h"
-specifies hash to use for password hashing. This option is only relevant for the "create" action. The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported. Default is "ripemd160".
+For \fIcreate\fR action specifies hash to use for password hashing.
+
+For \fIluksFormat\fR action specifies hash used in LUKS key setup scheme and volume key digest.
+
+\fBWARNING:\fR setting hash other than \fBsha1\fR causes LUKS device incompatible with older version of cryptsetup.
+
+The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported.
+Default is \fB"ripemd160"\fR for \fIcreate\fR action and \fB"sha1"\fR for \fIluksFormat\fR.
.TP
.B "\-\-cipher, \-c"
-set cipher specification string. Usually, this is "aes-cbc-plain". For pre-2.6.10 kernels, use "aes-plain" as they don't understand the new cipher spec strings. To use ESSIV, use "aes-cbc-essiv:sha256".
+set cipher specification string. For plain dm-crypt mappings, the default is "aes-cbc-plain", for LUKS mappings it's "aes-cbc-essiv:sha256". For pre-2.6.10 kernels, use "aes-plain" as they don't understand the new cipher spec strings. To use ESSIV, use "aes-cbc-essiv:sha256".
+
+For XTS mode, kernel version 2.6.24 or more recent is required. Use "aes-xts-plain" cipher specification and set key size to 256 (or 512) bits (see \-s option).
.TP
.B "\-\-verify-passphrase, \-y"
query for passwords twice. Useful when creating a (regular) mapping for the first time, or when running \fIluksFormat\fR.
If the key file is "-", stdin will be used. This is different from how cryptsetup usually reads from stdin. See section \fBNOTES ON PASSWORD PROCESSING\fR for more information.
.TP
.B "\-\-key-slot, \-S"
-For LUKS operations that add key material, this options allows to you specify which key slot is selected for the new key. This option can be used for luksFormat and luksAddKey.
+For LUKS operations that add key material, this options allows to you specify which key slot is selected for the new key. This option can be used for \fIluksFormat\fR and \fIluksAddKey\fR.
.TP
.B "\-\-key-size, \-s"
-set key size in bits. Has to be a multiple of 8 bits. The key size is limited by the used cipher. See output of /proc/crypto for more information. Can be used for \fIcreate\fR or \fIluksFormat\fR, all other LUKS actions will ignore this flag, as the key-size is specified by the partition header. Default is 128.
+set key size in bits. Has to be a multiple of 8 bits. The key size is limited by the used cipher. See output of /proc/crypto for more information. Can be used for \fIcreate\fR or \fIluksFormat\fR, all other LUKS actions will use key-size specified by the LUKS header. Default is 128 for \fIluksFormat\fR and 256 for \fIcreate\fR.
+
+For \fIluksOpen\fR this option specifies number of bits read from the key-file (default is exhaustive read from key-file).
.TP
.B "\-\-size, \-b"
force the size of the underlying device in sectors.
+This option is only relevant for \fIcreate\fR and \fIresize\fR action.
.TP
.B "\-\-offset, \-o"
start offset in the backend device.
+This option is only relevant for \fIcreate\fR action.
.TP
.B "\-\-skip, \-p"
how many sectors of the encrypted data to skip at the beginning. This is different from the \-\-offset options with respect to IV calculations. Using \-\-offset will shift the IV calculation by the same negative amount. Hence, if \-\-offset \fIn\fR, sector \fIn\fR will be the first sector on the mapping with IV \fI0\fR. Using \-\-skip would have resulted in sector \fIn\fR being the first sector also, but with IV \fIn\fR.
+This option is only relevant for \fIcreate\fR action.
.TP
.B "\-\-readonly"
set up a read-only mapping.
The number of milliseconds to spend with PBKDF2 password processing. This option is only relevant to the LUKS operations as \fIluksFormat\fR or \fIluksAddKey\fR.
.TP
.B "\-\-batch-mode, \-q"
-Do not ask for confirmation. This option is only relevant for \fIluksFormat\fR.
+Do not ask for confirmation. Use with care! This option is only relevant for \fIluksFormat\fR,\fIluksAddKey\fR,\fIluksRemoveKey\fR or \fIluksKillSlot\fR.
.TP
.B "\-\-timeout, \-t"
The number of seconds to wait before timeout. This option is relevant every time a password is asked, like \fIcreate\fR, \fIluksOpen\fR, \fIluksFormat\fR or \fIluksAddKey\fR. It has no effect if used in conjunction with \-\-key-file.
Show the version.
.SH NOTES ON PASSWORD PROCESSING
-\fIFrom a file descriptor or a terminal\fR: Password processing is new-line sensitive, meaning the reading will stop after encountering \\n. It will process the read material (without newline) with the default hash or the hash given by \-\-hash. After hashing, it will be cropped to the key size given by \-s (default 256 bits).
+\fIFrom a file descriptor or a terminal\fR: Password processing is new-line sensitive, meaning the reading will stop after encountering \\n. It will process the read material (without newline) with the default hash or the hash given by \-\-hash. After hashing, it will be cropped to the key size given by \-s.
-\fIFrom stdin\fR: Reading will continue until EOF (so using e.g. /dev/random as stdin will not work), with the trailing newline stripped. After that the read data will be hashed with the default hash or the hash given by \-\-hash and the result will be cropped to the keysize given by \-s (default 256 bits). If "plain" is used as an argument to the hash option, the input data will not be hashed. Instead it will be zero padded (if shorter than the keysize) or truncated (if longer than the keysize) and used directly as the key.
+\fIFrom stdin\fR: Reading will continue until EOF (so using e.g. /dev/random as stdin will not work), with the trailing newline stripped. After that the read data will be hashed with the default hash or the hash given by \-\-hash and the result will be cropped to the keysize given by \-s. If "plain" is used as an argument to the hash option, the input data will not be hashed.
Instead, it will be zero padded (if shorter than the keysize) or truncated (if longer than the keysize) and used directly as the key. No warning will be given if the amount of data read from stdin is less than the keysize.
\fIFrom a key file\fR: It will be cropped to the size given by \-s. If there is insufficient key material in the key file, cryptsetup will quit with an error.
For any password creation action (luksAddKey, or luksFormat), the user may specify how much the time the password processing should consume.
Increasing the time will lead to a more secure password, but also will take luksOpen longer to complete. The default setting of one second is sufficient for good security.
.SH NOTES ON PASSWORDS
-Mathematic can't be bribed. Make sure you keep your passwords safe. There are a few nice tricks for constructing a fallback, when suddenly out of (or after being) blue, your brain refuses to cooperate. These fallbacks are possible with LUKS, as it's only possible with LUKS to have multiple passwords.
+Mathematics can't be bribed. Make sure you keep your passwords safe. There are a few nice tricks for constructing a fallback, when suddenly out of (or after being) blue, your brain refuses to cooperate. These fallbacks are possible with LUKS, as it's only possible with LUKS to have multiple passwords.
.SH AUTHORS
cryptsetup is written by Christophe Saout <christophe@saout.de>
.br
dm-crypt website, \fBhttp://www.saout.de/misc/dm-crypt/\fR
-LUKS website, \fBhttp://luks.endorphin.org\fR
+LUKS website, \fBhttp://code.google.com/p/cryptsetup/\fR
dm-crypt TWiki, \fBhttp://www.saout.de/tikiwiki/tiki-index.php\fR
projects / platform / upstream / cryptsetup.git / blobdiff