surprising frequency. This risk is the result of a trade-off
between security and safety, as LUKS is designed for fast and
secure wiping by just overwriting header and key-slot area.
+
+\fBPreviously used partitions:\fR If a partition was previously used,
+it is a very good idea to wipe filesystem signatures, data, etc. before
+creating a LUKS or plain dm-crypt container on it.
+For a quick removal of filesystem signatures, use "wipefs". Take care
+though that this may not remove everything. In particular md (RAID)
+signatures at the end of a device may survive. It also does not
+remove data. For a full wipe, overwrite the whole partition before
+container creation. If you do not know how to to that, the
+cryptsetup FAQ describes several options.
+
.SH BASIC COMMANDS
The following are valid actions for all supported device types.
Header formatting and TCRYPT header change is not supported, cryptsetup
never changes TCRYPT header on-device.
-TCRYPT extension requires kernel userspace crypto API to be available
-(kernel af_alg and algif_skcipher modules, introduced in Linux kernel 2.6.38).
+TCRYPT extension requires kernel userspace
+crypto API to be available (introduced in Linux kernel 2.6.38).
+If you are configuring kernel yourself, enable
+"User-space interface for symmetric key cipher algorithms" in
+"Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
Because TCRYPT header is encrypted, you have to always provide valid
passphrase and keyfiles.
The \fBtcryptDump\fR command should work for all recognized TCRYPT devices
and doesn't require superuser privilege.
+To map system device (device with boot loader where the whole encrypted
+system resides) use \fB\-\-tcrypt-system\fR option. Use the whole
+device not the system partition as the device parameter.
+
To use hidden header (and map hidden device, if available),
-use \fB\-\-hidden\fR option.
+use \fB\-\-tcrypt-hidden\fR option.
.PP
\fIopen\fR \-\-type tcrypt <device> <name>
.br
.IP
Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping <name>.
-\fB<options>\fR can be [\-\-key-file, \-\-hidden, \-\-readonly,
-\-\-test-passphrase].
+\fB<options>\fR can be [\-\-key-file, \-\-tcrypt-hidden, \-\-tcrypt-system,
+\-\-readonly, \-\-test-passphrase].
The keyfile parameter allows combination of file content with the
passphrase and can be repeated. Note that using keyfiles is compatible
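Review bot: In the added "Previously used partitions" paragraph, "If you do not know how to to that" should read "how to do that". In the TCRYPT part of this hunk, \-\-hidden is replaced by \-\-tcrypt-hidden in both the prose and the open options list, with no word on whether the old spelling is still accepted. Existing scripts that pass \-\-hidden would benefit from a one-line note stating that it was renamed, or that it remains as an alias if that is the case. The bare "+" lines after the new paragraphs also put empty lines into the roff source; .PP would match the surrounding markup.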
This means that if the master key is compromised, the whole device has
to be erased to prevent further access. Use this option carefully.
-\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-hidden].
+\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-tcrypt-hidden,
+\-\-tcrypt-system].
The keyfile parameter allows combination of file content with the
passphrase and can be repeated.
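Review bot: The tcryptDump options list now names \-\-tcrypt-system, but the requirement stated for open ("Use the whole device not the system partition as the device parameter") is not repeated or referenced here. Add a short pointer to that sentence so a user dumping a system-encryption header passes the right device. No visible hunk adds OPTIONS entries for \-\-tcrypt-hidden or \-\-tcrypt-system either; please confirm both are documented there.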
You cannot directly predict real storage encryption speed from it.
For testing block ciphers, this benchmark requires kernel userspace
-crypto API to be available (kernel af_alg and algif_skcipher modules,
-introduced in Linux kernel 2.6.38).
+crypto API to be available (introduced in Linux kernel 2.6.38).
+If you are configuring kernel yourself, enable
+"User-space interface for symmetric key cipher algorithms" in
+"Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
\fB<options>\fR can be [\-\-cipher, \-\-key-size, \-\-hash].
.SH OPTIONS
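Review bot: The replacement text for the benchmark requirement drops the af_alg and algif_skcipher module names and keeps only the CRYPTO_USER_API_SKCIPHER build option. A user on a prebuilt kernel still needs the module names to check whether they are loaded, so consider keeping them in parentheses next to the new .config hint. The same three added sentences also appear verbatim in the TCRYPT paragraph; stating the requirement once and referring to it from the second place would avoid the two copies drifting apart.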
arbitrary device as the ciphertext device for \fIopen\fR
with the \-\-header option. Use with care.
.TP
+.B "\-\-force-password\fR"
+Do not use password quality checking for new LUKS passwords.
+
+This option applies only to \fIluksFormat\fR, \fIluksAddKey\fR and
+\fIluksChangeKey\fR and is ignored if cryptsetup is built without
+password quality checking support.
+
+For more info about password quality check, see manual page
+for \fBpwquality.conf(5)\fR.
+.TP
.B "\-\-version"
Show the program version.
.TP
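Review bot: The \-\-force-password entry says the quality check is skipped but never says what happens without the option when a new passphrase fails the check, that is, whether luksFormat, luksAddKey and luksChangeKey reject it or only warn. State that behaviour in one sentence so readers understand what they are overriding, and mention that skipping the check allows weak passphrases on the new key-slot. Two markup nits: the trailing \fR inside .B "\-\-force-password\fR" is redundant (compare .B "\-\-version" just below), and the bare "+" lines inside the .TP body insert empty lines where .PP or .sp is normally used.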