Cryptsetup


Manage plain dm-crypt and LUKS encrypted volumes.

Usage

cryptsetup [OPTION...] <action> <action-specific>

Flags

      --version                         Print package version
  -v, --verbose                         Shows more detailed error messages
      --debug                           Show debug messages
      --debug-json                      Show debug messages including JSON
                                        metadata
  -c, --cipher=STRING                   The cipher used to encrypt the disk
                                        (see /proc/crypto)
  -h, --hash=STRING                     The hash used to create the encryption
                                        key from the passphrase
  -y, --verify-passphrase               Verifies the passphrase by asking for
                                        it twice
  -d, --key-file=STRING                 Read the key from a file
      --master-key-file=STRING          Read the volume (master) key from file.
      --dump-master-key                 Dump volume (master) key instead of
                                        keyslots info
  -s, --key-size=BITS                   The size of the encryption key
  -l, --keyfile-size=bytes              Limits the read from keyfile
      --keyfile-offset=bytes            Number of bytes to skip in keyfile
      --new-keyfile-size=bytes          Limits the read from newly added
                                        keyfile
      --new-keyfile-offset=bytes        Number of bytes to skip in newly added
                                        keyfile
  -S, --key-slot=INT                    Slot number for new key (default is
                                        first free)
  -b, --size=SECTORS                    The size of the device
      --device-size=bytes               Use only specified device size (ignore
                                        rest of device). DANGEROUS!
  -o, --offset=SECTORS                  The start offset in the backend device
  -p, --skip=SECTORS                    How many sectors of the encrypted data
                                        to skip at the beginning
  -r, --readonly                        Create a readonly mapping
  -q, --batch-mode                      Do not ask for confirmation
  -t, --timeout=secs                    Timeout for interactive passphrase
                                        prompt (in seconds)
      --progress-frequency=secs         Progress line update (in seconds)
  -T, --tries=INT                       How often the input of the passphrase
                                        can be retried
      --align-payload=SECTORS           Align payload at <n> sector boundaries
                                        - for luksFormat
      --header-backup-file=STRING       File with LUKS header and keyslots
                                        backup
      --use-random                      Use /dev/random for generating volume
                                        key
      --use-urandom                     Use /dev/urandom for generating volume
                                        key
      --shared                          Share device with another
                                        non-overlapping crypt segment
      --uuid=STRING                     UUID for device to use
      --allow-discards                  Allow discards (aka TRIM) requests for
                                        device
      --header=STRING                   Device or file with separated LUKS
                                        header
      --test-passphrase                 Do not activate device, just check
                                        passphrase
      --tcrypt-hidden                   Use hidden header (hidden TCRYPT
                                        device)
      --tcrypt-system                   Device is system TCRYPT drive (with
                                        bootloader)
      --tcrypt-backup                   Use backup (secondary) TCRYPT header
      --veracrypt                       Scan also for VeraCrypt compatible
                                        device
      --veracrypt-pim=INT               Personal Iteration Multiplier for
                                        VeraCrypt compatible device
      --veracrypt-query-pim             Query Personal Iteration Multiplier
                                        for VeraCrypt compatible device
  -M, --type=STRING                     Type of device metadata: luks, luks1,
                                        luks2, plain, loopaes, tcrypt
      --force-password                  Disable password quality check (if
                                        enabled)
      --perf-same_cpu_crypt             Use dm-crypt same_cpu_crypt
                                        performance compatibility option
      --perf-submit_from_crypt_cpus     Use dm-crypt submit_from_crypt_cpus
                                        performance compatibility option
      --deferred                        Device removal is deferred until the
                                        last user closes it
      --serialize-memory-hard-pbkdf     Use global lock to serialize memory
                                        hard PBKDF (OOM workaround)
  -i, --iter-time=msecs                 PBKDF iteration time for LUKS (in ms)
      --pbkdf=STRING                    PBKDF algorithm (for LUKS2): argon2i,
                                        argon2id, pbkdf2
      --pbkdf-memory=kilobytes          PBKDF memory cost limit
      --pbkdf-parallel=threads          PBKDF parallel cost
      --pbkdf-force-iterations=LONG     PBKDF iterations cost (forced,
                                        disables benchmark)
      --priority=STRING                 Keyslot priority: ignore, normal,
                                        prefer
      --disable-locks                   Disable locking of on-disk metadata
      --disable-keyring                 Disable loading volume keys via kernel
                                        keyring
  -I, --integrity=STRING                Data integrity algorithm (LUKS2 only)
      --integrity-no-journal            Disable journal for integrity device
      --integrity-no-wipe               Do not wipe device after format
      --token-only                      Do not ask for passphrase if
                                        activation by token fails
      --token-id=INT                    Token number (default: any)
      --key-description=STRING          Key description
      --sector-size=INT                 Encryption sector size (default: 512
                                        bytes)
      --persistent                      Set activation flags persistent for
                                        device
      --label=STRING                    Set label for the LUKS2 device
      --subsystem=STRING                Set subsystem label for the LUKS2
                                        device
      --unbound                         Create unbound (no assigned data
                                        segment) LUKS2 keyslot
      --json-file=STRING                Read or write the json from or to a
                                        file
      --luks2-metadata-size=bytes       LUKS2 header metadata area size
      --luks2-keyslots-size=bytes       LUKS2 header keyslots area size
      --refresh                         Refresh (reactivate) device with new
                                        parameters
      --keyslot-key-size=BITS           LUKS2 keyslot: The size of the
                                        encryption key
      --keyslot-cipher=STRING           LUKS2 keyslot: The cipher used for
                                        keyslot encryption
      --encrypt                         Encrypt LUKS2 device (in-place
                                        encryption).
      --decrypt                         Decrypt LUKS2 device (remove
                                        encryption).
      --init-only                       Initialize LUKS2 reencryption in
                                        metadata only.
      --resume-only                     Resume initialized LUKS2 reencryption
                                        only.
      --reduce-device-size=bytes        Reduce data device size (move data
                                        offset). DANGEROUS!
      --hotzone-size=bytes              Maximal reencryption hotzone size.
      --resilience=STRING               Reencryption hotzone resilience type
                                        (checksum,journal,none)
      --resilience-hash=STRING          Reencryption hotzone checksums hash
      --active-name=STRING              Override device autodetection of dm
                                        device to be reencrypted

Help options:
  -?, --help                            Show this help message
      --usage                           Display brief usage

<action> is one of:
    open <device> [--type <type>] [<name>] - open device as <name>
    close <name> - close device (remove mapping)
    resize <name> - resize active device
    status <name> - show device status
    benchmark [--cipher <cipher>] - benchmark cipher
    repair <device> - try to repair on-disk metadata
    reencrypt <device> - reencrypt LUKS2 device
    erase <device> - erase all keyslots (remove encryption key)
    convert <device> - convert LUKS from/to LUKS2 format
    config <device> - set permanent configuration options for LUKS2
    luksFormat <device> [<new key file>] - formats a LUKS device
    luksAddKey <device> [<new key file>] - add key to LUKS device
    luksRemoveKey <device> [<key file>] - removes supplied key or key file from LUKS device
    luksChangeKey <device> [<key file>] - changes supplied key or key file of LUKS device
    luksConvertKey <device> [<key file>] - converts a key to new pbkdf parameters
    luksKillSlot <device> <key slot> - wipes key with number <key slot> from LUKS device
    luksUUID <device> - print UUID of LUKS device
    isLuks <device> - tests <device> for LUKS partition header
    luksDump <device> - dump LUKS partition information
    tcryptDump <device> - dump TCRYPT device information
    luksSuspend <device> - Suspend LUKS device and wipe key (all IOs are frozen)
    luksResume <device> - Resume suspended LUKS device
    luksHeaderBackup <device> - Backup LUKS device header and keyslots
    luksHeaderRestore <device> - Restore LUKS device header and keyslots
    token <add|remove|import|export> <device> - Manipulate LUKS2 tokens

You can also use old <action> syntax aliases:
    open: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen
    close: remove (plainClose), luksClose, loopaesClose, tcryptClose

<name> is the device to create under /dev/mapper
<device> is the encrypted device
<key slot> is the LUKS key slot number to modify
<key file> optional key file for the new key for luksAddKey action

Default compiled-in metadata format is LUKS2 (for luksFormat action).

Default compiled-in key and passphrase parameters:
    Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF for LUKS1: pbkdf2, iteration time: 2000 (ms)
Default PBKDF for LUKS2: argon2i
    Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4

Default compiled-in device cipher parameters:
    loop-AES: aes, Key 256 bits
    plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
    LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
    LUKS: Default keysize with XTS mode (two internal keys) will be doubled.

Examples

Check for encrypted partitions

Find partitions on the system.

$ lsblk

NAME            MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda               8:0    0 465.8G  0 disk  
├─sda1            8:1    0   498M  0 part  /boot/efi
├─sda2            8:2    0     4G  0 part  /recovery
├─sda3            8:3    0 457.3G  0 part  
│ └─cryptdata   253:0    0 457.3G  0 crypt
│   └─data-root 253:1    0 457.3G  0 lvm   /
└─sda4            8:4    0     4G  0 part  
  └─cryptswap   253:2    0     4G  0 crypt [SWAP]

When the partition entered but it’s not encrypted, the following occurs.

$ sudo cryptsetup -v isLuks /dev/sda1

Command failed with code -1 (wrong or missing parameters).

When the partition entered is indeed encrypted, the following occurs.

$ sudo cryptsetup -v isLuks /dev/sda3

Command successful.

Change current LUSK passphrase

sudo cryptsetup luksChangeKey <device>

URL List