UNIX ON-LINE Man Pages - Die Onlinehilfe

Die Syntax von Unixbefehlen wird in den entsprechenden Manpages dokumentiert. Hier können Sie diese Onlinehilfe für viele Standardbefehle abrufen.

Suchoptionen:
Seiten auflisten, welche beginnen mit:
A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   P   Q   R   S   T   U   V   W   X   Y   Z   ALPHA   NUM   ANDERE   ALLE
CRYPTSETUP(8)                Maintenance Commands                CRYPTSETUP(8)

NAME
       cryptsetup  -  setup cryptographic volumes for dm-crypt (including LUKS
       extension)

SYNOPSIS
       cryptsetup <options> <action> <action args>

DESCRIPTION
       cryptsetup is used to conveniently setup dm-crypt managed device-mapper
       mappings.   For  basic (plain) dm-crypt mappings, there are four opera-
       tions.

ACTIONS
       These strings are valid for <action>, followed by their <action args>:

       create <name> <device>

              creates a mapping with <name> backed by device <device>.

              <options> can be [--hash, --cipher, --verify-passphrase,  --key-
              file, --key-size, --offset, --skip, --readonly]

       remove <name>

              removes an existing mapping <name>.

       status <name>

              reports the status for the mapping <name>.

       resize <name>

              resizes an active mapping <name>.

              If  --size (in sectors) is not specified, the size of the under-
              lying block device is used.

LUKS EXTENSION
       LUKS, Linux Unified Key Setup, is a standard for hard disk  encryption.
       It  standardizes  a partition header, as well as the format of the bulk
       data. LUKS can manage multiple passwords, that can  be  revoked  effec-
       tively and that are protected against dictionary attacks with PBKDF2.

       These are valid LUKS actions:

       luksFormat <device> [<key file>]

              initializes  a  LUKS  partition and sets the initial key, either
              via prompting or via <key file>.

              <options> can  be  [--cipher,  --verify-passphrase,  --key-size,
              --key-slot,  --key-file  (takes  precedence over optional second
              argument)].

       luksOpen <device> <name>

              opens the LUKS partition <device> and sets up a  mapping  <name>
              after  successful  verification  of  the  supplied  key material
              (either via key file by --key-file, or via prompting).

              <options> can be [--key-file, --readonly].

       luksClose <name>

              identical to remove.

       luksSuspend <name>

              suspends active device (all IO operations are frozen) and  wipes
              encryption  key  from  kernel. Kernel version 2.6.19 or later is
              required.

              After that operation you have to  use  luksResume  to  reinstate
              encryption key (and resume device) or luksClose to remove mapped
              device.

              WARNING: never try to suspend device  where  is  the  cryptsetup
              binary itself.

       luksResume <name>

              Resumes suspended device and reinstates encryption key. You will
              need provide passphrase identical  to  luksOpen  command  (using
              prompting or key file).

              <options> can be [--key-file]

       luksAddKey <device> [<new key file>]

              add  a  new  key  file/passphrase. An existing passphrase or key
              file (via --key-file) must be supplied.  The key file  with  the
              new material is supplied as a positional argument.

              <options> can be [--key-file, --key-slot].

       luksRemoveKey <device> [<key file>]

              remove supplied key or key file from LUKS device

       luksKillSlot <device> <key slot number>

              wipe  key  with  number <key slot> from LUKS device. A remaining
              passphrase or key file (via --key-file) must be supplied.

              <options> can be [--key-file].

       luksDelKey <device> <key slot number>

              identical to luksKillSlot, but deprecated action name.

       luksUUID <device>

              print UUID, if <device> has a LUKS header.

       isLuks <device>

              returns true, if <device> is a LUKS partition. Otherwise, false.

       luksDump <device>

              dumps the header information of a LUKS partition.

       luksHeaderBackup <device> --header-backup-file <file>

              Stores binary backup of LUKS header and keyslot areas.

              WARNING:  Please  note  that  with  this  backup  file  (and old
              passphrase  knowledge)  you  can  decrypt  data  even   if   old
              passphrase was wiped from real device.

              Also note that anti-forensic splitter is not used during manipu-
              lation with backup file.

       luksHeaderRestore <device> --header-backup-file <file>

              Restores binary backup of LUKS header  and  keyslot  areas  from
              specified file.

              WARNING:  All  the  keyslot  areas  are overwritten, only active
              keyslots form backup file are available after issuing this  com-
              mand.

              This  command  allows  restoring header if device do not contain
              LUKS header or if the master key size and data  offset  in  LUKS
              header on device match the backup file.

       For  more  information  about LUKS, see http://code.google.com/p/crypt-
       setup/wiki/Specification

OPTIONS
       --verbose, -v
              Print more verbose messages.

       --debug
              Run in debug mode with full diagnostic logs.

       --hash, -h
              For create action specifies hash to use for password hashing.

              For luksFormat action specifies hash  used  in  LUKS  key  setup
              scheme and volume key digest.

              WARNING:  setting hash other than sha1 causes LUKS device incom-
              patible with older version of cryptsetup.

              The hash string is passed to libgcrypt, so all  hashes  accepted
              by  gcrypt  are  supported.   Default is set during compilation,
              compatible values with old version of cryptsetup are "ripemd160"
              for create action and "sha1" for luksFormat.

              Use cryptsetup --help to show defaults.

       --cipher, -c
              set cipher specification string.

              Default  mode  is  configurable  during compilation, you can see
              compiled-in default using cryptsetup --help.   If  not  changed,
              the  default  is  for plain dm-crypt and LUKS mappings "aes-cbc-
              essiv:sha256".

              For pre-2.6.10 kernels, use "aes-plain" as they don't understand
              the  new  cipher  spec  strings.  To  use  ESSIV,  use "aes-cbc-
              essiv:sha256".

              For XTS mode, kernel version 2.6.24 or more recent is  required.
              Use "aes-xts-plain" cipher specification and set key size to 256
              (or 512) bits (see -s option).

       --verify-passphrase, -y
              query for passwords twice. Useful when creating a (regular) map-
              ping for the first time, or when running luksFormat.

       --key-file, -d
              use file as key material.

              With  LUKS, key material supplied in key files via -d are always
              used for existing passphrases, except in luksFormat action where
              -d  is  equivalent to positional key file argument.  If you want
              to set a new key via a key file, you have to  use  a  positional
              arg to luksAddKey.

              If  the  key  file  is "-", stdin will be used. With the "-" key
              file reading will not stop when new line character is  detected.
              See section NOTES ON PASSWORD PROCESSING for more information.

       --master-key-file
              Use  pre-generated  master key stored in file. For luksFormat it
              allows LUKS header reformatting with the same master key (if all
              other  parameters  are  the same existing encrypted data remains
              intact).

              For luksAddKey it allows adding new passphrase with only  master
              key knowledge.

       --key-slot, -S
              For  LUKS  operations that add key material, this options allows
              to you specify which key slot is selected for the new key.  This
              option can be used for luksFormat and luksAddKey.

       --key-size, -s
              set key size in bits.

              Has  to  be a multiple of 8 bits. The key size is limited by the
              used cipher. See output of /proc/crypto  for  more  information.
              Can  be  used  for  create or luksFormat, all other LUKS actions
              will use key-size specified by the LUKS header.  Default is  set
              during compilation, if not changed it is 256 bits.

              Use cryptsetup --help to show defaults.

              For  luksOpen this option specifies number of bits read from the
              key-file (default is exhaustive read from key-file).

       --size, -b
              force the size of the underlying device in sectors.  This option
              is only relevant for create and resize action.

       --offset, -o
              start  offset  in the backend device.  This option is only rele-
              vant for create action.

       --skip, -p
              how many sectors of the encrypted data to skip at the beginning.
              This  is  different from the --offset options with respect to IV
              calculations. Using --offset will shift the  IV  calculation  by
              the same negative amount. Hence, if --offset n, sector n will be
              the first sector on the mapping with IV 0.  Using  --skip  would
              have  resulted in sector n being the first sector also, but with
              IV n.  This option is only relevant for create action.

       --readonly
              set up a read-only mapping.

       --iter-time, -i
              The number of milliseconds to spend with  PBKDF2  password  pro-
              cessing.  This option is only relevant to the LUKS operations as
              luksFormat or luksAddKey.

       --batch-mode, -q
              Do not ask for confirmation. Use with care! This option is  only
              relevant    for   luksFormat,   luksAddKey,   luksRemoveKey   or
              luksKillSlot.

       --timeout, -t
              The number of seconds to wait before  timeout.  This  option  is
              relevant  every time a password is asked, like create, luksOpen,
              luksFormat or luksAddKey. It has no effect if used  in  conjunc-
              tion with --key-file.

       --tries, -T
              How  often  the  input  of the passphrase shall be retried. This
              option is relevant every time a password is asked, like  create,
              luksOpen, luksFormat or luksAddKey. The default is 3 tries.

       --align-payload=value
              Align  payload  at  a  boundary  of value 512-byte sectors. This
              option is relevant for luksFormat.  If your block  device  lives
              on  a  RAID, it is useful to align the filesystem at full stripe
              boundaries so it can take advantage of the RAID's geometry.  See
              for instance the sunit and swidth options in the mkfs.xfs manual
              page. By default, the payload is aligned at an  8  sector  (4096
              byte) boundary.

       --version
              Show the version.

NOTES ON PASSWORD PROCESSING
       From a terminal: Password processing is new-line sensitive, meaning the
       reading will stop after encountering \n. It will process the read mate-
       rial  (without  newline)  with  the  default  hash or the hash given by
       --hash. After hashing, it will be cropped to the key size given by  -s.

       From  stdin: Reading will continue until EOF (so using e.g. /dev/random
       as stdin will not work), with the trailing newline stripped. After that
       the read data will be hashed with the default hash or the hash given by
       --hash and the result will be cropped to the keysize given  by  -s.  If
       "plain"  is used as an argument to the hash option, the input data will
       not be hashed.  Instead, it will be zero padded (if  shorter  than  the
       keysize) or truncated (if longer than the keysize) and used directly as
       the key. No warning will be given if the amount of data read from stdin
       is less than the keysize.

       From  a  key file: It will be cropped to the size given by -s. If there
       is insufficient key material in the key file, cryptsetup will quit with
       an error.

       If  --key-file=-  is  used  for reading the key from stdin, no trailing
       newline is stripped from the input.  Without  that  option,  cryptsetup
       strips trailing newlines from stdin input.

NOTES ON PASSWORD PROCESSING FOR LUKS
       LUKS  uses PBKDF2 to protect against dictionary attacks (see RFC 2898).

       LUKS will always do an exhaustive password reading. Hence, password can
       not  be  read from /dev/random, /dev/zero or any other stream that does
       not terminate.

       For any password creation action (luksAddKey, or luksFormat), the  user
       may  specify  how much the time the password processing should consume.
       Increasing the time will lead to a more secure password, but also  will
       take  luksOpen longer to complete. The default setting of one second is
       sufficient for good security.

INCOHERENT BEHAVIOUR FOR INVALID PASSWORDS/KEYS
       LUKS checks for a valid password or key when an encrypted partition  is
       unlocked.  Thus the luksOpen action fails with invalid password or key,
       contrary to the plain dm-crypt create action.

       Please also be sure that you are using the same keyboard  and  language
       setting as during device format.

NOTES ON SUPPORTED CIPHERS, MODES, HASHES AND KEY SIZES
       The  available  combinations  of  ciphers,  modes, hashes and key sizes
       depend on kernel support. See /proc/crypto  for  a  list  of  available
       options.  You  might  need  to load additional kernel crypto modules in
       order to get more options.

       For --hash option all algorithms supported by gcrypt library are avail-
       able.

NOTES ON PASSWORDS
       Mathematics  can't  be  bribed. Make sure you keep your passwords safe.
       There are a few nice tricks for constructing a fallback, when  suddenly
       out  of  (or  after being) blue, your brain refuses to cooperate. These
       fallbacks are possible with LUKS, as it's only possible  with  LUKS  to
       have multiple passwords.

AUTHORS
       cryptsetup is written by Christophe Saout <christophe@saout.de>
       LUKS  extensions,  and  man  page  by Clemens Fruhwirth <clemens@endor-
       phin.org>

COMPATABILITY WITH OLD SUSE TWOFISH PARTITIONS
       To read images created with SuSE Linux 9.2's  loop_fish2  use  --cipher
       twofish-cbc-null  -s  256 -h sha512, for images created with even older
       SuSE Linux use --cipher twofish-cbc-null -s 192 -h ripemd160:20

DEPRECATED ACTIONS
       reload <name> <device>

              modifies an active mapping <name>. Same options as  for  create.
              WARNING:  Do not use this for LUKS devices, as the semantics are
              identical to the create action, which are  totally  incompatible
              with the LUKS key setup.

              This  action is deprected because it proved to be rarely useful.
              It is uncommon to change the underlying device, key,  or  offset
              on  the  fly. In case, you really want to do this, you certainly
              know what you are doing and then you  are  probably  better  off
              with  the swiss knive tool for device mapper, namely dmsetup. It
              provides you with the same functionality, see dmsetup reload.

       luksDelKey <device> <key slot number>

              identical to luksKillSlot,  but  deprecated  action  name.  This
              option  was  renamed,  as  we introduced luksRemoveKey, a softer
              method for disabling password slots. To make a clear distinction
              that luksDelKey was more brutal than luksRemoveKey

       --non-exclusive

              This  option  is ignored. Non-exclusive access to the same block
              device can cause data corruption thus this  mode  is  no  longer
              supported by cryptsetup.

REPORTING BUGS
       Report  bugs  to <dm-crypt@saout.de> or Issues section on LUKS website.
       Please attach output of failed command with added --debug option.

COPYRIGHT
       Copyright (C) 2004 Christophe Saout
       Copyright (C) 2004-2006 Clemens Fruhwirth
       Copyright (C) 2009-2010 Red Hat, Inc.

       This is free software; see the source for copying conditions.  There is
       NO  warranty;  not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.

SEE ALSO
       dm-crypt website, http://www.saout.de/misc/dm-crypt/

       LUKS website, http://code.google.com/p/cryptsetup/

       dm-crypt TWiki, http://www.saout.de/tikiwiki/tiki-index.php

cryptsetup                                                       CRYPTSETUP(8)
 

Scannen Sie den Barcode um die Webseite zu öffnen


Quelle: http://www.trinler.net/de/service/doc/linux/man.html?command=cryptsetup
Gedruckt am: 17.12.2017 15:04 GMT+0100 (2017-12-17T15:04:40+01:00)