cryptsetup | Kali Linux Tools (2024)

cryptsetup

Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support.

Cryptsetup is backwards compatible with the on-disk format of cryptoloop, but also supports more secure formats. This package includes support for automatically configuring encrypted devices at boot time via the config file /etc/crypttab. Additional features are cryptoroot support through initramfs-tools and several supported ways to read a passphrase or key.

This package provides the cryptdisks_start and _stop wrappers, as well as luksformat.

Installed size: 439 KB
How to install: sudo apt install cryptsetup

Dependencies:
  • cryptsetup-bin
  • debconf | debconf-2.0
  • dmsetup
  • libc6

cryptdisks_start

Wrapper around cryptsetup that parses /etc/crypttab.

root@kali:~# cryptdisks_start -h
Usage: /usr/sbin/cryptdisks_start [-r|--readonly] <name> [.. <name>]
reads /etc/crypttab and starts the mapping corresponding to <name>

cryptdisks_stop

Wrapper around cryptsetup that parses /etc/crypttab.

root@kali:~# cryptdisks_stop -h
Stopping crypto disk...-h (stopped)...done.

luksformat

Create and format an encrypted LUKS device

root@kali:~# luksformat -h
luksformat - Create and format an encrypted LUKS device
Usage: luksformat [-t <file system>] <device> [ mkfs options ]

cryptsetup-bin

Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support.

This package provides the cryptsetup, integritysetup and veritysetup utilities.

Installed size: 2.38 MB
How to install: sudo apt install cryptsetup-bin

Dependencies:
  • libblkid1
  • libc6
  • libcryptsetup12
  • libpopt0
  • libuuid1

cryptsetup

Manage plain dm-crypt, LUKS, and other encrypted volumes

root@kali:~# cryptsetup --help
cryptsetup 2.7.2 flags: UDEV BLKID KEYRING KERNEL_CAPI HW_OPAL
Usage: cryptsetup [OPTION...] <action> <action-specific>

Help options:
  -?, --help  Show this help message
  --usage  Display brief usage
  -V, --version  Print package version
  --active-name=STRING  Override device autodetection of dm device to be reencrypted
  --align-payload=SECTORS  Align payload at <n> sector boundaries - for luksFormat
  --allow-discards  Allow discards (aka TRIM) requests for device
  -q, --batch-mode  Do not ask for confirmation
  --cancel-deferred  Cancel a previously set deferred device removal
  -c, --cipher=STRING  The cipher used to encrypt the disk (see /proc/crypto)
  --debug  Show debug messages
  --debug-json  Show debug messages including JSON metadata
  --decrypt  Decrypt LUKS2 device (remove encryption)
  --deferred  Device removal is deferred until the last user closes it
  --device-size=bytes  Use only specified device size (ignore rest of device), DANGEROUS!
  --disable-blkid  Disable blkid on-disk signature detection and wiping
  --disable-external-tokens  Disable loading of external LUKS2 token plugins
  --disable-keyring  Disable loading volume keys via kernel keyring
  --disable-locks  Disable locking of on-disk metadata
  --disable-veracrypt  Do not scan for VeraCrypt compatible device
  --dump-json-metadata  Dump info in JSON format (LUKS2 only)
  --dump-volume-key  Dump volume key instead of keyslots info
  --encrypt  Encrypt LUKS2 device (in-place encryption)
  --external-tokens-path=STRING  Path to directory with external token handlers (plugins).
  --force-password  Disable password quality check (if enabled)
  --force-offline-reencrypt  Force offline LUKS2 reencryption and bypass active device detection
  -h, --hash=STRING  The hash used to create the encryption key from the passphrase
  --header=STRING  Device or file with separated LUKS header
  --header-backup-file=STRING  File with LUKS header and keyslots backup
  --hotzone-size=bytes  Maximal reencryption hotzone size
  --hw-opal  Use HW OPAL encryption together with SW encryption
  --hw-opal-factory-reset  Wipe WHOLE OPAL disk on luksErase
  --hw-opal-only  Use only HW OPAL encryption
  --init-only  Initialize LUKS2 reencryption in metadata only
  -I, --integrity=STRING  Data integrity algorithm (LUKS2 only)
  --integrity-legacy-padding  Use inefficient legacy padding (old kernels)
  --integrity-no-journal  Disable journal for integrity device
  --integrity-no-wipe  Do not wipe device after format
  -i, --iter-time=msecs  PBKDF iteration time for LUKS (in ms)
  --iv-large-sectors  Use IV counted in sector size (not in 512 bytes)
  --json-file=STRING  Read or write the json from or to a file
  --keep-key  Do not change volume key
  --key-description=STRING  Key description
  -d, --key-file=STRING  Read the key from a file
  -s, --key-size=BITS  The size of the encryption key
  -S, --key-slot=INT  Slot number for new key (default is first free)
  --keyfile-offset=bytes  Number of bytes to skip in keyfile
  -l, --keyfile-size=bytes  Limits the read from keyfile
  --keyslot-cipher=STRING  LUKS2 keyslot: The cipher used for keyslot encryption
  --keyslot-key-size=BITS  LUKS2 keyslot: The size of the encryption key
  --label=STRING  Set label for the LUKS2 device
  --link-vk-to-keyring=STRING  Set keyring where to link volume key
  --luks2-keyslots-size=bytes  LUKS2 header keyslots area size
  --luks2-metadata-size=bytes  LUKS2 header metadata area size
  --new-keyfile=STRING  Read the key for a new slot from a file
  --new-keyfile-offset=bytes  Number of bytes to skip in newly added keyfile
  --new-keyfile-size=bytes  Limits the read from newly added keyfile
  --new-key-slot=INT  Slot number for new key (default is first free)
  --new-token-id=INT  Token number (default: any)
  -o, --offset=SECTORS  The start offset in the backend device
  --pbkdf=STRING  PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2
  --pbkdf-force-iterations=LONG  PBKDF iterations cost (forced, disables benchmark)
  --pbkdf-memory=kilobytes  PBKDF memory cost limit
  --pbkdf-parallel=threads  PBKDF parallel cost
  --perf-no_read_workqueue  Bypass dm-crypt workqueue and process read requests synchronously
  --perf-no_write_workqueue  Bypass dm-crypt workqueue and process write requests synchronously
  --perf-same_cpu_crypt  Use dm-crypt same_cpu_crypt performance compatibility option
  --perf-submit_from_crypt_cpus  Use dm-crypt submit_from_crypt_cpus performance compatibility option
  --persistent  Set activation flags persistent for device
  --priority=STRING  Keyslot priority: ignore, normal, prefer
  --progress-json  Print progress data in json format (suitable for machine processing)
  --progress-frequency=secs  Progress line update (in seconds)
  -r, --readonly  Create a readonly mapping
  --reduce-device-size=bytes  Reduce data device size (move data offset), DANGEROUS!
  --refresh  Refresh (reactivate) device with new parameters
  --resilience=STRING  Reencryption hotzone resilience type (checksum,journal,none)
  --resilience-hash=STRING  Reencryption hotzone checksums hash
  --resume-only  Resume initialized LUKS2 reencryption only
  --sector-size=INT  Encryption sector size (default: 512 bytes)
  --serialize-memory-hard-pbkdf  Use global lock to serialize memory hard PBKDF (OOM workaround)
  --shared  Share device with another non-overlapping crypt segment
  -b, --size=SECTORS  The size of the device
  -p, --skip=SECTORS  How many sectors of the encrypted data to skip at the beginning
  --subsystem=STRING  Set subsystem label for the LUKS2 device
  --test-args  Do not run action, just validate all command line parameters
  --test-passphrase  Do not activate device, just check passphrase
  -t, --timeout=secs  Timeout for interactive passphrase prompt (in seconds)
  --token-id=INT  Token number (default: any)
  --token-only  Do not ask for passphrase if activation by token fails
  --token-replace  Replace the current token
  --token-type=STRING  Restrict allowed token types used to retrieve LUKS2 key
  --tcrypt-backup  Use backup (secondary) TCRYPT header
  --tcrypt-hidden  Use hidden header (hidden TCRYPT device)
  --tcrypt-system  Device is system TCRYPT drive (with bootloader)
  -T, --tries=INT  How often the input of the passphrase can be retried
  -M, --type=STRING  Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk
  --unbound  Create or dump unbound LUKS2 keyslot (unassigned to data segment) or LUKS2 token (unassigned to keyslot)
  --use-random  Use /dev/random for generating volume key
  --use-urandom  Use /dev/urandom for generating volume key
  --uuid=STRING  UUID for device to use
  --veracrypt  Scan also for VeraCrypt compatible device
  --veracrypt-pim=INT  Personal Iteration Multiplier for VeraCrypt compatible device
  --veracrypt-query-pim  Query Personal Iteration Multiplier for VeraCrypt compatible device
  -v, --verbose  Shows more detailed error messages
  -y, --verify-passphrase  Verifies the passphrase by asking for it twice
  --volume-key-file=STRING  Use the volume key from file
  --volume-key-keyring=STRING  Use the specified keyring key as a volume key
  -B, --block-size=MiB  Reencryption block size
  -N, --new  Create new header on not encrypted device
  --use-directio  Use direct-io when accessing devices
  --use-fsync  Use fsync after each block
  --write-log  Update log file after every block
  --dump-master-key  Alias for --dump-volume-key
  --master-key-file=STRING  Alias for --dump-volume-key-file

<action> is one of:
  open <device> [--type <type>] [<name>] - open device as <name>
  close <name> - close device (remove mapping)
  resize <name> - resize active device
  status <name> - show device status
  benchmark [--cipher <cipher>] - benchmark cipher
  repair <device> - try to repair on-disk metadata
  reencrypt <device> - reencrypt LUKS2 device
  erase <device> - erase all keyslots (remove encryption key)
  convert <device> - convert LUKS from/to LUKS2 format
  config <device> - set permanent configuration options for LUKS2
  luksFormat <device> [<new key file>] - formats a LUKS device
  luksAddKey <device> [<new key file>] - add key to LUKS device
  luksRemoveKey <device> [<key file>] - removes supplied key or key file from LUKS device
  luksChangeKey <device> [<key file>] - changes supplied key or key file of LUKS device
  luksConvertKey <device> [<key file>] - converts a key to new pbkdf parameters
  luksKillSlot <device> <key slot> - wipes key with number <key slot> from LUKS device
  luksUUID <device> - print UUID of LUKS device
  isLuks <device> - tests <device> for LUKS partition header
  luksDump <device> - dump LUKS partition information
  tcryptDump <device> - dump TCRYPT device information
  bitlkDump <device> - dump BITLK device information
  fvault2Dump <device> - dump FVAULT2 device information
  luksSuspend <device> - Suspend LUKS device and wipe key (all IOs are frozen)
  luksResume <device> - Resume suspended LUKS device
  luksHeaderBackup <device> - Backup LUKS device header and keyslots
  luksHeaderRestore <device> - Restore LUKS device header and keyslots
  token <add|remove|import|export> <device> - Manipulate LUKS2 tokens

You can also use old <action> syntax aliases:
  open: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open
  close: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close

<name> is the device to create under /dev/mapper
<device> is the encrypted device
<key slot> is the LUKS key slot number to modify
<key file> optional key file for the new key for luksAddKey action

Default compiled-in metadata format is LUKS2 (for luksFormat action).

LUKS2 external token plugin support is enabled.
LUKS2 external token plugin path: /usr/lib/x86_64-linux-gnu/cryptsetup.

Default compiled-in key and passphrase parameters:
  Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF for LUKS1: pbkdf2, iteration time: 2000 (ms)
Default PBKDF for LUKS2: argon2id
  Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4

Default compiled-in device cipher parameters:
  loop-AES: aes, Key 256 bits
  plain: aes-xts-plain64, Key: 256 bits, Password hashing: sha256
  LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
  LUKS: Default keysize with XTS mode (two internal keys) will be doubled.

integritysetup

Manage dm-integrity (block level integrity) volumes

root@kali:~# integritysetup --help
integritysetup 2.7.2 flags: UDEV BLKID KEYRING KERNEL_CAPI HW_OPAL
Usage: integritysetup [OPTION...] <action> <action-specific>

Help options:
  -?, --help  Show this help message
  --usage  Display brief usage
  -V, --version  Print package version
  --allow-discards  Allow discards (aka TRIM) requests for device
  -q, --batch-mode  Do not ask for confirmation
  --buffer-sectors=SECTORS  Buffers size
  --bitmap-flush-time=ms  Bitmap mode flush time
  --bitmap-sectors-per-bit=INT  Number of 512-byte sectors per bit (bitmap mode)
  --cancel-deferred  Cancel a previously set deferred device removal
  --data-device=path  Path to data device (if separated)
  --debug  Show debug messages
  --deferred  Device removal is deferred until the last user closes it
  --device-size=bytes  Use only specified device size (ignore rest of device), DANGEROUS!
  --disable-blkid  Disable blkid on-disk signature detection and wiping
  -I, --integrity=STRING  Data integrity algorithm
  -B, --integrity-bitmap-mode  Use bitmap to track changes and disable journal for integrity device
  --integrity-key-file=STRING  Read the integrity key from a file
  --integrity-key-size=BITS  The size of the data integrity key
  --integrity-legacy-padding  Use inefficient legacy padding (old kernels)
  --integrity-legacy-hmac  Do not protect superblock with HMAC (old kernels)
  --integrity-legacy-recalculate  Allow recalculating of volumes with HMAC keys (old kernels)
  -D, --integrity-no-journal  Disable journal for integrity device
  --integrity-recalculate  Recalculate initial tags automatically
  --integrity-recalculate-reset  Reset automatic recalculate position
  -R, --integrity-recovery-mode  Recovery mode (no journal, no tag checking)
  --interleave-sectors=SECTORS  Interleave sectors
  --journal-commit-time=ms  Journal commit time
  --journal-integrity=STRING  Journal integrity algorithm
  --journal-integrity-key-size=BITS  The size of the journal integrity key
  --journal-integrity-key-file=STRING  Read the journal integrity key from a file
  --journal-crypt=STRING  Journal encryption algorithm
  --journal-crypt-key-file=STRING  Read the journal encryption key from a file
  --journal-crypt-key-size=BITS  The size of the journal encryption key
  -j, --journal-size=bytes  Journal size
  --journal-watermark=percent  Journal watermark
  --no-wipe  Do not wipe device after format
  --progress-frequency=secs  Progress line update (in seconds)
  --progress-json  Print wipe progress data in json format (suitable for machine processing)
  -s, --sector-size=bytes  Sector size
  -b, --size=SECTORS  The size of the device
  -t, --tag-size=bytes  Tag size (per-sector)
  -v, --verbose  Shows more detailed error messages
  --wipe  Wipe the end of the device after resize

<action> is one of:
  format <integrity_device> - format device
  open <integrity_device> <name> - open device as <name>
  close <name> - close device (remove mapping)
  status <name> - show active device status
  dump <integrity_device> - show on-disk information
  resize <name> - resize active device

<name> is the device to create under /dev/mapper
<integrity_device> is the device containing data with integrity tags

Default compiled-in dm-integrity parameters:
  Checksum algorithm: crc32c
  Maximum keyfile size: 4kB

veritysetup

Manage dm-verity (block level verification) volumes

root@kali:~# veritysetup --help
veritysetup 2.7.2 flags: UDEV BLKID KEYRING KERNEL_CAPI HW_OPAL
Usage: veritysetup [OPTION...] <action> <action-specific>

Help options:
  -?, --help  Show this help message
  --usage  Display brief usage
  -V, --version  Print package version
  --cancel-deferred  Cancel a previously set deferred device removal
  --check-at-most-once  Verify data block only the first time it is read
  --data-block-size=bytes  Block size on the data device
  --data-blocks=blocks  The number of blocks in the data file
  --debug  Show debug messages
  --deferred  Device removal is deferred until the last user closes it
  --fec-device=path  Path to device with error correction data
  --fec-offset=bytes  Starting offset on the FEC device
  --fec-roots=bytes  FEC parity bytes
  --format=number  Format type (1 - normal, 0 - original Chrome OS)
  -h, --hash=string  Hash algorithm
  --hash-block-size=bytes  Block size on the hash device
  --hash-offset=bytes  Starting offset on the hash device
  --ignore-corruption  Ignore corruption, log it only
  --ignore-zero-blocks  Do not verify zeroed blocks
  --no-superblock  Do not use verity superblock
  --panic-on-corruption  Panic kernel if corruption is detected
  --restart-on-corruption  Restart kernel if corruption is detected
  --root-hash-file=STRING  Path to root hash file
  --root-hash-signature=STRING  Path to root hash signature file
  -s, --salt=hex string  Salt
  --use-tasklets  Use kernel tasklets for performance
  --uuid=STRING  UUID for device to use
  -v, --verbose  Shows more detailed error messages

<action> is one of:
  format <data_device> <hash_device> - format device
  verify <data_device> <hash_device> [<root_hash>] - verify device
  open <data_device> <name> <hash_device> [<root_hash>] - open device as <name>
  close <name> - close device (remove mapping)
  status <name> - show active device status
  dump <hash_device> - show on-disk information

<name> is the device to create under /dev/mapper
<data_device> is the data device
<hash_device> is the device containing verification data
<root_hash> hash of the root node on <hash_device>

Default compiled-in dm-verity parameters:
  Hash: sha256, Data block (bytes): 4096, Hash block (bytes): 4096, Salt size: 32, Hash format: 1

cryptsetup-initramfs

Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support.

This package provides initramfs integration for cryptsetup.

Installed size: 121 KB
How to install: sudo apt install cryptsetup-initramfs

Dependencies:
  • busybox | busybox-static
  • cryptsetup
  • debconf | debconf-2.0
  • initramfs-tools | linux-initramfs-tool

cryptsetup-ssh

Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support.

This package provides the cryptsetup-ssh(8) utility and an SSH token plugin which can be used to unlock LUKS2 devices using a remote keyfile hosted on a system accessible through SSH. This is currently an experimental feature and mostly serves as a demonstration of the plugin interface API.

Installed size: 117 KB
How to install: sudo apt install cryptsetup-ssh

Dependencies:
  • libc6
  • libcryptsetup12
  • libjson-c5
  • libpopt0
  • libssh-4

cryptsetup-ssh

Manage LUKS2 SSH token

root@kali:~# cryptsetup-ssh --help
Usage: cryptsetup-ssh [OPTION...] <action> <device>
Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected
to an SSH server

Options for the 'add' action:
  --external-tokens-path=STRING  Path to directory containinig libcryptsetup external tokens
  --key-slot=NUM  Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase.
  --ssh-keypath=STRING  Path to the SSH key for connecting to the remote server
  --ssh-path=STRING  Path to the key file on the remote server
  --ssh-server=STRING  IP address/URL of the remote server for this token
  --ssh-user=STRING  Username used for the remote server

Generic options:
  --debug  Show debug messages
  --debug-json  Show debug messages including JSON metadata
  -v, --verbose  Shows more detailed error messages
  -?, --help  Give this help list
  --usage  Give a short usage message
  -V, --version  Print program version

This plugin currently allows only adding a token to an existing key slot.

Specified SSH server must contain a key file on the specified path with a
passphrase for an existing key slot on the device.

Provided credentials will be used by cryptsetup to get the password when
opening the device using the token.

Note: The information provided when adding the token (SSH server address, user
and paths) will be stored in the LUKS2 header in plaintext.

cryptsetup-suspend

Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support.

This package provides suspend mode integration for cryptsetup. It takes care of removing LUKS master key from memory before system suspend.

Please note that the suspend mode integration is limited to LUKS devices and requires systemd. Moreover, this is an early implementation and may not be as mature as the other cryptsetup-* packages yet.

Installed size: 96 KB
How to install: sudo apt install cryptsetup-suspend

Dependencies:
  • cryptsetup-initramfs
  • initramfs-tools-core
  • kbd
  • libc6
  • libcryptsetup12
  • systemd

libcryptsetup-dev

Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support.

This package provides the libcryptsetup development files.

Installed size: 175 KB
How to install: sudo apt install libcryptsetup-dev

Dependencies:
  • libblkid-dev
  • libcryptsetup12
  • libdevmapper-dev
  • libjson-c-dev
  • libssl-dev
  • uuid-dev

libcryptsetup12

Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support.

This package provides the libcryptsetup shared library.

Installed size: 644 KB
How to install: sudo apt install libcryptsetup12

Dependencies:
  • libblkid1
  • libc6
  • libdevmapper1.02.1
  • libjson-c5
  • libssl3t64
  • libuuid1

Updated on: 2024-Aug-06

Article information

Author: Msgr. Benton Quitzon
