57 lines
2.3 KiB
Text
57 lines
2.3 KiB
Text
= cryptsetup-luksFormat(8)
|
|
:doctype: manpage
|
|
:manmanual: Maintenance Commands
|
|
:mansource: cryptsetup {release-version}
|
|
:man-linkstyle: pass:[blue R < >]
|
|
:COMMON_OPTIONS:
|
|
:ACTION_LUKSFORMAT:
|
|
|
|
== Name
|
|
|
|
cryptsetup-luksFormat - initialize a LUKS partition and set the initial passphrase
|
|
|
|
== SYNOPSIS
|
|
|
|
*cryptsetup _luksFormat_ [<options>] <device> [<key file>]*
|
|
|
|
== DESCRIPTION
|
|
|
|
Initializes a LUKS partition and sets the initial passphrase (for
|
|
key-slot 0), either via prompting or via <key file>. Note that if the
|
|
second argument is present, then the passphrase is taken from the file
|
|
given there, without the need to use the --key-file option. Also note
|
|
that for both forms of reading the passphrase from a file you can give
|
|
'-' as file name, which results in the passphrase being read from stdin
|
|
and the safety-question being skipped.
|
|
|
|
You cannot call luksFormat on a device or filesystem that is mapped or
|
|
in use, e.g., mounted filesystem, used in LVM, active RAID member, etc. The
|
|
device or filesystem has to be un-mounted in order to call luksFormat.
|
|
|
|
To use specific version of LUKS format, use _--type luks1_ or _type luks2_.
|
|
|
|
To use OPAL hardware encryption on a self-encrypting drive, use
|
|
_--hw-opal_ or _--hw-opal-only_. Note that some OPAL drives can require
|
|
a PSID reset (with possible deletion of data) before using the LUKS format
|
|
with OPAL options.
|
|
See _--hw-opal-factory-reset_ option in cryptsetup _erase_ command.
|
|
|
|
*<options>* can be [--hash, --cipher, --verify-passphrase, --key-size,
|
|
--key-slot, --key-file (takes precedence over optional second argument),
|
|
--keyfile-offset, --keyfile-size, --use-random, --use-urandom, --uuid,
|
|
--volume-key-file, --iter-time, --header, --pbkdf-force-iterations,
|
|
--force-password, --disable-locks, --timeout, --type, --offset,
|
|
--align-payload (deprecated)].
|
|
|
|
For LUKS2, additional *<options>* can be [--integrity,
|
|
--integrity-no-wipe, --sector-size, --label, --subsystem, --pbkdf,
|
|
--pbkdf-memory, --pbkdf-parallel, --disable-locks, --disable-keyring,
|
|
--luks2-metadata-size, --luks2-keyslots-size, --keyslot-cipher,
|
|
--keyslot-key-size, --integrity-legacy-padding, --hw-opal, --hw-opal-only].
|
|
|
|
*WARNING:* Doing a luksFormat on an existing LUKS container will make
|
|
all data in the old container permanently irretrievable unless you have a
|
|
header backup.
|
|
|
|
include::man/common_options.adoc[]
|
|
include::man/common_footer.adoc[]
|