336 lines
10 KiB
Text
336 lines
10 KiB
Text
= integritysetup(8)
|
|
:doctype: manpage
|
|
:manmanual: Maintenance Commands
|
|
:mansource: integritysetup {release-version}
|
|
:man-linkstyle: pass:[blue R < >]
|
|
|
|
== NAME
|
|
|
|
integritysetup - manage dm-integrity (block level integrity) volumes
|
|
|
|
== SYNOPSIS
|
|
|
|
*integritysetup <action> [<options>] <action args>*
|
|
|
|
== DESCRIPTION
|
|
|
|
Integritysetup is used to configure dm-integrity managed device-mapper
|
|
mappings.
|
|
|
|
Device-mapper integrity target provides read-write transparent integrity
|
|
checking of block devices. The dm-integrity target emulates an additional
|
|
data integrity field per-sector. You can use this additional field
|
|
directly with integritysetup utility, or indirectly (for authenticated
|
|
encryption) through cryptsetup.
|
|
|
|
== BASIC ACTIONS
|
|
|
|
Integritysetup supports these operations:
|
|
|
|
=== FORMAT
|
|
*format <device>*
|
|
|
|
Formats <device> (calculates space and dm-integrity superblock and wipes
|
|
the device).
|
|
|
|
*<options>* can be [--data-device, --batch-mode, --no-wipe,
|
|
--journal-size, --interleave-sectors, --tag-size, --integrity,
|
|
--integrity-key-size, --integrity-key-file, --sector-size,
|
|
--progress-frequency, --progress-json].
|
|
|
|
=== OPEN
|
|
*open <device> <name>* +
|
|
create <name> <device> (*OBSOLETE syntax*)
|
|
|
|
Open a mapping with <name> backed by device <device>.
|
|
|
|
If the integrity algorithm of the device is non-default,
|
|
then the algorithm should be specified with the *--integrity* option.
|
|
This will not be detected from the device.
|
|
|
|
*<options>* can be [--data-device, --batch-mode, --journal-watermark,
|
|
--journal-commit-time, --buffer-sectors, --integrity,
|
|
--integrity-key-size, --integrity-key-file, --integrity-no-journal,
|
|
--integrity-recalculate,
|
|
--integrity-recalculate-reset,--integrity-recovery-mode,
|
|
--allow-discards].
|
|
|
|
=== CLOSE
|
|
*close <name>* +
|
|
remove <name> (*OBSOLETE syntax*)
|
|
|
|
Removes existing mapping <name>.
|
|
|
|
*<options>* can be [--deferred] or [--cancel-deferred]
|
|
|
|
=== STATUS
|
|
*status <name>*
|
|
|
|
Reports status for the active integrity mapping <name>.
|
|
|
|
=== DUMP
|
|
*dump <device>*
|
|
|
|
Reports parameters from on-disk stored superblock.
|
|
|
|
=== RESIZE
|
|
*resize <name>*
|
|
|
|
Resizes an active mapping <name>.
|
|
|
|
If --size (in 512-bytes sectors) or --device-size are not specified, the
|
|
size is computed from the underlying device. After resize, the
|
|
*recalculating* flag is set. If --wipe flag is set and the size of the
|
|
device is increased, the newly added section will be wiped.
|
|
|
|
Increasing the size of integrity volumes is available since the Linux
|
|
kernel version 5.7, shrinking should work on older kernels too.
|
|
|
|
*<options>* can be [--size, --device-size, --wipe].
|
|
|
|
== OPTIONS
|
|
*--allow-discards*::
|
|
Allow the use of discard (TRIM) requests for the device. This option
|
|
is available since the Linux kernel version 5.7.
|
|
|
|
*--batch-mode, -q*::
|
|
Do not ask for confirmation.
|
|
|
|
*--bitmap-flush-time MS*::
|
|
Bitmap flush time in milliseconds.
|
|
+
|
|
*WARNING:*
|
|
In case of a crash, it is possible that the data and integrity tag
|
|
doesn't match if the journal is disabled.
|
|
|
|
*--bitmap-sectors-per-bit SECTORS*::
|
|
Number of 512-byte sectors per bitmap bit, the value must be power of
|
|
two.
|
|
|
|
*--buffer-sectors SECTORS*::
|
|
The number of sectors in one buffer.
|
|
+
|
|
The tag area is accessed using buffers, the large buffer size means that
|
|
the I/O size will be larger, but there could be less I/Os issued.
|
|
|
|
*--cancel-deferred*::
|
|
Removes a previously configured deferred device removal in *close*
|
|
command.
|
|
|
|
*--data-device <data_device>*::
|
|
Specify a separate data device that contains existing data. The
|
|
<device> then will contain calculated integrity tags and journal for
|
|
data on <data_device>.
|
|
+
|
|
*NOTE:* To not wipe the data device after initial format, also specify
|
|
--no-wipe option and activate with --integrity-recalculate to
|
|
automatically recalculate integrity tags.
|
|
|
|
*--debug*::
|
|
Run in debug mode with full diagnostic logs. Debug output lines are
|
|
always prefixed by *#*.
|
|
|
|
*--deferred*::
|
|
Defers device removal in *close* command until the last user closes
|
|
it.
|
|
|
|
*--help, -?*::
|
|
Show help text and default parameters.
|
|
|
|
*--integrity, -I ALGORITHM*::
|
|
Use internal integrity calculation (standalone mode). The integrity
|
|
algorithm can be CRC (crc32c/crc32), non-cryptographic hash function
|
|
(xxhash64) or hash function (sha1, sha256).
|
|
+
|
|
For HMAC (hmac-sha256) you have also to specify an integrity key and its
|
|
size.
|
|
|
|
*--integrity-bitmap-mode. -B*::
|
|
Use alternate bitmap mode (available since Linux kernel 5.2) where
|
|
dm-integrity uses bitmap instead of a journal. If a bit in the bitmap
|
|
is 1, the corresponding region's data and integrity tags are not
|
|
synchronized - if the machine crashes, the unsynchronized regions will
|
|
be recalculated. The bitmap mode is faster than the journal mode,
|
|
because we don't have to write the data twice, but it is also less
|
|
reliable, because if data corruption happens when the machine crashes,
|
|
it may not be detected.
|
|
|
|
*--integrity-key-file FILE*::
|
|
The file with the integrity key.
|
|
|
|
*--integrity-key-size BYTES*::
|
|
The size of the data integrity key. Maximum is 4096 bytes.
|
|
|
|
*--integrity-no-journal, -D*::
|
|
Disable journal for integrity device.
|
|
|
|
*--integrity-recalculate*::
|
|
Automatically recalculate integrity tags in kernel on activation. The
|
|
device can be used during automatic integrity recalculation but
|
|
becomes fully integrity protected only after the background operation
|
|
is finished. This option is available since the Linux kernel version
|
|
4.19.
|
|
|
|
*--integrity-recalculate-reset*::
|
|
Restart recalculation from the beginning of the device. It can be used
|
|
to change the integrity checksum function. Note it does not change the
|
|
tag length. This option is available since the Linux kernel version
|
|
5.13.
|
|
|
|
*--integrity-recovery-mode. -R*::
|
|
Recovery mode (no journal, no tag checking).
|
|
|
|
*--interleave-sectors SECTORS*::
|
|
The number of interleaved sectors.
|
|
|
|
*--journal-commit-time MS*::
|
|
Commit time in milliseconds. When this time passes (and no explicit
|
|
flush operation was issued), the journal is written.
|
|
|
|
*--journal-crypt ALGORITHM*::
|
|
Encryption algorithm for journal data area. You can use a block cipher
|
|
here such as cbc-aes or a stream cipher, for example, chacha20 or
|
|
ctr-aes.
|
|
+
|
|
*NOTE:* The journal encryption options are only intended for testing.
|
|
Using journal encryption does not make sense without encryption of the data.
|
|
|
|
*--journal-crypt-key-file FILE*::
|
|
The file with the journal encryption key.
|
|
|
|
*--journal-crypt-key-size BYTES*::
|
|
The size of the journal encryption key. Maximum is 4096 bytes.
|
|
|
|
*--journal-integrity ALGORITHM*::
|
|
Integrity algorithm for journal area. See --integrity option for
|
|
detailed specification.
|
|
|
|
*--journal-integrity-key-file FILE*::
|
|
The file with the integrity key.
|
|
|
|
*--journal-integrity-key-size BYTES*::
|
|
The size of the journal integrity key. Maximum is 4096 bytes.
|
|
|
|
*--journal-size, -j BYTES*::
|
|
Size of the journal.
|
|
|
|
*--journal-watermark PERCENT*::
|
|
Journal watermark in percents. When the size of the journal exceeds
|
|
this watermark, the journal flush will be started.
|
|
|
|
*--no-wipe*::
|
|
Do not wipe the device after format. A device that is not initially
|
|
wiped will contain invalid checksums.
|
|
|
|
*--progress-frequency <seconds>*::
|
|
Print separate line every <seconds> with wipe progress.
|
|
|
|
*--progress-json*::
|
|
Prints wipe progress data in json format suitable mostly for machine
|
|
processing. It prints separate line every half second (or based on
|
|
--progress-frequency value). The JSON output looks as follows during
|
|
wipe progress (except it's compact single line):
|
|
+
|
|
....
|
|
{
|
|
"device":"/dev/sda", // backing device or file
|
|
"device_bytes":"8192", // bytes wiped so far
|
|
"device_size":"44040192", // total bytes to wipe
|
|
"speed":"126877696", // calculated speed in bytes per second (based on progress so far)
|
|
"eta_ms":"2520012", // estimated time to finish wipe in milliseconds
|
|
"time_ms":"5561235" // total time spent wiping device in milliseconds
|
|
}
|
|
....
|
|
+
|
|
Note on numbers in JSON output: Due to JSON parsers limitations all
|
|
numbers are represented in a string format due to need of full 64bit
|
|
unsigned integers.
|
|
|
|
*--sector-size, -s BYTES*::
|
|
Sector size (power of two: 512, 1024, 2048, 4096).
|
|
|
|
*--tag-size, -t BYTES*::
|
|
Size of the integrity tag per-sector (here the integrity function will
|
|
store authentication tag).
|
|
+
|
|
*NOTE:* The size can be smaller that output size of the hash function,
|
|
in that case only part of the hash will be stored.
|
|
|
|
*--usage*::
|
|
Show short option help.
|
|
|
|
*--verbose, -v*::
|
|
Print more information on command execution.
|
|
|
|
*--version, -V*::
|
|
Show the program version.
|
|
|
|
*--wipe*::
|
|
Wipe the newly allocated area after resize to bigger size. If this
|
|
flag is not set, checksums will be calculated for the data previously
|
|
stored in the newly allocated area.
|
|
|
|
== LEGACY COMPATIBILITY OPTIONS
|
|
|
|
*WARNING:*::
|
|
Do not use these options until you need compatibility with specific
|
|
old kernel.
|
|
|
|
*--integrity-legacy-padding*::
|
|
Use inefficient legacy padding.
|
|
|
|
*--integrity-legacy-hmac*::
|
|
Use old flawed HMAC calculation (also does not protect superblock).
|
|
|
|
*--integrity-legacy-recalculate*::
|
|
Allow insecure recalculating of volumes with HMAC keys (recalculation
|
|
offset in superblock is not protected).
|
|
|
|
== RETURN CODES
|
|
|
|
Integritysetup returns *0* on success and a non-zero value on error.
|
|
|
|
Error codes are: *1* wrong parameters, *2* no permission, *3* out of memory,
|
|
*4* wrong device specified, *5* device already exists or device is busy.
|
|
|
|
== NOTES
|
|
The dm-integrity target is available since Linux kernel version 4.12.
|
|
|
|
Format and activation of an integrity device always require superuser
|
|
privilege because the superblock is calculated and handled in
|
|
dm-integrity kernel target.
|
|
|
|
== EXAMPLES
|
|
|
|
Format the device with default standalone mode (CRC32C):
|
|
|
|
*integritysetup format <device>*
|
|
|
|
Open the device with default parameters:
|
|
|
|
*integritysetup open <device> test*
|
|
|
|
Format the device in standalone mode for use with HMAC(SHA256):
|
|
|
|
*integritysetup format <device> --tag-size 32 --integrity hmac-sha256
|
|
--integrity-key-file <keyfile> --integrity-key-size <key_bytes>*
|
|
|
|
Open (activate) the device with HMAC(SHA256) and HMAC key in file:
|
|
|
|
*integritysetup open <device> test --integrity hmac-sha256
|
|
--integrity-key-file <keyfile> --integrity-key-size <key_bytes>*
|
|
|
|
Dump dm-integrity superblock information:
|
|
|
|
*integritysetup dump <device>*
|
|
|
|
== DM-INTEGRITY ON-DISK FORMAT
|
|
|
|
The on-disk format specification available at
|
|
https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity[*DMIntegrity*] page.
|
|
|
|
== AUTHORS
|
|
|
|
The integritysetup tool is written by mailto:gmazyland@gmail.com[Milan Broz].
|
|
|
|
include::man/common_footer.adoc[]
|