Diffstat (limited to 'man/common_options.adoc')
-rw-r--r-- man/common_options.adoc | 85
1 files changed, 81 insertions, 4 deletions
diff --git a/man/common_options.adoc b/man/common_options.adoc
index 56a6e29..497d7fd 100644
--- a/man/common_options.adoc
+++ b/man/common_options.adoc
@@ -131,8 +131,14 @@ ifdef::ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY[]
The passphrase supplied via --key-file is always the passphrase for existing
keyslot requested by the command.
+
+ifdef::ACTION_LUKSADDKEY[]
If you want to set a new passphrase via key file, you have to use a
positional argument or parameter --new-keyfile.
+endif::[]
+ifdef::ACTION_LUKSCHANGEKEY[]
+If you want to set a new passphrase via key file, you have to use a
+positional argument.
+endif::[]
+
endif::[]
ifdef::ACTION_OPEN[]
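Review bot: the two new conditional blocks repeat the sentence "If you want to set a new passphrase via key file, you have to use a positional argument" and differ only in the tail "or parameter --new-keyfile"; consider keeping the shared sentence outside the conditionals and wrapping just that tail in `ifdef::ACTION_LUKSADDKEY[]`. While touching these lines, "via key file" reads better as "via a key file", and the context sentence above, "the passphrase for existing keyslot", wants "the existing keyslot".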
@@ -153,6 +159,16 @@ If this option is not used, cryptsetup will ask for all active keyslot
passphrases.
endif::[]
endif::[]
+ifdef::ACTION_ERASE[]
+*--key-file, -d* _name_ *(LUKS2 with HW OPAL only)*::
+
+Read the Admin PIN or PSID (with --hw-opal-factory-reset) from file
+depending on options used.
++
+If the name given is "-", then the secret will be read from stdin.
+In this case, reading will not stop at newline characters.
++
+endif::[]
ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSFORMAT,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_LUKSREMOVEKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_LUKSKILLSLOT,ACTION_LUKSDUMP,ACTION_REENCRYPT,ACTION_REPAIR,ACTION_BITLKDUMP[]
*--keyfile-offset* _value_::
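Review bot: the trailing `+` line before `endif::[]` is a list continuation with nothing following it; drop it, otherwise it may render as an empty block. "Read the Admin PIN or PSID (with --hw-opal-factory-reset) from file depending on options used" should spell out which option selects which secret, e.g. "Read the Admin PIN from the file; with --hw-opal-factory-reset, read the PSID instead." The stdin sentence (reading does not stop at newline characters) matches the existing --key-file semantics and should stay worded identically to that entry.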
@@ -229,6 +245,19 @@ partially predictable volume key which will compromise security.
endif::[]
endif::[]
+ifdef::ACTION_OPEN,ACTION_LUKSRESUME,ACTION_LUKSADDKEY[]
+*--volume-key-keyring* _<key description>_::
+Use a volume key stored in a keyring.
+This allows one to open _luks_ and device types without giving a passphrase.
+The key and associated type has to be readable from userspace so that volume
+key digest may be verified in before activation.
++
+The _<key description>_ uses keyctl-compatible syntax. This can either be a
+numeric key ID or a string name in the format _%<key type>:<key name>_. See
+also *KEY IDENTIFIERS* section of *keyctl*(1). When no _%<key type>:_ prefix
+is specified we assume the key type is _user_ (default type).
+endif::[]
+
ifdef::ACTION_LUKSDUMP[]
*--dump-json-metadata*::
For _luksDump_ (LUKS2 only) this option prints content of LUKS2 header
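Review bot: "This allows one to open _luks_ and device types" is missing the second device type after "and", and "The key and associated type has to be readable from userspace so that volume key digest may be verified in before activation" should read "The key and its associated type have to be readable from userspace so that the volume key digest can be verified before activation." Because the option is also enabled for ACTION_LUKSADDKEY, "open" is inaccurate there; "activate the device or add a key" covers both. Since a user-type key that is readable from userspace exposes the volume key to any process with read permission on it, a sentence recommending restricted key permissions (keyctl setperm) or a session/process keyring would help readers use this safely.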
@@ -476,7 +505,8 @@ You can see all PBKDF parameters for particular LUKS2 keyslot with
*NOTE:* If you do not want to use benchmark and want to specify all
parameters directly, use _--pbkdf-force-iterations_ with
_--pbkdf-memory_ and _--pbkdf-parallel_. This will override the values
-without benchmarking. Note it can cause extremely long unlocking time.
+without benchmarking. Note it can cause extremely long unlocking time
+or cause out-of-memory conditions with unconditional process termination.
Use only in specific cases, for example, if you know that the formatted
device will be used on some small embedded system.
+
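Review bot: "Note it can cause extremely long unlocking time or cause out-of-memory conditions" repeats "cause"; "Note it can cause extremely long unlocking times or out-of-memory conditions with unconditional process termination" reads better. The note would be more useful if it said why: the memory cost fixed at format time must be available on every system that later unlocks the device, including an initramfs. Also, the `+` added after "embedded system." is a list continuation; confirm the following paragraph is meant to stay inside this option's description rather than start a new entry.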
@@ -670,7 +700,7 @@ endif::[]
ifndef::ACTION_BENCHMARK,ACTION_BITLKDUMP[]
*--header <device or file storing the LUKS header>*::
-ifndef::ACTION_OPEN[]
+ifndef::ACTION_OPEN,ACTION_ERASE[]
Use a detached (separated) metadata device or file where the LUKS
header is stored. This option allows one to store ciphertext and LUKS
header on different devices.
@@ -693,7 +723,7 @@ FAQ for header size calculation.
The --align-payload option is taken as absolute sector alignment on ciphertext
device and can be zero.
endif::[]
-ifndef::ACTION_LUKSFORMAT,ACTION_OPEN[]
+ifndef::ACTION_LUKSFORMAT,ACTION_OPEN,ACTION_ERASE[]
For commands that change the LUKS header (e.g. _luksAddKey_),
specify the device or file with the LUKS header directly as the LUKS
device.
@@ -713,6 +743,9 @@ decryption operation continues as if the ordinary detached header was passed.
*WARNING:* Never put exported header file in a filesystem on top of device
you are about to decrypt! It would cause a deadlock.
endif::[]
+ifdef::ACTION_ERASE[]
+Use to specify detached LUKS2 header when erasing HW OPAL enabled data device.
+endif::[]
endif::[]
ifdef::ACTION_LUKSHEADERBACKUP,ACTION_LUKSHEADERRESTORE[]
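Review bot: "Use to specify detached LUKS2 header when erasing HW OPAL enabled data device" is missing articles and, because ACTION_ERASE is now excluded from the general detached-header paragraphs earlier in this file, it is the only --header description the erase page shows; suggest "Specify the detached LUKS2 header of the HW OPAL enabled data device to be erased." and a short reminder that the header must be the one belonging to that device.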
@@ -720,6 +753,19 @@ ifdef::ACTION_LUKSHEADERBACKUP,ACTION_LUKSHEADERRESTORE[]
Specify file with header backup file.
endif::[]
+ifdef::ACTION_LUKSFORMAT[]
+*--hw-opal*::
+Format LUKS2 device with dm-crypt encryption stacked on top HW based encryption configured
+on SED OPAL locking range. This option enables both SW and HW based data encryption.
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT[]
+*--hw-opal-only*::
+Format LUKS2 device with HW based encryption configured on SED OPAL locking range only. LUKS2
+format only manages locking range unlock key. This option enables HW based data encryption managed
+by SED OPAL drive only.
+endif::[]
+
ifdef::ACTION_REENCRYPT[]
*--force-offline-reencrypt (LUKS2 only)*::
Bypass active device auto-detection and enforce offline reencryption.
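Review bot: the two consecutive `ifdef::ACTION_LUKSFORMAT[]` blocks for *--hw-opal* and *--hw-opal-only* can be merged into a single conditional. "stacked on top HW based encryption" should read "stacked on top of HW-based encryption". For *--hw-opal-only* the trust consequence deserves an explicit sentence: LUKS2 then manages only the locking range unlock key, and data confidentiality rests entirely on the drive's OPAL implementation, with no dm-crypt layer to fall back on if that implementation is flawed; stating this, as the --pbkdf NOTE states its risk, helps readers choose between the two options.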
@@ -757,6 +803,11 @@ Removes a previously configured deferred device removal in _close_
command.
endif::[]
+ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
+*--disable-blkid*::
+Disable use of blkid library for checking and wiping on-disk signatures.
+endif::[]
+
ifdef::ACTION_OPEN,ACTION_LUKSRESUME,ACTION_RESIZE,ACTION_TOKEN[]
*--disable-external-tokens*::
Disable loading of plugins for external LUKS2 tokens.
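Review bot: the *--disable-blkid* entry says what is switched off but not the consequence; add that without blkid cryptsetup neither detects nor wipes existing filesystem, RAID or other signatures on the device, so stale signatures can survive the format or reencryption and the usual "device already contains data" check is lost. "Disable use of blkid library" also wants the article: "Disable use of the blkid library".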
@@ -789,6 +840,26 @@ ifdef::ACTION_TOKEN[]
Set key description in keyring for use with _token_ command.
endif::[]
+ifdef::ACTION_OPEN,ACTION_LUKSRESUME[]
+*--link-vk-to-keyring* _<keyring_description>::<key_description>_::
+Link volume key in a keyring with specified key name. The volume key is linked only
+if requested action is successfully finished.
++
+_<keyring_description>_ string has to contain existing kernel keyring
+description. The keyring name may be optionally prefixed with "%:" or "%keyring:" type descriptions.
+Or, the keyring may also be specified directly by numeric key id. Also special keyring notations
+starting with "@" may be used to select existing predefined kernel keyrings.
++
+The string "::" is delimiter used to separate keyring description and key description.
++
+_<key_description>_ part describes key type and key name of volume key linked in the keyring
+described in _<keyring_description>_. The type may be specified by adding "%<type_name>:" prefix in front of
+key name. If type is missing default _user_ type is applied. If the key of same name and same type already exists (already linked in the keyring)
+it will get replaced in the process.
++
+See also *KEY IDENTIFIERS* section of *keyctl*(1).
+endif::[]
+
ifdef::ACTION_CONFIG[]
*--priority <normal|prefer|ignore>*::
Set a priority for LUKS2 keyslot. The _prefer_ priority marked slots
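Review bot: "If the key of same name and same type already exists ... it will get replaced in the process" means an existing key is silently overwritten, and the linked key is the volume key itself; document the permissions the new key is created with and that a key of the default _user_ type is readable by any process with read permission on it, so users can pick a suitably restricted keyring. Wording: "Link volume key in a keyring with specified key name" should be "Link the volume key into the given keyring under the specified key name"; "The string "::" is delimiter used" should be "is the delimiter used"; "If type is missing default _user_ type is applied" should be "If the type is missing, the default _user_ type is applied". The sentences beginning "Or, the keyring may also..." and "Also special keyring notations..." are better joined into one sentence listing the three accepted forms (prefixed name, numeric key id, "@" special keyring).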
@@ -800,7 +871,7 @@ endif::[]
ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_TOKEN,ACTION_LUKSADDKEY[]
*--token-id*::
ifndef::ACTION_TOKEN,ACTION_LUKSADDKEY[]
-Specify what token to use and allow token PIN prompt to take precedence over interative
+Specify what token to use and allow token PIN prompt to take precedence over interactive
keyslot passphrase prompt. If omitted, all available tokens (not protected by PIN)
will be checked before proceeding further with passphrase prompt.
endif::[]
@@ -1163,6 +1234,12 @@ Enlarge data offset to specified value by shrinking device size.
You cannot shrink device more than by 64 MiB (131072 sectors).
endif::[]
+ifdef::ACTION_RESIZE,ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP,ACTION_LUKSRESUME,ACTION_TOKEN[]
+*--external-tokens-path* _absolute_path_::
+Override system directory path where cryptsetup searches for external token
+handlers (or token plugins). It must be absolute path (starting with '/' character).
+endif::[]
+
ifdef::COMMON_OPTIONS[]
*--batch-mode, -q*::
Suppresses all confirmation questions. Use with care!
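Review bot: overriding the token plugin search path makes cryptsetup, which usually runs as root, load token handler libraries from whatever directory is given, so the text should say that the directory and its contents must be trusted (owned by root and not writable by other users), and it should state whether the system directory is still searched when the override is present. Wording: "It must be absolute path (starting with '/' character)" should be "It must be an absolute path (starting with the '/' character)".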