Diffstat (limited to 'man/cryptsetup.8.adoc')
-rw-r--r--  man/cryptsetup.8.adoc  56
1 files changed, 44 insertions, 12 deletions
diff --git a/man/cryptsetup.8.adoc b/man/cryptsetup.8.adoc
index ddd3a12..442012d 100644
--- a/man/cryptsetup.8.adoc
+++ b/man/cryptsetup.8.adoc
@@ -21,7 +21,8 @@ features than plain dm-crypt. On the other hand, the header is visible
and vulnerable to damage.
In addition, cryptsetup provides limited support for the use of loop-AES
-volumes, TrueCrypt, VeraCrypt, BitLocker and FileVault2 compatible volumes.
+volumes, TrueCrypt, VeraCrypt, BitLocker and FileVault2 compatible volumes,
+and for hardware-based encryption on OPAL capable drives.
For more information about specific cryptsetup action see
*cryptsetup-<action>*(8), where *<action>* is the name of the
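Review bot: style point on the added line "and for hardware-based encryption on OPAL capable drives.": hyphenate the compound adjective as "OPAL-capable", matching "hardware-based" in the same sentence. Since this introduction otherwise points readers onward, consider appending "see the SED OPAL EXTENSION section below" so that the one-line mention leads to the kernel v6.4 requirement and the admin-password caveat documented there.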
@@ -423,15 +424,44 @@ Opens the FVAULT2 (a FileVault2-compatible) <device> (usually the second
partition on the device) and sets up a mapping <name>. +
See *cryptsetup-open*(8).
-=== DUMP
-*fvault2Dump <device>*
+== SED (Self Encrypting Drive) OPAL EXTENSION
+
+cryptsetup supports using native hardware encryption on drives that provide an
+*OPAL* interface, both nested with *dm-crypt* and standalone. Passphrases,
+tokens and metadata are stored using the LUKS2 header format, and are thus
+compatible with any software or system that uses LUKS2 (e.g.: tokens).
+
+*WARNING:* this support is new and experimental, and requires at least kernel
+v6.4. Resizing devices is not supported.
+
+*--hw-opal* can be specified for OPAL + dm-crypt, and
+*--hw-opal-only* can be specified to use OPAL only, without a dm-crypt layer.
+
+Opening, closing and enrolling tokens work in the same way as with LUKS2 and
+dm-crypt. The new parameters are only necessary when formatting, the LUKS2
+metadata will ensure the right setup is performed when opening or closing. If
+no *subsystem* is specified, it will be automatically set to *HW-OPAL* so that
+it is immediately apparent when a device uses OPAL.
-Dump the header information of an FVAULT2 device. +
-See *cryptsetup-fvault2Dump*(8).
+=== FORMAT
+*luksFormat --type luks2 --hw-opal <device> [<key file>]*
+
+Additionally specify *--hw-opal-only* instead of *--hw-opal* to avoid the
+dm-crypt layer. Other than the usual passphrase, an admin password will have
+to be specified when formatting the first partition of the drive, and will have
+to be re-supplied when formatting any other partition until a factory reset
+is performed.
+
+=== ERASE
+*erase <device>*
-Note that cryptsetup does not use any macOS code or proprietary
-specifications. Please report all problems related to this compatibility
-extension to the cryptsetup project.
+Securely erase a partition or device. Requires admin password.
+Additionally specify *--hw-opal-factory-reset* for a FULL factory reset of the
+drive, using the drive's *PSID* (typically printed on the label) instead of the
+admin password.
+*WARNING*: a factory reset will cause ALL data on the device to be lost,
+regardless of the partition it is ran on, if any, and regardless of any LUKS2
+header backup.
== MISCELLANEOUS ACTIONS
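Review bot: this hunk removes the FVAULT2 "=== DUMP" subsection ("*fvault2Dump <device>*", its description and the "See *cryptsetup-fvault2Dump*(8)" pointer) together with the note that cryptsetup uses no macOS code or proprietary specifications, none of which relates to adding OPAL support; either restore those lines under the FVAULT2 section or split the removal into its own commit with a rationale. In the new text, "regardless of the partition it is ran on" should read "is run on", and "e.g.: tokens" should be "e.g. tokens". The ERASE entry says "Requires admin password" but not which one: given the FORMAT entry states the admin password set on the first partition must be re-supplied for every other partition until a factory reset, say explicitly that erase needs that drive-wide admin password, not a per-partition passphrase. The FULL factory reset warning, including that a LUKS2 header backup does not help, is the right call and should stay.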
@@ -671,11 +701,13 @@ The dm-crypt device then resides on top of such a dm-integrity device.
All activation and deactivation of this device stack is performed by
cryptsetup, there is no difference in using *luksOpen* for integrity
protected devices. If you want to format LUKS2 device with data
-integrity protection, use *--integrity* option.
+integrity protection, use *--integrity* option (see *cryptsetup-luksFormat(8)*).
-Since dm-integrity doesn't support discards (TRIM), dm-crypt device on
-top of it inherits this, so integrity protection mode doesn't support
-discards either.
+Albeit Linux kernel 5.7 added TRIM support for standalone dm-integrity devices,
+*cryptsetup(8)* can't offer support for discards (TRIM) in authenticated
+encryption mode, because the underlying dm-crypt kernel module does not support
+this functionality when dm-integrity is used as auth tag space allocator
+(see *--allow-discards* in *cryptsetup-luksFormat(8)*).
Some integrity modes requires two independent keys (key for encryption
and for authentication). Both these keys are stored in one LUKS keyslot.
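Review bot: "Albeit Linux kernel 5.7 added TRIM support ..." is ungrammatical, since "albeit" cannot introduce a full clause; use "Although Linux kernel 5.7 added TRIM support for standalone dm-integrity devices, ...". The two new cross-references put the section number inside the bold markup ("*cryptsetup-luksFormat(8)*", "*cryptsetup(8)*") whereas the rest of the page writes "*cryptsetup-open*(8)" with the number outside; use the existing form for both.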