From 435fbf74bfdf383db1238633326be558ef2d3ff2 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 17 Apr 2024 10:38:45 +0200 Subject: Merging upstream version 2:2.7.2. Signed-off-by: Daniel Baumann --- man/common_options.adoc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'man') diff --git a/man/common_options.adoc b/man/common_options.adoc index 5c11309..841929b 100644 --- a/man/common_options.adoc +++ b/man/common_options.adoc @@ -332,11 +332,26 @@ Format LUKS2 device with dm-crypt encryption stacked on top HW based encryption on SED OPAL locking range. This option enables both SW and HW based data encryption. endif::[] +ifdef::ACTION_ERASE[] +*--hw-opal-factory-reset*:: +Erase *ALL* data on the OPAL self-encrypted device, regardless of the partition it is ran on, if any, +and does not require a valid LUKS2 header to be present on the device to run. After providing +correct PSID via interactive prompt or via *--key-file* parameter the device is erased. +endif::[] + ifdef::ACTION_LUKSFORMAT[] *--hw-opal-only*:: Format LUKS2 device with HW based encryption configured on SED OPAL locking range only. LUKS2 format only manages locking range unlock key. This option enables HW based data encryption managed by SED OPAL drive only. ++ +*NOTE*: Please note that with OPAL-only (--hw-opal-only) encryption, +the configured OPAL administrator PIN (passphrase) allows unlocking +all configured locking ranges without LUKS keyslot decryption +(without knowledge of LUKS passphrase). +Because of many observed problems with compatibility, cryptsetup +currently DOES NOT use OPAL single-user mode, which would allow such +decoupling of OPAL admin PIN access. endif::[] ifdef::ACTION_REENCRYPT[] -- cgit v1.2.3
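Review bot: the new *--hw-opal-factory-reset* paragraph under `ifdef::ACTION_ERASE[]` has a grammar slip and a dangling clause: "regardless of the partition it is ran on" should read "it is run on", and "and does not require a valid LUKS2 header" has no subject once it is joined to the imperative "Erase". Suggest splitting it, e.g. "Erase *ALL* data on the OPAL self-encrypted device, regardless of the partition it is run on, if any. This action does not require a valid LUKS2 header to be present on the device." The added *NOTE* under *--hw-opal-only* is the important part of this hunk from a security-documentation standpoint: it states plainly that in OPAL-only mode the OPAL administrator PIN unlocks all configured locking ranges without any LUKS keyslot decryption, and that cryptsetup currently does not use OPAL single-user mode to decouple that access. That text is correct to include, but "Please note that" is redundant after the bold *NOTE* label; "With OPAL-only (*--hw-opal-only*) encryption, the configured OPAL administrator PIN ..." reads more directly, and the option name should use the same `*--hw-opal-only*` markup as the rest of the file rather than bare `--hw-opal-only`.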