summaryrefslogtreecommitdiffstats
path: root/man/cryptsetup-luksFormat.8.adoc
blob: c9c3565a1f1e376e0c36c8ca78dc90899ed148f7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
= cryptsetup-luksFormat(8)
:doctype: manpage
:manmanual: Maintenance Commands
:mansource: cryptsetup {release-version}
:man-linkstyle: pass:[blue R < >]
:COMMON_OPTIONS:
:ACTION_LUKSFORMAT:

== Name

cryptsetup-luksFormat - initialize a LUKS partition and set the initial passphrase

== SYNOPSIS

*cryptsetup _luksFormat_ [<options>] <device> [<key file>]*

== DESCRIPTION

Initializes a LUKS partition and sets the initial passphrase (for
key-slot 0), either via prompting or via <key file>. Note that if the
second argument is present, then the passphrase is taken from the file
given there, without the need to use the --key-file option. Also note
that for both forms of reading the passphrase from a file you can give
'-' as file name, which results in the passphrase being read from stdin
and the safety-question being skipped.

You cannot call luksFormat on a device or filesystem that is mapped or
in use, e.g., mounted filesystem, used in LVM, active RAID member, etc. The
device or filesystem has to be un-mounted in order to call luksFormat.

To use specific version of LUKS format, use _--type luks1_ or _type luks2_.
To use OPAL hardware encryption on a self-encrypting drive, use
_--hw-opal_ or _--hw-opal-only_.

*<options>* can be [--hash, --cipher, --verify-passphrase, --key-size,
--key-slot, --key-file (takes precedence over optional second argument),
--keyfile-offset, --keyfile-size, --use-random, --use-urandom, --uuid,
--volume-key-file, --iter-time, --header, --pbkdf-force-iterations,
--force-password, --disable-locks, --timeout, --type, --offset,
--align-payload (deprecated)].

For LUKS2, additional *<options>* can be [--integrity,
--integrity-no-wipe, --sector-size, --label, --subsystem, --pbkdf,
--pbkdf-memory, --pbkdf-parallel, --disable-locks, --disable-keyring,
--luks2-metadata-size, --luks2-keyslots-size, --keyslot-cipher,
--keyslot-key-size, --integrity-legacy-padding, --hw-opal, --hw-opal-only].

*WARNING:* Doing a luksFormat on an existing LUKS container will make
all data in the old container permanently irretrievable unless you have a
header backup.

include::man/common_options.adoc[]
include::man/common_footer.adoc[]