summaryrefslogtreecommitdiffstats
path: root/man/integritysetup.8.adoc
blob: e89b0f76bc642ee878d095aa28de629a74f6a699 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
= integritysetup(8)
:doctype: manpage
:manmanual: Maintenance Commands
:mansource: integritysetup {release-version}
:man-linkstyle: pass:[blue R < >]

== NAME

integritysetup - manage dm-integrity (block level integrity) volumes

== SYNOPSIS

*integritysetup <action> [<options>] <action args>*

== DESCRIPTION

Integritysetup is used to configure dm-integrity managed device-mapper
mappings.

Device-mapper integrity target provides read-write transparent integrity
checking of block devices. The dm-integrity target emulates an additional
data integrity field per-sector. You can use this additional field
directly with integritysetup utility, or indirectly (for authenticated
encryption) through cryptsetup.

== BASIC ACTIONS

Integritysetup supports these operations:

=== FORMAT
*format <device>*

Formats <device> (calculates space and dm-integrity superblock and wipes
the device).

*<options>* can be [--data-device, --batch-mode, --no-wipe,
--journal-size, --interleave-sectors, --tag-size, --integrity,
--integrity-key-size, --integrity-key-file, --sector-size,
--progress-frequency, --progress-json].

=== OPEN
*open <device> <name>* +
create <name> <device> (*OBSOLETE syntax*)

Open a mapping with <name> backed by device <device>.

If the integrity algorithm of the device is non-default,
then the algorithm should be specified with the *--integrity* option.
This will not be detected from the device.

*<options>* can be [--data-device, --batch-mode, --journal-watermark,
--journal-commit-time, --buffer-sectors, --integrity,
--integrity-key-size, --integrity-key-file, --integrity-no-journal,
--integrity-recalculate,
--integrity-recalculate-reset,--integrity-recovery-mode,
--allow-discards].

=== CLOSE
*close <name>* +
remove <name> (*OBSOLETE syntax*)

Removes existing mapping <name>.

*<options>* can be [--deferred] or [--cancel-deferred]

=== STATUS
*status <name>*

Reports status for the active integrity mapping <name>.

=== DUMP
*dump <device>*

Reports parameters from on-disk stored superblock.

=== RESIZE
*resize <name>*

Resizes an active mapping <name>.

If --size (in 512-bytes sectors) or --device-size are not specified, the
size is computed from the underlying device. After resize, the
*recalculating* flag is set. If --wipe flag is set and the size of the
device is increased, the newly added section will be wiped.

Increasing the size of integrity volumes is available since the Linux
kernel version 5.7, shrinking should work on older kernels too.

*<options>* can be [--size, --device-size, --wipe].

== OPTIONS
*--progress-frequency <seconds>*::
Print separate line every <seconds> with wipe progress.

*--progress-json*::
Prints wipe progress data in json format suitable mostly for machine
processing. It prints separate line every half second (or based on
--progress-frequency value). The JSON output looks as follows during
wipe progress (except it's compact single line):
+
....
{
  "device":"/dev/sda"       // backing device or file
  "device_bytes":"8192",    // bytes wiped so far
  "device_size":"44040192", // total bytes to wipe
  "speed":"126877696",      // calculated speed in bytes per second (based on progress so far)
  "eta_ms":"2520012"        // estimated time to finish wipe in milliseconds
  "time_ms":"5561235"       // total time spent wiping device in milliseconds
}
....
+
Note on numbers in JSON output: Due to JSON parsers limitations all
numbers are represented in a string format due to need of full 64bit
unsigned integers.

*--no-wipe*::
Do not wipe the device after format. A device that is not initially
wiped will contain invalid checksums.

*--wipe*::
Wipe the newly allocated area after resize to bigger size. If this
flag is not set, checksums will be calculated for the data previously
stored in the newly allocated area.

*--journal-size, -j BYTES*::
Size of the journal.

*--interleave-sectors SECTORS*::
The number of interleaved sectors.

*--integrity-recalculate*::
Automatically recalculate integrity tags in kernel on activation. The
device can be used during automatic integrity recalculation but
becomes fully integrity protected only after the background operation
is finished. This option is available since the Linux kernel version
4.19.

*--integrity-recalculate-reset*::
Restart recalculation from the beginning of the device. It can be used
to change the integrity checksum function. Note it does not change the
tag length. This option is available since the Linux kernel version
5.13.

*--journal-watermark PERCENT*::
Journal watermark in percents. When the size of the journal exceeds
this watermark, the journal flush will be started.

*--journal-commit-time MS*::
Commit time in milliseconds. When this time passes (and no explicit
flush operation was issued), the journal is written.

*--tag-size, -t BYTES*::
Size of the integrity tag per-sector (here the integrity function will
store authentication tag).
+
*NOTE:* The size can be smaller that output size of the hash function,
in that case only part of the hash will be stored.

*--data-device <data_device>*::
Specify a separate data device that contains existing data. The
<device> then will contain calculated integrity tags and journal for
data on <data_device>.
+
*NOTE:* To not wipe the data device after initial format, also specify
--no-wipe option and activate with --integrity-recalculate to
automatically recalculate integrity tags.

*--sector-size, -s BYTES*::
Sector size (power of two: 512, 1024, 2048, 4096).

*--buffer-sectors SECTORS*::
The number of sectors in one buffer.
+
The tag area is accessed using buffers, the large buffer size means that
the I/O size will be larger, but there could be less I/Os issued.

*--integrity, -I ALGORITHM*::
Use internal integrity calculation (standalone mode). The integrity
algorithm can be CRC (crc32c/crc32), non-cryptographic hash function
(xxhash64) or hash function (sha1, sha256).
+
For HMAC (hmac-sha256) you have also to specify an integrity key and its
size.

*--integrity-key-size BYTES*::
The size of the data integrity key. Maximum is 4096 bytes.

*--integrity-key-file FILE*::
The file with the integrity key.

*--integrity-no-journal, -D*::
Disable journal for integrity device.

*--integrity-bitmap-mode. -B*::
Use alternate bitmap mode (available since Linux kernel 5.2) where
dm-integrity uses bitmap instead of a journal. If a bit in the bitmap
is 1, the corresponding region's data and integrity tags are not
synchronized - if the machine crashes, the unsynchronized regions will
be recalculated. The bitmap mode is faster than the journal mode,
because we don't have to write the data twice, but it is also less
reliable, because if data corruption happens when the machine crashes,
it may not be detected.

*--bitmap-sectors-per-bit SECTORS*::
Number of 512-byte sectors per bitmap bit, the value must be power of
two.

*--bitmap-flush-time MS*::
Bitmap flush time in milliseconds.
+
*WARNING:*::
In case of a crash, it is possible that the data and integrity tag
doesn't match if the journal is disabled.

*--integrity-recovery-mode. -R*::
Recovery mode (no journal, no tag checking).

*NOTE:* The following options are intended for testing purposes only.:
Using journal encryption does not make sense without encryption the
data, these options are internally used in authenticated disk
encryption with *cryptsetup(8)*.

*--journal-integrity ALGORITHM*::
Integrity algorithm for journal area. See --integrity option for
detailed specification.

*--journal-integrity-key-size BYTES*::
The size of the journal integrity key. Maximum is 4096 bytes.

*--journal-integrity-key-file FILE*::
The file with the integrity key.

*--journal-crypt ALGORITHM*::
Encryption algorithm for journal data area. You can use a block cipher
here such as cbc-aes or a stream cipher, for example, chacha20 or
ctr-aes.

*--journal-crypt-key-size BYTES*::
The size of the journal encryption key. Maximum is 4096 bytes.

*--journal-crypt-key-file FILE*::
The file with the journal encryption key.

*--allow-discards*::
Allow the use of discard (TRIM) requests for the device. This option
is available since the Linux kernel version 5.7.

*--deferred*::
Defers device removal in *close* command until the last user closes
it.

*--cancel-deferred*::
Removes a previously configured deferred device removal in *close*
command.

*--verbose, -v*::
Print more information on command execution.

*--debug*::
Run in debug mode with full diagnostic logs. Debug output lines are
always prefixed by *#*.

*--version, -V*::
Show the program version.

*--batch-mode, -q*::
Do not ask for confirmation.

*--usage*::
Show short option help.

*--help, -?*::
Show help text and default parameters.

== LEGACY COMPATIBILITY OPTIONS

*WARNING:*::
Do not use these options until you need compatibility with specific
old kernel.

*--integrity-legacy-padding*::
Use inefficient legacy padding.

*--integrity-legacy-hmac*::
Use old flawed HMAC calculation (also does not protect superblock).

*--integrity-legacy-recalculate*::
Allow insecure recalculating of volumes with HMAC keys (recalculation
offset in superblock is not protected).

== RETURN CODES

Integritysetup returns *0* on success and a non-zero value on error.

Error codes are: *1* wrong parameters, *2* no permission, *3* out of memory,
*4* wrong device specified, *5* device already exists or device is busy.

== NOTES
The dm-integrity target is available since Linux kernel version 4.12.

Format and activation of an integrity device always require superuser
privilege because the superblock is calculated and handled in
dm-integrity kernel target.

== EXAMPLES

Format the device with default standalone mode (CRC32C):

*integritysetup format <device>*

Open the device with default parameters:

*integritysetup open <device> test*

Format the device in standalone mode for use with HMAC(SHA256):

*integritysetup format <device> --tag-size 32 --integrity hmac-sha256
--integrity-key-file <keyfile> --integrity-key-size <key_bytes>*

Open (activate) the device with HMAC(SHA256) and HMAC key in file:

*integritysetup open <device> test --integrity hmac-sha256
--integrity-key-file <keyfile> --integrity-key-size <key_bytes>*

Dump dm-integrity superblock information:

*integritysetup dump <device>*

== DM-INTEGRITY ON-DISK FORMAT

The on-disk format specification available at
https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity[*DMIntegrity*] page.

== AUTHORS

The integritysetup tool is written by mailto:gmazyland@gmail.com[Milan Broz].

include::man/common_footer.adoc[]