Network System Access Solutions

cryptsetup is used to conveniently set up dm-crypt managed device-mapper mappings. These include plain dm-crypt volumes and LUKS volumes. The difference is that LUKS uses a metadata header and can therefore offer more features than plain dm-crypt. On the other hand, the header is visible and vulnerable to damage.

Creating a crypted device

cryptsetup -q -y -c aes-xts-plain64 -s 512 -h sha512 luksFormat /dev/DEVICE

Generating a keyfile

dd if=/dev/urandom of=/root/.keyfile bs=1024 count=8

Adding a keyfile to a crypted device

cryptsetup luksAddKey /dev/DEVICE /root/.keyfile

Unlock crypted device with keyfile

cryptsetup luksOpen /dev/disk/by-id/USB-ID CRYPTDEVICE --key-file=/root/.keyfile
mount /dev/mapper/CRYPTDEVICE /mnt

Unlock crypted device with PASSWORD

cryptsetup luksOpen /dev/disk/by-id/USB-ID CRYPTDEVICE
mount /dev/mapper/CRYPTDEVICE /mnt

Lock crypted device (ready to unplug)

Remember to unmount the device first…

cryptsetup luksClose CRYPTDEVICE

Create cryptheader backup

cryptsetup luksHeaderBackup /dev/disk/by-id/USB-ID --header-backup-file /root/.USBDEVICE.luksheader

Restore cryptheader backup

cryptsetup luksHeaderRestore /dev/disk/by-id/USB-ID --header-backup-file /root/.USBDEVICE.luksheader
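
Because the LUKS header is stored in the clear, a header backup can be checked before it is ever used for a restore. The script below is an added example, not part of the original page: it reads the magic, version, cipher, key size and hash from a LUKS1 header file using only dd, od and tr. The function names are hypothetical, and the sample header it can generate is constructed (no real key material) to match the luksFormat parameters above.

```shell
#!/bin/sh
# Added example: inspect a LUKS header backup with standard tools only.
# LUKS1 header fields (big-endian): 0 magic "LUKS" 0xBA 0xBE, 6 version u16,
# 8 cipher name[32], 40 cipher mode[32], 72 hash spec[32], 108 key bytes u32.
# The fixed part of a LUKS1 header, including its 8 key slots, is 592 bytes.

# hdr_text FILE OFFSET LEN -> NUL-padded text field as a string
hdr_text() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'; }

# hdr_hex FILE OFFSET LEN -> the bytes as one lowercase hex string
hdr_hex() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'; }

# luks_header_info FILE -> prints "LUKS1 <cipher>-<mode> <keybits> <hash>";
# returns 1 when FILE does not start with a usable LUKS header.
luks_header_info() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    size=$(($(wc -c < "$1")))
    if [ "$size" -lt 8 ] || [ "$(hdr_hex "$1" 0 6)" != "4c554b53babe" ]; then
        echo "$1: no LUKS magic, do not restore this file" >&2; return 1
    fi
    version=$((0x$(hdr_hex "$1" 6 2)))
    if [ "$version" -ne 1 ]; then
        echo "LUKS$version"   # LUKS2 stores its parameters as JSON; use luksDump
        return 0
    fi
    [ "$size" -ge 592 ] || { echo "$1: truncated LUKS1 header" >&2; return 1; }
    keybits=$(( 0x$(hdr_hex "$1" 108 4) * 8 ))
    echo "LUKS1 $(hdr_text "$1" 8 32)-$(hdr_text "$1" 40 32) $keybits $(hdr_text "$1" 72 32)"
}

# make_sample_header FILE -> writes a constructed LUKS1 header (no real key
# material) carrying the parameters of the luksFormat call on this page.
make_sample_header() {
    {
        printf 'LUKS\272\276\000\001'                   # magic, version 1
        printf '%-32s%-32s%-32s' aes xts-plain64 sha512 | tr ' ' '\000'
        printf '\000\000\020\000\000\000\000\100'       # payload offset, 64 key bytes
        dd if=/dev/zero bs=1 count=480 2>/dev/null      # digest, UUID, key slots
    } > "$1"
}

# Usage: sh this-script.sh /root/.USBDEVICE.luksheader
if [ $# -gt 0 ]; then
    luks_header_info "$1"
fi
```

For the full view of a backup, including key slot state, cryptsetup luksDump also accepts the header backup file in place of the device.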
linux/cryptsetup.txt · Last modified: 2014/03/17 14:17 by michel.pelzer