'\" t .\" Title: cryptsetup-open .\" Author: [see the "AUTHOR(S)" section] .\" Generator: Asciidoctor 2.0.20 .\" Date: 2024-01-05 .\" Manual: Maintenance Commands .\" Source: cryptsetup 2.6.1 .\" Language: English .\" .TH "CRYPTSETUP\-OPEN" "8" "2024-01-05" "cryptsetup 2.6.1" "Maintenance Commands" .ie \n(.g .ds Aq \(aq .el .ds Aq ' .ss \n[.ss] 0 .nh .ad l .de URL \fI\\$2\fP <\\$1>\\$3 .. .als MTO URL .if \n[.g] \{\ . mso www.tmac . am URL . ad l . . . am MTO . ad l . . . LINKSTYLE blue R < > .\} .SH "NAME" cryptsetup-open, cryptsetup-create, cryptsetup-plainOpen, cryptsetup-luksOpen, cryptsetup-loopaesOpen, cryptsetup-tcryptOpen, cryptsetup-bitlkOpen, cryptsetup-fvault2Open \- open an encrypted device and create a mapping with a specified name .SH "SYNOPSIS" .sp \fBcryptsetup \fIopen\fP \-\-type [] \fP .SH "DESCRIPTION" .sp Opens (creates a mapping with) backed by device . .sp Device type can be \fIplain\fP, \fIluks\fP (default), \fIluks1\fP, \fIluks2\fP, \fIloopaes\fP or \fItcrypt\fP. .sp For backward compatibility there are \fBopen\fP command aliases: .sp \fBcreate\fP (argument\-order ): open \-\-type plain .br \fBplainOpen\fP: open \-\-type plain .br \fBluksOpen\fP: open \-\-type luks .br \fBloopaesOpen\fP: open \-\-type loopaes .br \fBtcryptOpen\fP: open \-\-type tcrypt .br \fBbitlkOpen\fP: open \-\-type bitlk .sp \fB\fP are type specific and are described below for individual device types. For \fBcreate\fP, the order of the and options is inverted for historical reasons, all other aliases use the standard \fB \fP order. .SS "PLAIN" .sp \fBopen \-\-type plain \fP .br plainOpen (\fBold syntax\fP) .br create (\fBOBSOLETE syntax\fP) .sp Opens (creates a mapping with) backed by device . .sp \fB\fP can be [\-\-hash, \-\-cipher, \-\-verify\-passphrase, \-\-sector\-size, \-\-key\-file, \-\-keyfile\-size, \-\-keyfile\-offset, \-\-key\-size, \-\-offset, \-\-skip, \-\-device\-size, \-\-size, \-\-readonly, \-\-shared, \-\-allow\-discards, \-\-refresh, \-\-timeout, \-\-verify\-passphrase, \-\-iv\-large\-sectors]. .sp Example: \*(Aqcryptsetup open \-\-type plain /dev/sda10 e1\*(Aq maps the raw encrypted device /dev/sda10 to the mapped (decrypted) device /dev/mapper/e1, which can then be mounted, fsck\-ed or have a filesystem created on it. .SS "LUKS" .sp \fBopen \fP .br open \-\-type (\fBexplicit version request\fP) .br luksOpen (\fBold syntax\fP) .sp Opens the LUKS device and sets up a mapping after successful verification of the supplied passphrase. .sp First, the passphrase is searched in LUKS2 tokens unprotected by PIN. If such token does not exist (or fails to unlock keyslot) and also the passphrase is not supplied via \-\-key\-file, the command prompts for passphrase interactively. .sp If there is valid LUKS2 token but it requires PIN to unlock assigned keyslot, it is not used unless one of following options is added: \-\-token\-only, \-\-token\-type where type matches desired PIN protected token or \-\-token\-id with id matching PIN protected token. .sp \fB\fP can be [\-\-key\-file, \-\-keyfile\-offset, \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase, \-\-allow\-discards, \-\-header, \-\-key\-slot, \-\-volume\-key\-file, \-\-token\-id, \-\-token\-only, \-\-token\-type, \-\-disable\-external\-tokens, \-\-disable\-keyring, \-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf, \-\-unbound, \-\-tries, \-\-timeout, \-\-verify\-passphrase, \-\-persistent]. .SS "loopAES" .sp \fBopen \-\-type loopaes \-\-key\-file \fP .br loopaesOpen \-\-key\-file (\fBold syntax\fP) .sp Opens the loop\-AES and sets up a mapping . .sp If the key file is encrypted with GnuPG, then you have to use \-\-key\-file=\- and decrypt it before use, e.g., like this: .br gpg \-\-decrypt | cryptsetup loopaesOpen \-\-key\-file=\- .sp \fBWARNING:\fP The loop\-AES extension cannot use the direct input of the key file on the real terminal because the keys are separated by end\-of\-line and only part of the multi\-key file would be read. .br If you need it in script, just use the pipe redirection: .br echo $keyfile | cryptsetup loopaesOpen \-\-key\-file=\- .sp Use \fB\-\-keyfile\-size\fP to specify the proper key length if needed. .sp Use \fB\-\-offset\fP to specify device offset. Note that the units need to be specified in number of 512 byte sectors. .sp Use \fB\-\-skip\fP to specify the IV offset. If the original device used an offset and but did not use it in IV sector calculations, you have to explicitly use \fB\-\-skip 0\fP in addition to the offset parameter. .sp Use \fB\-\-hash\fP to override the default hash function for passphrase hashing (otherwise it is detected according to key size). .sp \fB\fP can be [\-\-cipher, \-\-key\-file, \-\-keyfile\-size, \-\-keyfile\-offset, \-\-key\-size, \-\-offset, \-\-skip, \-\-hash, \-\-readonly, \-\-allow\-discards, \-\-refresh]. .SS "TrueCrypt and VeraCrypt" .sp \fBopen \-\-type tcrypt \fP .br tcryptOpen (\fBold syntax\fP) .sp Opens the TCRYPT (TrueCrypt and VeraCrypt compatible) and sets up a mapping . .sp \fB\fP can be [\-\-key\-file, \-\-tcrypt\-hidden, \-\-tcrypt\-system, \-\-tcrypt\-backup, \-\-readonly, \-\-test\-passphrase, \-\-allow\-discards, \-\-veracrypt (ignored), \-\-disable\-veracrypt, \-\-veracrypt\-pim, \-\-veracrypt\-query\-pim, \-\-header, \-\-cipher, \-\-hash, \-\-tries, \-\-timeout, \-\-verify\-passphrase]. .sp The keyfile parameter allows a combination of file content with the passphrase and can be repeated. Note that using keyfiles is compatible with TCRYPT and is different from LUKS keyfile logic. .sp If \fB\-\-cipher\fP or \fB\-\-hash\fP options are used, only cipher chains or PBKDF2 variants with the specified hash algorithms are checked. This could speed up unlocking the device (but also it reveals some information about the container). .sp If you use \fB\-\-header\fP in combination with hidden or system options, the header file must contain specific headers on the same positions as the original encrypted container. .sp \fBWARNING:\fP Option \fB\-\-allow\-discards\fP cannot be combined with option \fB\-\-tcrypt\-hidden\fP. For normal mapping, it can cause the \fBdestruction of hidden volume\fP (hidden volume appears as unused space for outer volume so this space can be discarded). .SS "BitLocker" .sp \fBopen \-\-type bitlk \fP .br bitlkOpen (\fBold syntax\fP) .sp Opens the BITLK (a BitLocker compatible) and sets up a mapping . .sp \fB\fP can be [\-\-key\-file, \-\-keyfile\-offset, \-\-keyfile\-size, \-\-key\-size, \-\-readonly, \-\-test\-passphrase, \-\-allow\-discards \-\-volume\-key\-file, \-\-tries, \-\-timeout, \-\-verify\-passphrase]. .SS "FileVault2" .sp \fBopen \-\-type fvault2 \fP .br fvault2Open (\fBold syntax\fP) .sp Opens the FVAULT2 (a FileVault2 compatible) and sets up a mapping . .sp \fB\fP can be [\-\-key\-file, \-\-keyfile\-offset, \-\-keyfile\-size, \-\-key\-size, \-\-readonly, \-\-test\-passphrase, \-\-allow\-discards \-\-volume\-key\-file, \-\-tries, \-\-timeout, \-\-verify\-passphrase]. .SH "OPTIONS" .sp \fB\-\-type \fP .RS 4 Specifies required device type, for more info read \fIBASIC ACTIONS\fP section in \fBcryptsetup\fP(8). .RE .sp \fB\-\-hash, \-h\fP \fI\fP .RS 4 Specifies the passphrase hash. Applies to \fIplain\fP and \fIloopaes\fP device types only. .sp For \fItcrypt\fP device type, it restricts checked PBKDF2 variants when looking for header. .RE .sp \fB\-\-cipher, \-c\fP \fI\fP .RS 4 Set the cipher specification string for \fIplain\fP device type. .sp For \fItcrypt\fP device type it restricts checked cipher chains when looking for header. .sp \fIcryptsetup \-\-help\fP shows the compiled\-in defaults. .sp If a hash is part of the cipher specification, then it is used as part of the IV generation. For example, ESSIV needs a hash function, while "plain64" does not and hence none is specified. .sp For XTS mode you can optionally set a key size of 512 bits with the \-s option. Key size for XTS mode is twice that for other modes for the same security level. .RE .sp \fB\-\-verify\-passphrase, \-y\fP .RS 4 When interactively asking for a passphrase, ask for it twice and complain if both inputs do not match. Advised when creating a \fIplain\fP type mapping for the first time. Ignored on input from file or stdin. .RE .sp \fB\-\-key\-file, \-d\fP \fIname\fP .RS 4 Read the passphrase from file. .sp If the name given is "\-", then the passphrase will be read from stdin. In this case, reading will not stop at newline characters. .sp \fBNOTE:\fP With \fIplain\fP device type, the passphrase obtained via \-\-key\-file option is passed directly in dm\-crypt. Unlike the interactive mode (stdin) where digest (\-\-hash option) of the passphrase is passed in dm\-crypt instead. .sp See section \fINOTES ON PASSPHRASE PROCESSING\fP in \fBcryptsetup\fP(8) for more information. .RE .sp \fB\-\-keyfile\-offset\fP \fIvalue\fP .RS 4 Skip \fIvalue\fP bytes at the beginning of the key file. .RE .sp \fB\-\-keyfile\-size, \-l\fP \fIvalue\fP .RS 4 Read a maximum of \fIvalue\fP bytes from the key file. The default is to read the whole file up to the compiled\-in maximum that can be queried with \-\-help. Supplying more data than the compiled\-in maximum aborts the operation. .sp This option is useful to cut trailing newlines, for example. If \-\-keyfile\-offset is also given, the size count starts after the offset. .RE .sp \fB\-\-volume\-key\-file, \-\-master\-key\-file (OBSOLETE alias)\fP .RS 4 Use a volume key stored in a file. This allows one to open \fIluks\fP and \fIbitlk\fP device types without giving a passphrase. .br .RE .sp \fB\-\-key\-slot, \-S <0\-N>\fP .RS 4 This option selects a specific key\-slot to compare the passphrase against. If the given passphrase would only match a different key\-slot, the operation fails. .sp The maximum number of key slots depends on the LUKS version. LUKS1 can have up to 8 key slots. LUKS2 can have up to 32 key slots based on key slot area size and key size, but a valid key slot ID can always be between 0 and 31 for LUKS2. .RE .sp \fB\-\-key\-size, \-s\fP \fIbits\fP .RS 4 Sets key size in \fIbits\fP. The argument has to be a multiple of 8. The possible key\-sizes are limited by the cipher and mode used. .sp See /proc/crypto for more information. Note that key\-size in /proc/crypto is stated in bytes. .sp This option can be used for \fIplain\fP device type only. .RE .sp \fB\-\-size, \-b \fP .RS 4 Set the size of the device in sectors of 512 bytes. Usable only with \fIplain\fP device type. .RE .sp \fB\-\-offset, \-o \fP .RS 4 Start offset in the backend device in 512\-byte sectors. This option is only relevant with plain or loopaes device types. .RE .sp \fB\-\-skip, \-p \fP .RS 4 Start offset used in IV calculation in 512\-byte sectors (how many sectors of the encrypted data to skip at the beginning). This option is only relevant with plain or loopaes device types. .sp Hence, if \-\-offset \fIn\fP, and \-\-skip \fIs\fP, sector \fIn\fP (the first sector of the encrypted device) will get a sector number of \fIs\fP for the IV calculation. .RE .sp \fB\-\-device\-size\fP \fIsize[units]\fP .RS 4 Instead of real device size, use specified value. Usable only with \fIplain\fP device type. .sp If no unit suffix is specified, the size is in bytes. .sp Unit suffix can be S for 512 byte sectors, K/M/G/T (or KiB,MiB,GiB,TiB) for units with 1024 base or KB/MB/GB/TB for 1000 base (SI scale). .RE .sp \fB\-\-readonly, \-r\fP .RS 4 set up a read\-only mapping. .RE .sp \fB\-\-shared\fP .RS 4 Creates an additional mapping for one common ciphertext device. Arbitrary mappings are supported. This option is only relevant for the \fIplain\fP device type. Use \-\-offset, \-\-size and \-\-skip to specify the mapped area. .RE .sp \fB\-\-timeout, \-t \fP .RS 4 The number of seconds to wait before timeout on passphrase input via terminal. It is relevant every time a passphrase is asked. It has no effect if used in conjunction with \-\-key\-file. .sp This option is useful when the system should not stall if the user does not input a passphrase, e.g. during boot. The default is a value of 0 seconds, which means to wait forever. .RE .sp \fB\-\-tries, \-T\fP .RS 4 How often the input of the passphrase shall be retried. The default is 3 tries. .RE .sp \fB\-\-allow\-discards\fP .RS 4 Allow the use of discard (TRIM) requests for the device. This is also not supported for LUKS2 devices with data integrity protection. .sp \fBWARNING:\fP This command can have a negative security impact because it can make filesystem\-level operations visible on the physical device. For example, information leaking filesystem type, used space, etc. may be extractable from the physical device if the discarded blocks can be located later. If in doubt, do not use it. .sp A kernel version of 3.1 or later is needed. For earlier kernels, this option is ignored. .RE .sp \fB\-\-perf\-same_cpu_crypt\fP .RS 4 Perform encryption using the same cpu that IO was submitted on. The default is to use an unbound workqueue so that encryption work is automatically balanced between available CPUs. .sp \fBNOTE:\fP This option is available only for low\-level dm\-crypt performance tuning, use only if you need a change to default dm\-crypt behaviour. Needs kernel 4.0 or later. .RE .sp \fB\-\-perf\-submit_from_crypt_cpus\fP .RS 4 Disable offloading writes to a separate thread after encryption. There are some situations where offloading write bios from the encryption threads to a single thread degrades performance significantly. The default is to offload write bios to the same thread. .sp \fBNOTE:\fP This option is available only for low\-level dm\-crypt performance tuning, use only if you need a change to default dm\-crypt behaviour. Needs kernel 4.0 or later. .RE .sp \fB\-\-perf\-no_read_workqueue, \-\-perf\-no_write_workqueue\fP .RS 4 Bypass dm\-crypt internal workqueue and process read or write requests synchronously. .sp \fBNOTE:\fP These options are available only for low\-level dm\-crypt performance tuning, use only if you need a change to default dm\-crypt behaviour. Needs kernel 5.9 or later. .RE .sp \fB\-\-test\-passphrase\fP .RS 4 Do not activate the device, just verify passphrase. The device mapping name is not mandatory if this option is used. .RE .sp \fB\-\-header \fP .RS 4 Specify detached (separated) metadata device or file where the header is stored. .sp \fBWARNING:\fP There is no check whether the ciphertext device specified actually belongs to the header given. In fact, you can specify an arbitrary device as the ciphertext device with the \-\-header option. Use with care. .RE .sp \fB\-\-disable\-external\-tokens\fP .RS 4 Disable loading of plugins for external LUKS2 tokens. .RE .sp \fB\-\-disable\-locks\fP .RS 4 Disable lock protection for metadata on disk. This option is valid only for LUKS2 and ignored for other formats. .sp \fBWARNING:\fP Do not use this option unless you run cryptsetup in a restricted environment where locking is impossible to perform (where /run directory cannot be used). .RE .sp \fB\-\-disable\-keyring\fP .RS 4 Do not load volume key in kernel keyring and store it directly in the dm\-crypt target instead. This option is supported only for the LUKS2 type. .RE .sp \fB\-\-token\-id\fP .RS 4 Specify what token to use and allow token PIN prompt to take precedence over interative keyslot passphrase prompt. If omitted, all available tokens (not protected by PIN) will be checked before proceeding further with passphrase prompt. .RE .sp \fB\-\-token\-only\fP .RS 4 Do not proceed further with action if token based keyslot unlock failed. Without the option, action asks for passphrase to proceed further. .sp It allows LUKS2 tokens protected by PIN to take precedence over interactive keyslot passphrase prompt. .RE .sp \fB\-\-token\-type\fP \fItype\fP .RS 4 Restrict tokens eligible for operation to specific token \fItype\fP. Mostly useful when no \-\-token\-id is specified. .sp It allows LUKS2 \fItype\fP tokens protected by PIN to take precedence over interactive keyslot passphrase prompt. .RE .sp \fB\-\-sector\-size\fP \fIbytes\fP .RS 4 Set encryption sector size for use with \fIplain\fP device type. It must be power of two and in range 512 \- 4096 bytes. The default mode is 512 bytes. .sp Note that if sector size is higher than underlying device hardware sector, using this option can increase risk on incomplete sector writes during a power fail. .sp Increasing sector size from 512 bytes to 4096 bytes can provide better performance on most of the modern storage devices and also with some hw encryption accelerators. .RE .sp \fB\-\-iv\-large\-sectors\fP .RS 4 Count Initialization Vector (IV) in larger sector size (if set) instead of 512 bytes sectors. This option can be used only with \fIplain\fP device type. .sp \fBNOTE:\fP This option does not have any performance or security impact, use it only for accessing incompatible existing disk images from other systems that require this option. .RE .sp \fB\-\-persistent\fP .RS 4 If used with LUKS2 devices and activation commands like \fIopen\fP or \fIrefresh\fP, the specified activation flags are persistently written into metadata and used next time automatically even for normal activation. (No need to use cryptab or other system configuration files.) .sp If you need to remove a persistent flag, use \fI\-\-persistent\fP without the flag you want to remove (e.g. to disable persistently stored discard flag, use \fI\-\-persistent\fP without \fI\-\-allow\-discards\fP). .sp Only \fI\-\-allow\-discards\fP, \fI\-\-perf\-same_cpu_crypt\fP, \fI\-\-perf\-submit_from_crypt_cpus\fP, \fI\-\-perf\-no_read_workqueue\fP, \fI\-\-perf\-no_write_workqueue\fP and \fI\-\-integrity\-no\-journal\fP can be stored persistently. .RE .sp \fB\-\-refresh\fP .RS 4 Refreshes an active device with new set of parameters. See \fBcryptsetup\-refresh\fP(8) for more details. .RE .sp \fB\-\-unbound\fP .RS 4 Allowed only together with \-\-test\-passphrase parameter, it allows one to test passphrase for unbound LUKS2 keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific keyslot is selected via \-\-key\-slot parameter. .RE .sp \fB\-\-tcrypt\-hidden\fP, \fB\-\-tcrypt\-system\fP, \fB\-\-tcrypt\-backup\fP .RS 4 Specify which TrueCrypt on\-disk header will be used to open the device. See \fITCRYPT\fP section in \fBcryptsetup\fP(8) for more info. .RE .sp \fB\-\-veracrypt\fP .RS 4 This option is ignored as VeraCrypt compatible mode is supported by default. .RE .sp \fB\-\-disable\-veracrypt\fP .RS 4 This option can be used to disable VeraCrypt compatible mode (only TrueCrypt devices are recognized). Only for TCRYPT extension. See \fITCRYPT\fP section in \fBcryptsetup\fP(8) for more info. .RE .sp \fB\-\-veracrypt\-pim\fP, \fB\-\-veracrypt\-query\-pim\fP .RS 4 Use a custom Personal Iteration Multiplier (PIM) for VeraCrypt device. See \fITCRYPT\fP section in \fBcryptsetup\fP(8) for more info. .RE .sp \fB\-\-serialize\-memory\-hard\-pbkdf\fP .RS 4 Use a global lock to serialize unlocking of keyslots using memory\-hard PBKDF. .sp \fBNOTE:\fP This is (ugly) workaround for a specific situation when multiple devices are activated in parallel and system instead of reporting out of memory starts unconditionally stop processes using out\-of\-memory killer. .sp \fBDO NOT USE\fP this switch until you are implementing boot environment with parallel devices activation! .RE .sp \fB\-\-batch\-mode, \-q\fP .RS 4 Suppresses all confirmation questions. Use with care! .sp If the \-\-verify\-passphrase option is not specified, this option also switches off the passphrase verification. .RE .sp \fB\-\-debug or \-\-debug\-json\fP .RS 4 Run in debug mode with full diagnostic logs. Debug output lines are always prefixed by \fB#\fP. .sp If \-\-debug\-json is used, additional LUKS2 JSON data structures are printed. .RE .sp \fB\-\-version, \-V\fP .RS 4 Show the program version. .RE .sp \fB\-\-usage\fP .RS 4 Show short option help. .RE .sp \fB\-\-help, \-?\fP .RS 4 Show help text and default parameters. .RE .SH "REPORTING BUGS" .sp Report bugs at \c .MTO "cryptsetup\(atlists.linux.dev" "\fBcryptsetup mailing list\fP" or in \c .URL "https://gitlab.com/cryptsetup/cryptsetup/\-/issues/new" "\fBIssues project section\fP" "." .sp Please attach output of the failed command with \-\-debug option added. .SH "SEE ALSO" .sp .URL "https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions" "\fBCryptsetup FAQ\fP" "" .sp \fBcryptsetup\fP(8), \fBintegritysetup\fP(8) and \fBveritysetup\fP(8) .SH "CRYPTSETUP" .sp Part of \c .URL "https://gitlab.com/cryptsetup/cryptsetup/" "\fBcryptsetup project\fP" "."