grml-crypt - Wrapper around cryptsetup/losetup/mkfs/mount

*grml-crypt* [OPTIONS] 'action' <device/file> '[mountpoint]'

*grml-crypt* is a program that
provides an easy wrapper around cryptsetup, mkfs, losetup and mount. You
can create a loopback-mounted encrypted filesystem with only one command, but
grml-crypt works for normal devices as well.

*format <device/file> [mountpoint]*::
"Formats" a <device/file>. If the second parameter is not a
block device, grml-crypt assumes that it should operate in file mode. If the
file does not already exist, it will be created with the given size. The
first 2MB of a device (LUKS header) are initialised with /dev/urandom, the
remaining space with the given initialisation. If grml-crypt is in file mode,
the first 2MB of the loop file are also initialised with /dev/urandom, except
where the file already exists (use -f for overwriting).
Commands: [losetup], dd, cryptsetup luksFormat, cryptsetup
luksOpen, [dd], mkfs, [mount]

*start <device/file> [mountpoint]*::
Starts an encrypted <device/file> and mounts it to the given
or a default mountpoint. Commands: [losetup], cryptsetup luksOpen, mount

Stops an encrypted filesystem mounted at <mountpoint>. The
loop device is destroyed by this command as well. Commands: mount, dmsetup info,
cryptsetup status, umount, cryptsetup luksClose, [losetup -d]

Shows the help message.

Shows summary of options.

Shows what is going on (more v => more output).

*-s (in MB, default=10)*::
Gives the size of the loop filesystem grml-crypt should create.

Gives the type of the filesystem grml-crypt should create. /sbin/mkfs.<your
chosen filesystem> should exist.

Read-only mode. The device mapping AND the mountpoint will be made
read-only. In format mode only the mountpoint can be made read-only.

Insecure initialisation mode

Optimized initialisation mode

Verifies the password by asking for it twice during creation.

Forces overwriting and/or disables the confirmation dialog. If the second
parameter to format is an existing file and force is given, then the file
will be used for the encrypted loop filesystem. ATTENTION: the file should
be bigger than 2MB for LUKS only + the constraints from the filesystem
itself (e.g. xfs needs a minimum of 4096 blocks).

Only for action start: Run fsck on the filesystem before mounting it to
the given mountpoint. If given twice, use fsck's -f option as well.

Additional arguments passed through to mount. Could be like "'-o noatime'".

CRYPTSETUP FORMAT OPTIONS
-------------------------

*-S (in bits, default=128)*::
Cipher size used for encryption. Usually 128, 192 or 256 (but higher
may also be possible).

*-C (default=aes-cbc-essiv:sha256)*::
Cipher mode, should be aes-plain for pre-2.6.10. Have a look at /proc/crypto for

*-I (in seconds, default=1)*::
The number of seconds to spend with PBKDF2 password processing. This time
is consumed for every key operation (format, start).

Additional arguments to cryptsetup's luksFormat.

*Default/Secure mode (no -o or -z given)*::
This is the default mode. It should be quite secure. The <device/file> gets
initialised with /dev/urandom. The exception is an already existing file
combined with -f, where NO initialisation is done (all other modes behave as usual).

*Optimized secure mode (-o)*::
Only the first 2MB of the <device/file> are initialised with
/dev/urandom. The encryption will be initialised and then the whole
encrypted device is filled with /dev/zero.

*Insecure mode (-z)*::
Only the first 2MB of the <device/file> are initialised with
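
Added example (not part of grml-crypt or its manual page): a dry-run shell function that prints the command order listed under the format action for each initialisation mode, without executing anything. The mapping name, loop device, filesystem and exact command arguments are assumptions, and for insecure mode it prints only the 2MB header write.

```shell
#!/bin/sh
# Dry run: print the commands behind "grml-crypt format" for one
# initialisation mode. Nothing is executed; arguments are assumptions.
# usage: format_plan MODE TARGET [MOUNTPOINT]
#   MODE is secure (default), optimized (-o) or insecure (-z)
format_plan() {
    mode=$1; target=$2; mnt=${3:-}
    name=example-crypt      # hypothetical device-mapper name
    fs=ext2                 # hypothetical filesystem choice (-t)
    case $mode in
        secure|optimized|insecure) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    dev=$target
    case $target in
        /dev/*) ;;          # simplification: treat /dev/* as a block device
        *)  # file mode: attach the image to a loop device first
            dev=/dev/loop0  # placeholder loop device
            echo "losetup $dev $target" ;;
    esac
    if [ "$mode" = secure ]; then
        # whole device from /dev/urandom (slow on large devices)
        echo "dd if=/dev/urandom of=$dev bs=1M"
    else
        # only the 2MB LUKS header area gets random data
        echo "dd if=/dev/urandom of=$dev bs=1M count=2"
    fi
    # defaults from this page: -C, -S 128, -I 1 (cryptsetup takes milliseconds)
    echo "cryptsetup luksFormat --cipher aes-cbc-essiv:sha256 --key-size 128 --iter-time 1000 $dev"
    echo "cryptsetup luksOpen $dev $name"
    if [ "$mode" = optimized ]; then
        # zeros written through the mapping reach the disk as ciphertext
        echo "dd if=/dev/zero of=/dev/mapper/$name bs=1M"
    fi
    echo "mkfs -t $fs /dev/mapper/$name"
    if [ -n "$mnt" ]; then
        echo "mount /dev/mapper/$name $mnt"
    fi
    return 0
}

# Print the plan for the first example below (optimized mode on a partition).
format_plan optimized /dev/hda4 /media/tmp
```
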

*grml-crypt -t xfs -o format /dev/hda4 /media/tmp*::
Formats /dev/hda4 with xfs, applies optimized initialisation rules and
mounts it to /media/tmp

*grml-crypt -t ext2 -z format /home/user/test.img /media/tmp*::
Creates /home/user/test.img with 10MB and applies only insecure
initialisation rules. Creates an ext2 filesystem on it and mounts it to

*grml-crypt -f -S 256 -C aes-plain -I 2 -A --verify-passphrase -m \'-o noatime\' -vvv format img /media/tmp*::
Reuses the image img with no initialisation. The encryption is established
with aes-plain with 256 bit keysize and an iteration time of 2 seconds.
Cryptsetup is advised to verify the password by asking for it twice. Mounts
it to /media/tmp with '-o noatime' and prints what is going on (-vvv).

*grml-crypt -t ext2 -z format /dev/external1*::
Formats your USB stick, which hopefully is located at
/dev/external1 (please verify!), with ext2 and nearly no initialisation. You
could give the format action a mountpoint too. In this case your
crypto-partition gets mounted on that mountpoint as well.

*grml-crypt start /dev/external1 /media/tmp*::
Asks you for the right passphrase for your crypto-partition
and tries to mount it to /media/tmp.

*grml-crypt stop /media/tmp*::
Removes your crypto-partition cleanly from the system
(umount, cryptsetup luksClose, [losetup -d]).

ENCRYPTED LOOPFILESYSTEM ON USBSTICK
------------------------------------

*mount /media/external1*::
Mounts your USB stick on /media/external1 (please verify!).

*grml-crypt -o -t vfat -s 50 format /media/external1/secure.img /media/tmp*::
Creates a 50MB file, encrypted with the default options
and vfat (also known as fat32). The optimized initialisation mode will
be used for this file (without -o this could take a REALLY long time). This
command _also_ starts your cryptofile and mounts it on /media/tmp.

*grml-crypt stop /media/tmp*::
Removes your crypto-partition cleanly from the system
(umount, cryptsetup luksClose, [losetup -d]).

*umount /media/external1*::

grml-crypt was written by Michael Gebetsroither <michael.geb@gmx.at>.

This manual page was written by Michael Gebetsroither <gebi@grml.org>.