Michael Gebetsroither <michael.geb@gmx.at>

grml-crypt - Wrapper around cryptsetup/losetup/mkfs/mount

*grml-crypt* [OPTIONS] 'action' <device/file> '[mountpoint]'

*grml-crypt* is a program that
provides an easy wrapper around cryptsetup, mkfs, losetup and mount. You
can create a loopback-mounted encrypted filesystem with a single command;
grml-crypt also works on regular block devices.

*format <device/file> [mountpoint]*::
This command "formats" a device/file. If the second parameter is not a
block device, grml-crypt assumes that it should operate in file mode. If the
file does not already exist, it will be created with the given size. The
first 2MB of a device (LUKS header) are initialised with /dev/urandom; the
remaining space is initialised according to the chosen initialisation mode.
If grml-crypt is in file mode, the first 2MB of the loop file are also
initialised with /dev/urandom, except where the file already exists (with -f
for overwriting). Commands: [losetup], dd, cryptsetup luksFormat, cryptsetup
luksOpen, [dd], mkfs, [mount]

*start <device/file> <mountpoint>*::
This command starts an encrypted device/file and mounts it to the given
mountpoint. Commands: [losetup], cryptsetup luksOpen, mount

This command stops an encrypted filesystem mounted at mountpoint. The
loop device is also destroyed by this command. Commands: mount, dmsetup info,
cryptsetup status, umount, cryptsetup luksClose, [losetup -d]

Show the help message.

Show summary of options.

Show what is going on (more v => more output).

*-s (in MB, default=10)*::
Size of the loop filesystem grml-crypt should create.

Type of the filesystem grml-crypt should create. /sbin/mkfs.<your
chosen filesystem> should exist.

Read-only mode. The device mapping AND the mountpoint will be made
read-only. In format mode only the mountpoint can be made read-only.

Insecure initialisation mode

Optimized initialisation mode

Verifies the password by asking for it twice during creation.

Force overwriting and/or disable confirmation dialog. If the second
parameter to format is an existing file and force is given, then the file
will be used for the encrypted loop filesystem. ATTENTION: the file should
be bigger than 2MB for LUKS only + the constraints from the filesystem
itself (e.g. xfs needs a minimum of 4096 blocks).

Additional arguments passed through to mount. For example "'-o noatime'".

CRYPTSETUP FORMAT OPTIONS
-------------------------

*-S (in bits, default=128)*::
Cipher size used for the encryption. Usually 128, 192 or 256 (but higher

*-C (default=aes-cbc-essiv:sha256)*::
Cipher mode, should be aes-plain for pre-2.6.10. Look at /proc/crypto for

*-I (in seconds, default=1)*::
The number of seconds to spend with PBKDF2 password processing. This time
is consumed for every key operation (format, start).

Additional arguments to cryptsetup luksFormat.

*Default/Secure mode (no -o or -z given)*::
This mode is the default. It should be quite secure. The device/file gets
initialised with /dev/urandom. The exception is an already existing file
used with -f, where NO initialisation is done (all other modes behave as
usual).

*Optimized secure mode (-o)*::
In this mode only the first 2MB of the device/file are initialised with
/dev/urandom. The encryption will be initialised and then the whole
encrypted device is filled with /dev/zero.

*Insecure mode (-z)*::
In this mode only the first 2MB of the device/file are initialised with
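
The command sequence behind *format* for the default and -o modes, written out as a dry run that only prints the commands (an added example, not part of grml-crypt itself). The function name `plan_format`, the mapping name `example-crypt`, the `/dev/loopN` placeholder and the zero-filled file creation step are assumptions.

```shell
#!/bin/sh
# Dry run: print the commands behind "format" for two initialisation modes.
# Nothing is executed, so no root is needed and no device is touched.
# Hypothetical names: plan_format, example-crypt, /dev/loopN.

# plan_format MODE KIND TARGET FSTYPE [SIZE_MB]
#   MODE: default | optimized (-o)    KIND: dev | file
plan_format() {
    mode=$1; kind=$2; target=$3; fstype=$4; size_mb=${5:-10}
    map=example-crypt                 # hypothetical mapping name
    case $mode in default|optimized) ;; *) echo "bad mode: $mode" >&2; return 2 ;; esac
    case $kind in dev|file) ;; *) echo "bad kind: $kind" >&2; return 2 ;; esac

    dev=$target
    if [ "$kind" = file ]; then
        # Assumption: the file is created zero-filled at the requested size.
        echo "dd if=/dev/zero of=$target bs=1M count=$size_mb"
        echo "losetup /dev/loopN $target"
        dev=/dev/loopN                # placeholder for the allocated loop device
    fi

    if [ "$mode" = default ]; then
        # Whole device gets random data; dd stops when the device is full.
        echo "dd if=/dev/urandom of=$dev bs=1M"
    else
        # -o: only the 2MB LUKS header area is randomised up front.
        echo "dd if=/dev/urandom of=$dev bs=1M count=2"
    fi

    # Page defaults: aes-cbc-essiv:sha256, 128 bit, 1 second (--iter-time is in ms).
    echo "cryptsetup --cipher aes-cbc-essiv:sha256 --key-size 128 --iter-time 1000 luksFormat $dev"
    echo "cryptsetup luksOpen $dev $map"

    if [ "$mode" = optimized ]; then
        # Zeros written through the mapping reach the disk as ciphertext.
        echo "dd if=/dev/zero of=/dev/mapper/$map bs=1M"
    fi
    echo "mkfs -t $fstype /dev/mapper/$map"
}

plan_format optimized dev /dev/hda4 xfs
```

In -o mode the bulk fill happens after luksOpen and goes through the mapping, which is why a /dev/zero source still leaves only ciphertext on the underlying device.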

*grml-crypt -t xfs -o format /dev/hda4 /mnt/tmp*::
Formats /dev/hda4 with xfs and applies optimized initialisation rules and

*grml-crypt -t ext2 -z format /home/user/test.img /mnt/tmp*::
Creates /home/user/test.img with 10MB and applies only insecure
initialisation rules. Creates an ext2 filesystem on it and mount it to

*grml-crypt -f -S 256 -C aes-plain -I 2 -A --verify-passphrase -m \'-o noatime\' -vvv format img /mnt/tmp*::
Reuses the image img with no initialisation. The encryption is established
with aes-plain with 256 bit keysize and an iteration time of 2 seconds.
Cryptsetup is instructed to verify the password by asking for it twice. The
image is mounted to /mnt/tmp with '-o noatime', and grml-crypt prints what is
going on (-vvv).

*grml-crypt -t ext2 -z format /dev/external1*::
This command formats your USB stick, which is hopefully at /dev/external1
(please verify!!), with ext2 and nearly no initialisation. You can also
give the format action a mountpoint. In this case your crypto-partition
also gets mounted on this mountpoint.

*grml-crypt start /dev/external1 /mnt/tmp*::
This command asks you for the right passphrase for your crypto-partition
and tries to mount it to /mnt/tmp.

*grml-crypt stop /mnt/tmp*::
This command removes your crypto-partition cleanly out of the system
(umount, cryptsetup luksClose, [losetup -d]).

ENCRYPTED LOOPFILESYSTEM ON USBSTICK
------------------------------------

*mount /mnt/external1*::
To mount your USB stick on /mnt/external1 (please verify!!).

*grml-crypt -o -t vfat -s 50 /mnt/external1/secure.img /mnt/tmp*::
This command creates a 50MB file, encrypted with the default options
and with vfat (also known as fat32). The optimized initialisation mode will
be used for this file (without -o this could take REALLY LONG). This
command _also_ starts your cryptofile and mounts it on /mnt/tmp

*grml-crypt stop /mnt/tmp*::
This command removes your crypto-partition cleanly out of the system
(umount, cryptsetup luksClose, [losetup -d]).

*umount /mnt/external1*::

grml-crypt was written by Michael Gebetsroither <michael.geb@gmx.at>.

This manual page was written by Michael Gebetsroither <gebi@grml.org>.