6 grml-crypt - Wrapper around cryptsetup/losetup/mkfs/mount
11 *grml-crypt* [OPTIONS] 'action' <device/file> '[mountpoint]'
16 *grml-crypt* is a program that
17 provides an easy wrapper around cryptsetup, mkfs, losetup and mount. You
18 could create a loopback mounted crypted filesystem with only one command, but
19 grml-crypt works for normal devices as well.
24 *format <device/file> [mountpoint]*::
25 "Formats" a <device/file>. If the second parameter is not a
26 block device grml-crypt assumes that it should operate in file modus. If the
27 file does not already exist it will be created with the given size. The
28 first 2MB of a device (luks header) are initialised with /dev/urandom, the
29 other space with the given initialisation. If grml-crypt is in file modus
30 the first 2MB of the loop file are also initialised with /dev/urandom except
31 where the file already exists (use -f for overwriting).
32 Commands: [losetup], dd, cryptsetup luksFormat, cryptsetup
33 luksOpen, [dd], mkfs, [mount]
35 *start <device/file> <mountpoint>*::
36 Starts an encrypted <device/file> and mounts it to the given
37 mountpoint. Commands: [losetup], cryptsetup luksOpen, mount
40 Stops an encrypted filesystem mounted at <mountpoint>. Even the
41 loopdevice gets destroyed with this command. Commands: mount, dmsetup info,
42 cryptsetup status, umount, cryptsetup luksClose, [losetup -d]
45 Shows the help message.
51 Shows summary of options.
54 Shows what is going on (more v => more out).
56 *-s (in MB, default=10)*::
57 Gives the size of loop filesystem grml-crypt should create.
60 Gives the type of the filesystem grml-crypt should create. /sbin/mkfs.<your
61 choosen filesystem> should exist.
64 Read-only mode. The device mapping AND the mountpoint will be made
65 read-only. In format mode only the mountpoint can be made read-only.
68 Insecure initialisation mode
71 Optimized initialisation mode
74 Verifies the password by asking for it twice during creation.
77 Forces overwriting and/or disable confirmation dialog. If the second
78 parameter to format is an existing file and force is given, then the file
79 will be used for the encrypted loop filesystem. ATTENTION: the file should
80 be bigger than 2MB for LUKS only + the constraints from the filesystems
81 itself (eg. xfs needs a minimum of 4096 blocks).
84 Additional arguments passed through to mount. Could be like "'-o noatime'".
87 CRYPTSETUP FORMAT OPTIONS
88 -------------------------
90 *-S (in bits, default=128)*::
91 Cipher size used for encryption. Usually 128, 192 or 256 (but higher
92 may also be possible).
94 *-C (default=aes-cbc-essiv:sha256)*::
95 Cipher mode, should be aes-plain for pre-2.6.10. Have a look at /proc/crypto for
98 *-I (in seconds, default=1)*::
99 The number of seconds to spend with PBKDF2 password processing. This time
100 is consumed for every key operation (format, start).
103 Additional arguments to cryptsetup's luksFormat.
109 *Default/Secure mode (no -o or -z given)*::
110 This is the default mode. It should be quite secure. The <device/file> gets
111 initialised with /dev/urandom. Except with an already existing file and
112 -f, where NO initialisation will be done (all other modes behave as usual).
114 *Optimized secure mode (-o)*::
115 Only the first 2MB of the <device/file> are initialised with
116 /dev/urandom. The encryption will be initialised and then the whole
117 encrypted device is filled with /dev/zero.
119 *Insecure mode (-z)*::
120 Only the first 2MB of the <device/file> are initialised with
127 *grml-crypt -t xfs -o format /dev/hda4 /mnt/tmp*::
128 Formats /dev/hda4 with xfs and applies optimized initialisation rules and
129 mounts it to /mnt/tmp
131 *grml-crypt -t ext2 -z format /home/user/test.img /mnt/tmp*::
132 Creates /home/user/test.img with 10MB and applies only insecure
133 initialisation rules. Creates an ext2 filesystem on it and mounts it to
136 *grml-crypt -f -S 256 -C aes-plain -I 2 -A --verify-passphrase -m \'-o noatime\' -vvv format img /mnt/tmp*::
137 Reuses the image img with no initialisation. The encryption is established
138 with aes-plain with 256 bit keysize and an iteration time of 2 seconds.
139 Cryptsetup is advised to verify the password by asking for it twice. Mounts
140 it to /mnt/tmp with '-o noatime'. And prints what is going on (-vvv).
146 *grml-crypt -t ext2 -z format /dev/external1*::
147 Formats your usbstick which hopefully is located at
148 /dev/external1 (please verify!) with ext2 and nearly no initialisation. You
149 could give the format action a mountpoint too. In this case your
150 crypto-partition gets mounted on that mountpoint as well.
152 *grml-crypt start /dev/external1 /mnt/tmp*::
153 Asks you for the right passphrase for your crypto-partition
154 and tries to mount it to /mnt/tmp.
156 *grml-crypt stop /mnt/tmp*::
157 Removes your crypto-partition cleanly out of the system
158 (umount, cryptsetup luksClose, [losetup -d]).
161 ENCRYPTED LOOPFILESYSTEM ON USBSTICK
162 ------------------------------------
164 *mount /mnt/external1*::
165 Mounts your usb-stick on /mnt/external1 (please verify!).
167 *grml-crypt -o -t vfat -s 50 format /mnt/external1/secure.img /mnt/tmp*::
168 Creates a 50MB big file, encrypted with the default options
169 and vfat (also known as fat32). The optimized initialisation mode will
170 be used for this file (without -o this could take REALLY LONG). This
171 command _also_ starts your cryptofile and mounts it on /mnt/tmp.
173 *grml-crypt stop /mnt/tmp*::
174 Removes your crypto-partition cleanly out of the system
175 (umount, cryptsetup luksClose, [losetup -d]).
177 *umount /mnt/external1*::
188 grml-crypt was written by Michael Gebetsroither <michael.geb@gmx.at>.
190 This manual page was written by Michael Gebetsroither <gebi@grml.org>.