<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="generator" content="AsciiDoc 7.1.2" />
<title>GRML-CRYPT(8)</title>
<h1>GRML-CRYPT(8)</h1>
<div class="sectionbody">
<p>grml-crypt - Wrapper around cryptsetup/losetup/mkfs/mount</p>
<div class="sectionbody">
<p><strong>grml-crypt</strong> [OPTIONS] <em>action</em> &lt;device/file&gt; <em>[mountpoint]</em></p>
<h2>DESCRIPTION</h2>
<div class="sectionbody">
<p><strong>grml-crypt</strong> is a program that
provides an easy wrapper around cryptsetup, mkfs, losetup and mount. You
can create a loopback-mounted encrypted filesystem with only one command, but
grml-crypt works for normal devices as well.</p>
<div class="sectionbody">
<strong>format &lt;device/file&gt; [mountpoint]</strong>
"Formats" a &lt;device/file&gt;. If the second parameter is not a
block device, grml-crypt assumes that it should operate in file mode. If the
file does not already exist, it will be created with the given size. The
first 2MB of a device (LUKS header) are initialised with /dev/urandom, the
remaining space according to the given initialisation mode. In file mode
the first 2MB of the loop file are also initialised with /dev/urandom, except
where the file already exists (use -f for overwriting).
Commands: [losetup], dd, cryptsetup luksFormat, cryptsetup
luksOpen, [dd], mkfs, [mount]
<strong>start &lt;device/file&gt; &lt;mountpoint&gt;</strong>
Starts an encrypted &lt;device/file&gt; and mounts it to the given
mountpoint. Commands: [losetup], cryptsetup luksOpen, mount
<strong>stop &lt;mountpoint&gt;</strong>
Stops an encrypted filesystem mounted at &lt;mountpoint&gt;. The
loop device is also destroyed by this command. Commands: mount, dmsetup info,
cryptsetup status, umount, cryptsetup luksClose, [losetup -d]
<strong>help</strong>
Shows the help message.
<div class="sectionbody">
<strong>-h, help</strong>
Shows a summary of options.
<strong>-v</strong>
Shows what is going on (more v =&gt; more output).
<strong>-s (in MB, default=10)</strong>
Sets the size of the loop filesystem grml-crypt should create.
<strong>-t (default=vfat)</strong>
Sets the type of the filesystem grml-crypt should create. /sbin/mkfs.&lt;your
chosen filesystem&gt; should exist.
<strong>-r</strong>
Read-only mode. The device mapping AND the mountpoint will be made
read-only. In format mode only the mountpoint can be made read-only.
<strong>-z</strong>
Insecure initialisation mode
<strong>-o</strong>
Optimized initialisation mode
<strong>-y</strong>
Verifies the password by asking for it twice during creation.
<strong>-f</strong>
Forces overwriting and/or disables the confirmation dialog. If the second
parameter to format is an existing file and force is given, then the file
will be used for the encrypted loop filesystem. ATTENTION: the file should
be bigger than 2MB for LUKS alone, plus the constraints of the filesystem
itself (e.g. xfs needs a minimum of 4096 blocks).
<strong>-m</strong>
Additional arguments passed through to mount, for example "<em>-o noatime</em>".
<h2>CRYPTSETUP FORMAT OPTIONS</h2>
<div class="sectionbody">
<strong>-S (in bits, default=128)</strong>
Key size of the cipher used for encryption. Usually 128, 192 or 256 (but higher
may also be possible).
<strong>-C (default=aes-cbc-essiv:sha256)</strong>
Cipher mode, should be aes-plain for pre-2.6.10 kernels. Have a look at /proc/crypto for
<strong>-I (in seconds, default=1)</strong>
The number of seconds to spend on PBKDF2 password processing. This time
is consumed for every key operation (format, start).
<strong>-A (default="")</strong>
Additional arguments to cryptsetup's luksFormat.
<h2>INITIALISATION MODES</h2>
<div class="sectionbody">
<strong>Default/Secure mode (no -o or -z given)</strong>
This is the default mode. It should be quite secure. The &lt;device/file&gt; gets
initialised with /dev/urandom. The exception is an already existing file used with
-f, where NO initialisation will be done (all other modes behave as usual).
<strong>Optimized secure mode (-o)</strong>
Only the first 2MB of the &lt;device/file&gt; are initialised with
/dev/urandom. The encryption will be initialised and then the whole
encrypted device is filled with /dev/zero.
<strong>Insecure mode (-z)</strong>
Only the first 2MB of the &lt;device/file&gt; are initialised with
<div class="sectionbody">
<strong>grml-crypt -t xfs -o format /dev/hda4 /mnt/tmp</strong>
Formats /dev/hda4 with xfs, applies the optimized initialisation rules and
mounts it to /mnt/tmp
<strong>grml-crypt -t ext2 -z format /home/user/test.img /mnt/tmp</strong>
Creates /home/user/test.img with 10MB and applies only insecure
initialisation rules. Creates an ext2 filesystem on it and mounts it to
<strong>grml-crypt -f -S 256 -C aes-plain -I 2 -A --verify-passphrase -m '-o noatime' -vvv format img /mnt/tmp</strong>
Reuses the image img with no initialisation. The encryption is set up
with aes-plain with a 256 bit key size and an iteration time of 2 seconds.
Cryptsetup is instructed to verify the password by asking for it twice. Mounts
it to /mnt/tmp with <em>-o noatime</em> and prints what is going on (-vvv).
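<p>Added example, not part of grml-crypt or its manual: a dry-run planner that prints the command sequence the format action and the three initialisation modes above describe, without executing anything. It assumes a block device target, the default cipher options and vfat; the mapping name demo_crypt and the dd block size are made up, and insecure mode is taken to randomise the 2MB header area only, as the format action and the "nearly no initialisation" USB stick example indicate.</p>

```shell
#!/bin/sh
# Dry-run planner (added example, not grml-crypt source): prints the commands
# a "format" run roughly corresponds to, without executing any of them.
# Usage: plan_format MODE TARGET [SECONDS]   MODE = secure | optimized | insecure
# Assumptions: block device target, mapping name "demo_crypt", dd block size 1M.

HEADER_MB=2   # LUKS header area the man page says is always randomised

plan_format() {
    mode=$1 target=$2 secs=${3:-1}
    map=demo_crypt
    case $mode in
        secure)
            # whole target overwritten with random data before luksFormat
            echo "dd if=/dev/urandom of=$target bs=1M" ;;
        optimized|insecure)
            # only the header area gets random data
            echo "dd if=/dev/urandom of=$target bs=1M count=$HEADER_MB" ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2 ;;
    esac
    # -I is given in seconds; cryptsetup's --iter-time takes milliseconds
    echo "cryptsetup --cipher aes-cbc-essiv:sha256 --key-size 128 --iter-time $((secs * 1000)) luksFormat $target"
    echo "cryptsetup luksOpen $target $map"
    if [ "$mode" = optimized ]; then
        # zeros written through the mapping reach the disk as ciphertext,
        # so old plaintext is overwritten without reading /dev/urandom for it
        echo "dd if=/dev/zero of=/dev/mapper/$map bs=1M"
    fi
    echo "/sbin/mkfs.vfat /dev/mapper/$map"
}

# Number of dd passes a mode needs. Insecure mode has one short pass, so
# whatever was on the target outside the header stays there until overwritten.
dd_passes() {
    plan_format "$1" "$2" | grep -c '^dd '
}
```

<p>Comparing <code>plan_format insecure</code> with <code>plan_format optimized</code> shows the trade-off: the second dd pass is what removes previously stored data from the target.</p>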
<h2>ENCRYPT A USB STICK</h2>
<div class="sectionbody">
<strong>grml-crypt -t ext2 -z format /dev/external1</strong>
Formats your USB stick, which hopefully is located at
/dev/external1 (please verify!), with ext2 and nearly no initialisation. You
can give the format action a mountpoint too. In this case your
crypto-partition gets mounted on that mountpoint as well.
<strong>grml-crypt start /dev/external1 /mnt/tmp</strong>
Asks you for the right passphrase for your crypto-partition
and tries to mount it to /mnt/tmp.
<strong>grml-crypt stop /mnt/tmp</strong>
Removes your crypto-partition cleanly from the system
(umount, cryptsetup luksClose, [losetup -d]).
<h2>ENCRYPTED LOOP FILESYSTEM ON A USB STICK</h2>
<div class="sectionbody">
<strong>mount /mnt/external1</strong>
Mounts your USB stick on /mnt/external1 (please verify!).
<strong>grml-crypt -o -t vfat -s 50 format /mnt/external1/secure.img /mnt/tmp</strong>
Creates a 50MB file, encrypted with the default options
and vfat (also known as fat32). The optimized initialisation mode will
be used for this file (without -o this could take REALLY LONG). This
command <em>also</em> starts your cryptofile and mounts it on /mnt/tmp.
<strong>grml-crypt stop /mnt/tmp</strong>
Removes your crypto-partition cleanly from the system
(umount, cryptsetup luksClose, [losetup -d]).
<strong>umount /mnt/external1</strong>
<div class="sectionbody">
<p>cryptsetup(8)</p>
<div class="sectionbody">
<p>grml-crypt was written by Michael Gebetsroither &lt;michael.geb@gmx.at&gt;.</p>
<p>This manual page was written by Michael Gebetsroither &lt;gebi@grml.org&gt;.</p>
<div id="footer-text">
Last updated 28-Sep-2007 04:31:25 CEST