Clarify that we no longer support i586 but require i686+

[grml.org.git] / online-docs / grml-crypt.8.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"\r
    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">\r
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">\r
<head>\r
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />\r
<meta name="generator" content="AsciiDoc 7.1.2" />\r
<style type="text/css">\r
/* Debug borders */\r
p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {\r
/*\r
  border: 1px solid red;\r
*/\r
}\r
\r
body {\r
  margin: 1em 5% 1em 5%;\r
}\r
\r
a {\r
  color: blue;\r
  text-decoration: underline;\r
}\r
a:visited {\r
  color: fuchsia;\r
}\r
\r
em {\r
  font-style: italic;\r
}\r
\r
strong {\r
  font-weight: bold;\r
}\r
\r
tt {\r
  color: navy;\r
}\r
\r
h1, h2, h3, h4, h5, h6 {\r
  color: #527bbd;\r
  font-family: sans-serif;\r
  margin-top: 1.2em;\r
  margin-bottom: 0.5em;\r
  line-height: 1.3;\r
}\r
\r
h1 {\r
  border-bottom: 2px solid silver;\r
}\r
h2 {\r
  border-bottom: 2px solid silver;\r
  padding-top: 0.5em;\r
}\r
\r
div.sectionbody {\r
  font-family: serif;\r
  margin-left: 0;\r
}\r
\r
hr {\r
  border: 1px solid silver;\r
}\r
\r
p {\r
  margin-top: 0.5em;\r
  margin-bottom: 0.5em;\r
}\r
\r
pre {\r
  padding: 0;\r
  margin: 0;\r
}\r
\r
span#author {\r
  color: #527bbd;\r
  font-family: sans-serif;\r
  font-weight: bold;\r
  font-size: 1.2em;\r
}\r
span#email {\r
}\r
span#revision {\r
  font-family: sans-serif;\r
}\r
\r
div#footer {\r
  font-family: sans-serif;\r
  font-size: small;\r
  border-top: 2px solid silver;\r
  padding-top: 0.5em;\r
  margin-top: 4.0em;\r
}\r
div#footer-text {\r
  float: left;\r
  padding-bottom: 0.5em;\r
}\r
div#footer-badges {\r
  float: right;\r
  padding-bottom: 0.5em;\r
}\r
\r
div#preamble,\r
div.tableblock, div.imageblock, div.exampleblock, div.verseblock,\r
div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,\r
div.admonitionblock {\r
  margin-right: 10%;\r
  margin-top: 1.5em;\r
  margin-bottom: 1.5em;\r
}\r
div.admonitionblock {\r
  margin-top: 2.5em;\r
  margin-bottom: 2.5em;\r
}\r
\r
div.content { /* Block element content. */\r
  padding: 0;\r
}\r
\r
/* Block element titles. */\r
div.title, caption.title {\r
  font-family: sans-serif;\r
  font-weight: bold;\r
  text-align: left;\r
  margin-top: 1.0em;\r
  margin-bottom: 0.5em;\r
}\r
div.title + * {\r
  margin-top: 0;\r
}\r
\r
td div.title:first-child {\r
  margin-top: 0.0em;\r
}\r
div.content div.title:first-child {\r
  margin-top: 0.0em;\r
}\r
div.content + div.title {\r
  margin-top: 0.0em;\r
}\r
\r
div.sidebarblock > div.content {\r
  background: #ffffee;\r
  border: 1px solid silver;\r
  padding: 0.5em;\r
}\r
\r
div.listingblock > div.content {\r
  border: 1px solid silver;\r
  background: #f4f4f4;\r
  padding: 0.5em;\r
}\r
\r
div.quoteblock > div.content {\r
  padding-left: 2.0em;\r
}\r
\r
div.attribution {\r
  text-align: right;\r
}\r
div.verseblock + div.attribution {\r
  text-align: left;\r
}\r
\r
div.admonitionblock .icon {\r
  vertical-align: top;\r
  font-size: 1.1em;\r
  font-weight: bold;\r
  text-decoration: underline;\r
  color: #527bbd;\r
  padding-right: 0.5em;\r
}\r
div.admonitionblock td.content {\r
  padding-left: 0.5em;\r
  border-left: 2px solid silver;\r
}\r
\r
div.exampleblock > div.content {\r
  border-left: 2px solid silver;\r
  padding: 0.5em;\r
}\r
\r
div.verseblock div.content {\r
  white-space: pre;\r
}\r
\r
div.imageblock div.content { padding-left: 0; }\r
div.imageblock img { border: 1px solid silver; }\r
span.image img { border-style: none; }\r
\r
dl {\r
  margin-top: 0.8em;\r
  margin-bottom: 0.8em;\r
}\r
dt {\r
  margin-top: 0.5em;\r
  margin-bottom: 0;\r
  font-style: italic;\r
}\r
dd > *:first-child {\r
  margin-top: 0;\r
}\r
\r
ul, ol {\r
    list-style-position: outside;\r
}\r
ol.olist2 {\r
  list-style-type: lower-alpha;\r
}\r
\r
div.tableblock > table {\r
  border: 3px solid #527bbd;\r
}\r
thead {\r
  font-family: sans-serif;\r
  font-weight: bold;\r
}\r
tfoot {\r
  font-weight: bold;\r
}\r
\r
div.hlist {\r
  margin-top: 0.8em;\r
  margin-bottom: 0.8em;\r
}\r
td.hlist1 {\r
  vertical-align: top;\r
  font-style: italic;\r
  padding-right: 0.8em;\r
}\r
td.hlist2 {\r
  vertical-align: top;\r
}\r
\r
@media print {\r
  div#footer-badges { display: none; }\r
}\r
/* Workarounds for IE6's broken and incomplete CSS2. */\r
\r
div.sidebar-content {\r
  background: #ffffee;\r
  border: 1px solid silver;\r
  padding: 0.5em;\r
}\r
div.sidebar-title, div.image-title {\r
  font-family: sans-serif;\r
  font-weight: bold;\r
  margin-top: 0.0em;\r
  margin-bottom: 0.5em;\r
}\r
\r
div.listingblock div.content {\r
  border: 1px solid silver;\r
  background: #f4f4f4;\r
  padding: 0.5em;\r
}\r
\r
div.quoteblock-content {\r
  padding-left: 2.0em;\r
}\r
\r
div.exampleblock-content {\r
  border-left: 2px solid silver;\r
  padding-left: 0.5em;\r
}\r
</style>\r
<title>GRML-CRYPT(8)</title>\r
</head>\r
<body>\r
<div id="header">\r
<h1>GRML-CRYPT(8)</h1>\r
</div>\r
<h2>NAME</h2>\r
<div class="sectionbody">\r
<p>grml-crypt - Wrapper around cryptsetup/losetup/mkfs/mount</p>\r
</div>\r
<h2>SYNOPSIS</h2>\r
<div class="sectionbody">\r
<p><strong>grml-crypt</strong> [OPTIONS] <em>action</em> &lt;device/file&gt; <em>[mountpoint]</em></p>\r
</div>\r
<h2>DESCRIPTION</h2>\r
<div class="sectionbody">\r
<p><strong>grml-crypt</strong> is a program that\r
provides an easy wrapper around cryptsetup, mkfs, losetup and mount. You\r
could create a loopback mounted crypted filesystem with only one command, but\r
grml-crypt works for normal devices as well.</p>\r
</div>\r
<h2>ACTIONS</h2>\r
<div class="sectionbody">\r
<dl>\r
<dt>\r
<strong>format &lt;device/file&gt; [mountpoint]</strong>\r
</dt>\r
<dd>\r
<p>\r
    "Formats" a &lt;device/file&gt;. If the second parameter is not a\r
    block device grml-crypt assumes that it should operate in file modus. If the\r
    file does not already exist it will be created with the given size. The\r
    first 2MB of a device (luks header) are initialised with /dev/urandom, the\r
    other space with the given initialisation. If grml-crypt is in file modus\r
    the first 2MB of the loop file are also initialised with /dev/urandom except\r
    where the file already exists (use -f for overwriting).\r
    Commands: [losetup], dd, cryptsetup luksFormat, cryptsetup\r
    luksOpen, [dd], mkfs, [mount]\r
</p>\r
</dd>\r
<dt>\r
<strong>start &lt;device/file&gt; &lt;mountpoint&gt;</strong>\r
</dt>\r
<dd>\r
<p>\r
    Starts an encrypted &lt;device/file&gt; and mounts it to the given\r
    mountpoint. Commands: [losetup], cryptsetup luksOpen, mount\r
</p>\r
</dd>\r
<dt>\r
<strong>stop &lt;mountpoint&gt;</strong>\r
</dt>\r
<dd>\r
<p>\r
    Stops an encrypted filesystem mounted at &lt;mountpoint&gt;. Even the\r
    loopdevice gets destroyed with this command. Commands: mount, dmsetup info,\r
    cryptsetup status, umount, cryptsetup luksClose, [losetup -d]\r
</p>\r
</dd>\r
<dt>\r
<strong>help</strong>\r
</dt>\r
<dd>\r
<p>\r
  Shows the help message.\r
</p>\r
</dd>\r
</dl>\r
</div>\r
<h2>OPTIONS</h2>\r
<div class="sectionbody">\r
<dl>\r
<dt>\r
<strong>-h, help</strong>\r
</dt>\r
<dd>\r
<p>\r
Shows summary of options.\r
</p>\r
</dd>\r
<dt>\r
<strong>-v</strong>\r
</dt>\r
<dd>\r
<p>\r
Shows what is going on (more v =&gt; more out).\r
</p>\r
</dd>\r
<dt>\r
<strong>-s (in MB, default=10)</strong>\r
</dt>\r
<dd>\r
<p>\r
    Gives the size of loop filesystem grml-crypt should create.\r
</p>\r
</dd>\r
<dt>\r
<strong>-t (default=vfat)</strong>\r
</dt>\r
<dd>\r
<p>\r
    Gives the type of the filesystem grml-crypt should create. /sbin/mkfs.&lt;your\r
    choosen filesystem&gt; should exist.\r
</p>\r
</dd>\r
<dt>\r
<strong>-r</strong>\r
</dt>\r
<dd>\r
<p>\r
    Read-only mode. The device mapping AND the mountpoint will be made\r
    read-only. In format mode only the mountpoint can be made read-only.\r
</p>\r
</dd>\r
<dt>\r
<strong>-z</strong>\r
</dt>\r
<dd>\r
<p>\r
    Insecure initialisation mode\r
</p>\r
</dd>\r
<dt>\r
<strong>-o</strong>\r
</dt>\r
<dd>\r
<p>\r
    Optimized initialisation mode\r
</p>\r
</dd>\r
<dt>\r
<strong>-y</strong>\r
</dt>\r
<dd>\r
<p>\r
    Verifies the password by asking for it twice during creation.\r
</p>\r
</dd>\r
<dt>\r
<strong>-f</strong>\r
</dt>\r
<dd>\r
<p>\r
    Forces overwriting and/or disable confirmation dialog. If the second\r
    parameter to format is an existing file and force is given, then the file\r
    will be used for the encrypted loop filesystem. ATTENTION: the file should\r
    be bigger than 2MB for LUKS only + the constraints from the filesystems\r
    itself (eg. xfs needs a minimum of 4096 blocks).\r
</p>\r
</dd>\r
<dt>\r
<strong>-m</strong>\r
</dt>\r
<dd>\r
<p>\r
    Additional arguments passed through to mount. Could be like "<em>-o noatime</em>".\r
</p>\r
</dd>\r
</dl>\r
</div>\r
<h2>CRYPTSETUP FORMAT OPTIONS</h2>\r
<div class="sectionbody">\r
<dl>\r
<dt>\r
<strong>-S (in bits, default=128)</strong>\r
</dt>\r
<dd>\r
<p>\r
    Cipher size used for encryption. Usually 128, 192 or 256 (but higher\r
    may also be possible).\r
</p>\r
</dd>\r
<dt>\r
<strong>-C (default=aes-cbc-essiv:sha256)</strong>\r
</dt>\r
<dd>\r
<p>\r
    Cipher mode, should be aes-plain for pre-2.6.10. Have a look at /proc/crypto for\r
    other ciphers.\r
</p>\r
</dd>\r
<dt>\r
<strong>-I (in seconds, default=1)</strong>\r
</dt>\r
<dd>\r
<p>\r
    The number of seconds to spend with PBKDF2 password processing. This time\r
    is consumed for every key operation (format, start).\r
</p>\r
</dd>\r
<dt>\r
<strong>-A (default="")</strong>\r
</dt>\r
<dd>\r
<p>\r
    Additional arguments to cryptsetup's luksFormat.\r
</p>\r
</dd>\r
</dl>\r
</div>\r
<h2>INITIALISATION MODES</h2>\r
<div class="sectionbody">\r
<dl>\r
<dt>\r
<strong>Default/Secure mode (no -o or -z given)</strong>\r
</dt>\r
<dd>\r
<p>\r
    This is the default mode. It should be quite secure. The &lt;device/file&gt; gets\r
    initialised with /dev/urandom. Except with an already existing file and\r
    -f, where NO initialisation will be done (all other modes behave as usual).\r
</p>\r
</dd>\r
<dt>\r
<strong>Optimized secure mode (-o)</strong>\r
</dt>\r
<dd>\r
<p>\r
    Only the first 2MB of the &lt;device/file&gt; are initialised with\r
    /dev/urandom. The encryption will be initialised and then the whole\r
    encrypted device is filled with /dev/zero.\r
</p>\r
</dd>\r
<dt>\r
<strong>Insecure mode (-z)</strong>\r
</dt>\r
<dd>\r
<p>\r
    Only the first 2MB of the &lt;device/file&gt; are initialised with\r
    /dev/urandom.\r
</p>\r
</dd>\r
</dl>\r
</div>\r
<h2>EXAMPLES</h2>\r
<div class="sectionbody">\r
<dl>\r
<dt>\r
<strong>grml-crypt -t xfs -o format /dev/hda4 /mnt/tmp</strong>\r
</dt>\r
<dd>\r
<p>\r
    Formats /dev/hda4 with xfs and applies optimized initialisation rules and\r
    mounts it to /mnt/tmp\r
</p>\r
</dd>\r
<dt>\r
<strong>grml-crypt -t ext2 -z format /home/user/test.img /mnt/tmp</strong>\r
</dt>\r
<dd>\r
<p>\r
    Creates /home/user/test.img with 10MB and applies only insecure\r
    initialisation rules.  Creates an ext2 filesystem on it and mounts it to\r
    /mnt/tmp.\r
</p>\r
</dd>\r
<dt>\r
<strong>grml-crypt -f -S 256 -C aes-plain -I 2 -A &#8212;verify-passphrase -m '-o noatime' -vvv format img /mnt/tmp</strong>\r
</dt>\r
<dd>\r
<p>\r
    Reuses the image img with no initialisation. The encryption is established\r
    with aes-plain with 256 bit keysize and an iteration time of 2 seconds.\r
    Cryptsetup is advised to verify the password by asking for it twice. Mounts\r
    it to /mnt/tmp with <em>-o noatime</em>. And prints what is going on (-vvv).\r
</p>\r
</dd>\r
</dl>\r
</div>\r
<h2>ENCRYPT AN USBSTICK</h2>\r
<div class="sectionbody">\r
<dl>\r
<dt>\r
<strong>grml-crypt -t ext2 -z format /dev/external1</strong>\r
</dt>\r
<dd>\r
<p>\r
    Formats your usbstick which hopefully is located at\r
    /dev/external1 (please verify!) with ext2 and nearly no initialisation. You\r
    could give the format action a mountpoint too. In this case your\r
    crypto-partition gets mounted on that mountpoint as well.\r
</p>\r
</dd>\r
<dt>\r
<strong>grml-crypt start /dev/external1 /mnt/tmp</strong>\r
</dt>\r
<dd>\r
<p>\r
    Asks you for the right passphrase for your crypto-partition\r
    and tries to mount it to /mnt/tmp.\r
</p>\r
</dd>\r
<dt>\r
<strong>grml-crypt stop /mnt/tmp</strong>\r
</dt>\r
<dd>\r
<p>\r
    Removes your crypto-partition cleanly out of the system\r
    (umount, cryptsetup luksClose, [losetup -d]).\r
</p>\r
</dd>\r
</dl>\r
</div>\r
<h2>ENCRYPTED LOOPFILESYSTEM ON USBSTICK</h2>\r
<div class="sectionbody">\r
<dl>\r
<dt>\r
<strong>mount /mnt/external1</strong>\r
</dt>\r
<dd>\r
<p>\r
    Mounts your usb-stick on /mnt/external1 (please verify!).\r
</p>\r
</dd>\r
<dt>\r
<strong>grml-crypt -o -t vfat -s 50 format /mnt/external1/secure.img /mnt/tmp</strong>\r
</dt>\r
<dd>\r
<p>\r
    Creates a 50MB big file, encrypted with the default options\r
    and vfat (also known as fat32). The optimized initialisation mode will\r
    be used for this file (without -o this could take REALLY LONG).  This\r
    command _also_ starts your cryptofile and mounts it on /mnt/tmp.\r
</p>\r
</dd>\r
<dt>\r
<strong>grml-crypt stop /mnt/tmp</strong>\r
</dt>\r
<dd>\r
<p>\r
    Removes your crypto-partition cleanly out of the system\r
    (umount, cryptsetup luksClose, [losetup -d]).\r
</p>\r
</dd>\r
<dt>\r
<strong>umount /mnt/external1</strong>\r
</dt>\r
<dd>\r
<p>\r
    Guess what? ;)\r
</p>\r
</dd>\r
</dl>\r
</div>\r
<h2>SEE ALSO</h2>\r
<div class="sectionbody">\r
<p>cryptsetup(8)</p>\r
</div>\r
<h2>AUTHOR</h2>\r
<div class="sectionbody">\r
<p>grml-crypt was written by Michael Gebetsroither &lt;michael.geb@gmx.at&gt;.</p>\r
<p>This manual page was written by Michael Gebetsroither &lt;gebi@grml.org&gt;.</p>\r
</div>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated 28-Sep-2007 04:31:25 CEST\r
</div>\r
</div>\r
</body>\r
</html>\r