Cryptsetup hints¶
The cryptsetup action to set up a new dm-crypt device in LUKS encryption mode is luksFormat:
cryptsetup -v --cipher aes-xts-plain64 --key-size 256 --hash sha 256 --iter-time 2000 --use-urandom --verify-passphrase luksFormat crypt --batch-mode
where crypt
is the new device located to /dev/mapper/crypt
.
To open and mount to /export
an encrypted device:
cryptsetup luksOpen /dev/vdb crypt
mount /dev/mapper/crypt /export
To show LUKS device info:
dmsetup info /dev/mapper/crypt
To umount and close an encrypted device:
umount /export
cryptsetup close crypt
To force LUKS volume removal:
dmsetup remove /dev/mapper/crypt
Note
Run as root.
Change LUKS password¶
LUKS provides 8 slots for passwords or key files. First, check, which of them are used:
cryptsetup luksDump /dev/<device> | grep Slot
where the output, for example, looks like:
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Then you can add, change or delete chosen keys:
cryptsetup luksAddKey /dev/<device> (/path/to/<additionalkeyfile>)
cryptsetup luksChangeKey /dev/<device> -S 6
As for deleting keys, you have 2 options:
delete any key that matches your entered password:
cryptsetup luksRemoveKey /dev/<device>
delete a key in specified slot:
cryptsetup luksKillSlot /dev/<device> 6