.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "GRML-CRYPT" 8 "" "" ""
.SH NAME
grml-crypt \- Wrapper around cryptsetup/losetup/mkfs/mount
.SH "SYNOPSIS"
\fBgrml\-crypt\fR [OPTIONS] \fIaction\fR \fI[mountpoint]\fR
.SH "DESCRIPTION"
\fBgrml\-crypt\fR is a program that provides an easy wrapper around cryptsetup, mkfs, losetup and mount\&. You can create a loopback\-mounted encrypted filesystem with only one command, and grml\-crypt also works on normal devices\&.
.SH "ACTIONS"
.TP
\fBformat [mountpoint]\fR
This command "formats" a device/file\&. If the second parameter is not a block device, grml\-crypt assumes that it should operate in file mode\&. If the file does not already exist, it will be created with the given size\&. The first 2MB of a device (LUKS header) are initialised with /dev/urandom; the remaining space is initialised according to the given initialisation mode\&. In file mode the first 2MB of the loop file are also initialised with /dev/urandom, except where the file already exists (with \-f for overwriting)\&.
Commands: [losetup], dd, cryptsetup luksFormat, cryptsetup luksOpen, [dd], mkfs, [mount]
.TP
\fBstart \fR
This command starts an encrypted device/file and mounts it on the given mountpoint\&.
Commands: [losetup], cryptsetup luksOpen, mount
.TP
\fBstop \fR
This command stops an encrypted filesystem mounted at mountpoint\&. The loop device is also destroyed by this command\&.
Commands: mount, dmsetup info, cryptsetup status, umount, cryptsetup luksClose, [losetup \-d]
.TP
\fBhelp\fR
Show the help message\&.
.SH "OPTIONS"
.TP
\fB\-h, help\fR
Show summary of options\&.
.TP
\fB\-v\fR
Show what is going on (more v => more output)\&.
.TP
\fB\-s (in MB, default=10)\fR
Size of the loop filesystem grml\-crypt should create\&.
.TP
\fB\-t (default=vfat)\fR
Type of the filesystem grml\-crypt should create\&. /sbin/mkfs\&. should exist\&.
.TP
\fB\-r\fR
Read\-only mode\&. The device mapping AND the mountpoint will be made read\-only\&. In format mode only the mountpoint can be made read\-only\&.
.TP
\fB\-z\fR
Insecure initialisation mode
.TP
\fB\-o\fR
Optimized initialisation mode
.TP
\fB\-y\fR
Verifies the password by asking for it twice during creation\&.
.TP
\fB\-f\fR
Force overwriting and/or disable the confirmation dialog\&. If the second parameter to format is an existing file and force is given, then the file will be used for the encrypted loop filesystem\&. ATTENTION: the file should be bigger than the 2MB needed for LUKS alone, plus the constraints of the filesystem itself (eg\&. xfs needs a minimum of 4096 blocks)\&.
.TP
\fB\-m\fR
Additional arguments passed through to mount\&. For example "\fI\-o noatime\fR"\&.
.SH "CRYPTSETUP FORMAT OPTIONS"
.TP
\fB\-S (in bits, default=128)\fR
Cipher size used for the encryption\&. Usually 128, 192 or 256 (higher values may also be possible)\&.
.TP
\fB\-C (default=aes\-cbc\-essiv:sha256)\fR
Cipher mode, should be aes\-plain for pre\-2\&.6\&.10\&. Look at /proc/crypto for other ciphers\&.
.TP
\fB\-I (in seconds, default=1)\fR
The number of seconds to spend on PBKDF2 password processing\&. This time is consumed for every key operation (format, start)\&.
.TP
\fB\-A (default="")\fR
Additional arguments to cryptsetup luksFormat\&.
.SH "INITIALISATION MODES"
.TP
\fBDefault/Secure mode (no \-o or \-z given)\fR
This mode is the default\&. It should be quite secure\&. The device/file is initialised with /dev/urandom, except for an already existing file used with \-f, where NO initialisation will be done (all other modes behave as usual)\&.
.TP
\fBOptimized secure mode (\-o)\fR
In this mode only the first 2MB of the device/file are initialised with /dev/urandom\&.
The encryption will be initialised and then the whole encrypted device is filled with /dev/zero\&.
.TP
\fBInsecure mode (\-z)\fR
In this mode only the first 2MB of the device/file are initialised with /dev/urandom\&.
.SH "EXAMPLES"
.TP
\fBgrml\-crypt \-t xfs \-o format /dev/hda4 /mnt/tmp\fR
Formats /dev/hda4 with xfs, applies the optimized initialisation rules and mounts it on /mnt/tmp\&.
.TP
\fBgrml\-crypt \-t ext2 \-z format /home/user/test\&.img /mnt/tmp\fR
Creates /home/user/test\&.img with 10MB and applies only the insecure initialisation rules\&. Creates an ext2 filesystem on it and mounts it on /mnt/tmp\&.
.TP
\fBgrml\-crypt \-f \-S 256 \-C aes\-plain \-I 2 \-A \-\-verify\-passphrase \-m '\-o noatime' \-vvv format img /mnt/tmp\fR
Reuses the image img with no initialisation\&. The encryption is established with aes\-plain with a 256 bit key size and an iteration time of 2 seconds\&. Cryptsetup is instructed to verify the password by asking for it twice\&. The image is mounted on /mnt/tmp with \fI\-o noatime\fR, and grml\-crypt prints what is going on (\-vvv)\&.
.SH "ENCRYPT A USB STICK"
.TP
\fBgrml\-crypt \-t ext2 \-z format /dev/external1\fR
This command formats your USB stick, which hopefully is at /dev/external1 (please verify!!), with ext2 and nearly no initialisation\&. You can also give the format action a mountpoint\&. In this case your crypto\-partition is also mounted on this mountpoint\&.
.TP
\fBgrml\-crypt start /dev/external1 /mnt/tmp\fR
This command asks you for the right passphrase for your crypto\-partition and tries to mount it on /mnt/tmp\&.
.TP
\fBgrml\-crypt stop /mnt/tmp\fR
This command removes your crypto\-partition cleanly from the system (umount, cryptsetup luksClose, [losetup \-d])\&.
.SH "ENCRYPTED LOOP FILESYSTEM ON A USB STICK"
.TP
\fBmount /mnt/external1\fR
Mounts your USB stick on /mnt/external1 (please verify!!)\&.
.TP
\fBgrml\-crypt \-o \-t vfat \-s 50 format /mnt/external1/secure\&.img /mnt/tmp\fR
This command creates a 50MB file, encrypted with the default options and formatted with vfat (also known as fat32)\&. The optimized initialisation mode will be used for this file (without \-o this could take REALLY LONG)\&. This command _also_ starts your cryptofile and mounts it on /mnt/tmp\&.
.TP
\fBgrml\-crypt stop /mnt/tmp\fR
This command removes your crypto\-partition cleanly from the system (umount, cryptsetup luksClose, [losetup \-d])\&.
.TP
\fBumount /mnt/external1\fR
Guess what ;)?
.SH "SEE ALSO"
cryptsetup(8)
.SH "AUTHOR"
grml\-crypt was written by Michael Gebetsroither \&. This manual page was written by Michael Gebetsroither \&.
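.SH "ADDED EXAMPLE"
The INITIALISATION MODES above differ in how much of the device/file is overwritten before use\&. The following is an added example, not part of grml\-crypt or of its original manual page: it counts the 4096\-byte blocks after the first 2MB of an image file that are still entirely zero, which is how a newly created file reads wherever insecure mode (\-z) skipped initialisation and nothing has been written since\&. The function names and the constructed sample image are assumptions made for the illustration\&.
.PP
.nf
```shell
#!/bin/sh
# Added example: audit a container image for blocks that were never randomised.
BS=4096            # scan granularity in bytes
HEADER_BLOCKS=512  # 2MB / 4096: the region every grml-crypt mode fills from /dev/urandom

# Print "<all-zero blocks> <blocks scanned>" for everything after the first 2MB.
# A trailing partial block (file size not a multiple of BS) is ignored.
count_zero_blocks() {
    dd if="$1" bs="$BS" skip="$HEADER_BLOCKS" 2>/dev/null |
        od -An -v -tx1 |
        awk -v per=$(( BS / 16 )) '
            /[1-9a-f]/ { dirty = 1 }   # a non-zero byte on this 16-byte row
            NR % per == 0 {            # last row of the current block
                total++
                if (!dirty) zero++
                dirty = 0
            }
            END { print zero + 0, total + 0 }'
}

# Constructed sample (not a real LUKS container): a 2MB random header region,
# then 3 untouched zero blocks and 2 random blocks standing in for ciphertext
# written later. This layout is an assumption used only for the demonstration.
make_sample() {
    dd if=/dev/urandom of="$1" bs="$BS" count="$HEADER_BLOCKS" 2>/dev/null
    dd if=/dev/zero bs="$BS" count=3 2>/dev/null >> "$1"
    dd if=/dev/urandom bs="$BS" count=2 2>/dev/null >> "$1"
}

# Stand-alone use: pass the path of an image file to scan.
if [ $# -eq 1 ]; then
    count_zero_blocks "$1"
fi
```
.fi
.PP
A non\-zero first number means an observer of the raw file can tell untouched blocks from written ones; an image initialised in the default mode or with \-o should report 0\&.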