1
0
forked from ports/contrib
contrib/grml-crypt/grml-crypt.8

184 lines
6.5 KiB
Groff
Raw Normal View History

2006-10-22 15:19:50 +02:00
.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "GRML-CRYPT" 8 "" "" ""
.SH NAME
grml-crypt \- Wrapper around cryptsetup/losetup/mkfs/mount
.SH "SYNOPSIS"
\fBgrml\-crypt\fR [OPTIONS] \fIaction\fR <device/file> \fI[mountpoint]\fR
.SH "DESCRIPTION"
\fBgrml\-crypt\fR is a program that provides an easy wrapper around cryptsetup, mkfs, losetup and mount\&. You could create a loopback mountet crypted filesystem with only one command, but grml\-crypt works for normal devices also\&.
.SH "ACTIONS"
.TP
\fBformat <device/file> [mountpoint]\fR
This command "formats" a device/file\&. If the second parameter is not a blockdevice grml\-crypt assumes that it should operate in file modus\&. If the file does not already exist it will be created with the given size\&. The first 2MB of a device (luks header) are initialised with /dev/urandom, the other space is initialised with the given initialisation\&. If grml\-crypt is in file modus the first 2MB of the loop file are also initialised with /dev/urandom except where the file already exist (with \-f vor overwriting)\&. Commands: [losetup], dd, cryptsetup luksFormat, cryptsetup luksOpen, [dd], mkfs, [mount]
.TP
\fBstart <device/file> <mountpoint>\fR
This command starts a encrypted device/file and mounts it to the given mountpoint\&. Commands: [losetup], cryptsetup luksOpen, mount
.TP
\fBstop <mountpoint>\fR
This command stops a encrypted filesystem mountet at mountpoint\&. Even the loopdevice gets destroyed with this command\&. Commands: mount, dmsetup info, cryptsetup status, umount, cryptsetup luksClose, [losetup \-d]
.TP
\fBhelp\fR
Show the help message\&.
.SH "OPTIONS"
.TP
\fB\-h, help\fR
Show summary of options\&.
.TP
\fB\-v\fR
Show what is going on (more v => more out)\&.
.TP
\fB\-s (in MB, default=10)\fR
Give the size of loopfilesystem grml\-crypt should create\&.
.TP
\fB\-t (default=vfat)\fR
Give the type of the filesystem grml\-crypt should create\&. /sbin/mkfs\&.<your choosen filesystem> should exist\&.
.TP
\fB\-r\fR
Read\-only mode\&. The device mapping AND the mountpoint will be made read\-only\&. In format mode only the mountpoint could be made read\-only\&.
.TP
\fB\-z\fR
Insecure initialisation mode
.TP
\fB\-o\fR
Optimized initialisation mode
.TP
\fB\-y\fR
Verifies the password by asking for it twice during creation\&.
.TP
\fB\-f\fR
Force overwriting and/or disable confirmation dialog\&. If the second parameter to format is an existing file and force is given, then the file will be used for the encrypted loop filesystem\&. ATTENTION: the file should be bigger than 2MB for LUKS only + the constraints from the filesystems itself (eg\&. xfs needs a minimum of 4096 blocks)\&.
.TP
\fB\-m\fR
Additional arguments passed through to mount\&. Could be like "\fI\-o noatime\fR"\&.
.SH "CRYPTSETUP FORMAT OPTIONS"
.TP
\fB\-S (in bits, default=128)\fR
Cipher size used for the encryption\&. Usually 128, 192 or 256 (but higher maybe also possible)
.TP
\fB\-C (default=aes\-cbc\-essiv:sha256)\fR
Cipher mode, should be aes\-plain for pre\-2\&.6\&.10\&. Look at /proc/crypto for other ciphers\&.
.TP
\fB\-I (in seconds, default=1)\fR
The number of seconds to spend with PBKDF2 password processing\&. This time is comsumed for every key operation (format, start)\&.
.TP
\fB\-A (default="")\fR
Additional arguments to cryptsetup luksFormat\&.
.SH "INITIALISATION MODES"
.TP
\fBDefault/Secure mode (no \-o or \-z given)\fR
This mode is the default\&. It should be quite secure\&. The device/file gets initialised with /dev/urandom\&. Except with an already existing file and \-f, where NO initialisation will be done (all other modes behave as usual)\&.
.TP
\fBOptimized secure mode (\-o)\fR
In this mode only the first 2MB of the device/file are initialised with /dev/urandom\&. The encryption will be initialised and then the whole encrypted device is filled with /dev/zero\&.
.TP
\fBInsecure mode (\-z)\fR
In this mode only the first 2MB of the device/file are initialised with /dev/urandom\&.
.SH "EXAMPLES"
.TP
\fBgrml\-crypt \-t xfs \-o format /dev/hda4 /mnt/tmp\fR
Formats /dev/hda4 with xfs and apply optimized initialisation rules and mount it to /mnt/tmp
.TP
\fBgrml\-crypt \-t ext2 \-z format /home/user/test\&.img /mnt/tmp\fR
Creates /home/user/test\&.img with 10MB and apply only insecure initialisation rules\&. Create an ext2 filesystem on it and mount it to /mnt/tmp\&.
.TP
\fBgrml\-crypt \-f \-S 256 \-C aes\-plain \-I 2 \-A \-\-verify\-passphrase \-m '\-o noatime' \-vvv format img /mnt/tmp\fR
Reuses the image img with no initialisation\&. The encryption is established with aes\-plain with 256 bit keysize and an iteration time of 2 seconds\&. Cryptsetup is advised to verify the password by asking for it twice\&. Mount it to /mnt/tmp with \fI\-o noatime\fR\&. And print what is going on (\-vvv)\&.
.SH "ENCRYPT AN USBSTICK"
.TP
\fBgrml\-crypt \-t ext2 \-z format /dev/external1\fR
This command formats your usbstick which hopely is at /dev/external1 (please verify!!) with ext2 and nearly no initialisation\&. You could als give the format action a mountpoint\&. In this case your crypto\-partition gets also mounted on this mountpoint\&.
.TP
\fBgrml\-crypt start /dev/external1 /mnt/tmp\fR
This command asks you for the right passphrase for your crypto\-partition and tries to mount it to /mnt/tmp\&.
.TP
\fBgrml\-crypt stop /mnt/tmp\fR
This command removes your crypto\-partition cleanly out of the system (umount, cryptsetup luksClose, [losetup \-d])\&.
.SH "ENCRYPTED LOOPFILESYSTEM ON USBSTICK"
.TP
\fBmount /mnt/external1\fR
To mount your usb\-stick on /mnt/external1 (please verify!!)\&.
.TP
\fBgrml\-crypt \-o \-t vfat \-s 50 /mnt/external1/secure\&.img /mnt/tmp\fR
This command creates a 50MB big file, encrypted with the default options and with vfat (also known as fat32)\&. The optimized initialisation mode will be used for this file (without \-o this could take REALLY LONG)\&. This command _also_ starts your cryptofile and mounts it on /mnt/tmp
.TP
\fBgrml\-crypt stop /mnt/tmp\fR
This command removes your crypto\-partition cleanly out of the system (umount, cryptsetup luksClose, [losetup \-d])\&.
.TP
\fBumount /mnt/external1\fR
Guess what ;)?
.SH "SEE ALSO"
cryptsetup(8)
.SH "AUTHOR"
grml\-crypt was written by Michael Gebetsroither <michael\&.geb@gmx\&.at>\&.
This manual page was written by Michael Gebetsroither <gebi@grml\&.org>\&.