.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "GRML-CRYPT" 8 "" "" ""
.SH NAME
grml-crypt \- Wrapper around cryptsetup/losetup/mkfs/mount
.SH "SYNOPSIS"
\fBgrml\-crypt\fR [OPTIONS] \fIaction\fR <device/file> \fI[mountpoint]\fR
.SH "DESCRIPTION"
\fBgrml\-crypt\fR is a program that provides an easy wrapper around cryptsetup, mkfs, losetup and mount\&. You can create a loopback\-mounted encrypted filesystem with only one command, and grml\-crypt also works with normal devices\&.
.SH "ACTIONS"
.TP
\fBformat <device/file> [mountpoint]\fR
This command "formats" a device/file\&. If the second parameter is not a block device, grml\-crypt assumes that it should operate in file mode\&. If the file does not already exist, it will be created with the given size\&. The first 2MB of a device (LUKS header) are initialised with /dev/urandom; the remaining space is initialised with the given initialisation mode\&. In file mode the first 2MB of the loop file are also initialised with /dev/urandom, except where the file already exists (with \-f for overwriting)\&. Commands: [losetup], dd, cryptsetup luksFormat, cryptsetup luksOpen, [dd], mkfs, [mount]
.TP
\fBstart <device/file> <mountpoint>\fR
This command starts an encrypted device/file and mounts it on the given mountpoint\&. Commands: [losetup], cryptsetup luksOpen, mount
.TP
\fBstop <mountpoint>\fR
This command stops an encrypted filesystem mounted at mountpoint\&. The loop device is destroyed by this command as well\&. Commands: mount, dmsetup info, cryptsetup status, umount, cryptsetup luksClose, [losetup \-d]
.TP
\fBhelp\fR
Show the help message\&.
.SH "OPTIONS"
.TP
\fB\-h, help\fR
Show summary of options\&.
.TP
\fB\-v\fR
Show what is going on (more v => more output)\&.
.TP
\fB\-s (in MB, default=10)\fR
Size of the loop filesystem grml\-crypt should create\&.
.TP
\fB\-t (default=vfat)\fR
Type of the filesystem grml\-crypt should create\&. /sbin/mkfs\&.<your chosen filesystem> should exist\&.
.TP
\fB\-r\fR
Read\-only mode\&. The device mapping AND the mountpoint will be made read\-only\&. In format mode only the mountpoint can be made read\-only\&.
.TP
\fB\-z\fR
Insecure initialisation mode (see INITIALISATION MODES)\&.
.TP
\fB\-o\fR
Optimized initialisation mode (see INITIALISATION MODES)\&.
.TP
\fB\-y\fR
Verifies the password by asking for it twice during creation\&.
.TP
\fB\-f\fR
Force overwriting and/or disable the confirmation dialog\&. If the second parameter to format is an existing file and force is given, then the file will be used for the encrypted loop filesystem\&. ATTENTION: the file should be bigger than 2MB for LUKS only + the constraints from the filesystem itself (e\&.g\&. xfs needs a minimum of 4096 blocks)\&.
.TP
\fB\-m\fR
Additional arguments passed through to mount, for example "\fI\-o noatime\fR"\&.
.SH "CRYPTSETUP FORMAT OPTIONS"
.TP
\fB\-S (in bits, default=128)\fR
Key size of the cipher used for the encryption\&. Usually 128, 192 or 256 (higher values may also be possible)\&.
.TP
\fB\-C (default=aes\-cbc\-essiv:sha256)\fR
Cipher mode, should be aes\-plain for pre\-2\&.6\&.10\&. Look at /proc/crypto for other ciphers\&.
.TP
\fB\-I (in seconds, default=1)\fR
The number of seconds to spend on PBKDF2 password processing\&. This time is consumed for every key operation (format, start)\&.
.TP
\fB\-A (default="")\fR
Additional arguments to cryptsetup luksFormat\&.
.SH "INITIALISATION MODES"
.TP
\fBDefault/Secure mode (no \-o or \-z given)\fR
This mode is the default\&. It should be quite secure\&. The device/file gets initialised with /dev/urandom\&. The exception is an already existing file used with \-f, where NO initialisation will be done (all other modes behave as usual)\&.
.TP
\fBOptimized secure mode (\-o)\fR
In this mode only the first 2MB of the device/file are initialised with /dev/urandom\&. The encryption will be initialised and then the whole encrypted device is filled with /dev/zero\&.
.TP
\fBInsecure mode (\-z)\fR
In this mode only the first 2MB of the device/file are initialised with /dev/urandom\&.
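.PP
The three modes above, written out as the manual command sequence each one corresponds to\&. This is an added example, not grml\-crypt's own code: it only prints commands, and the mapping name demo, the device /dev/loop0 and the exact dd and cryptsetup flags are assumptions\&.

```shell
#!/bin/sh
# Added example (dry run): prints a manual command sequence, runs nothing.
# Assumed, not from grml-crypt's source: mapper name "demo", exact flags.

HEADER_MB=2   # area every mode fills from /dev/urandom (LUKS header)

# plan_format MODE DEV [FSTYPE] [MOUNTPOINT]
#   MODE: secure (default) | optimized (-o) | insecure (-z)
#   DEV:  block device, or a loop device already attached to the file
plan_format() {
    mode=$1; dev=$2; fs=${3:-vfat}; mnt=${4:-}
    map=/dev/mapper/demo

    case $mode in
        secure)
            # Whole device gets random data before LUKS is set up, so
            # used and unused sectors look alike afterwards.
            echo "dd if=/dev/urandom of=$dev bs=1M" ;;
        optimized|insecure)
            echo "dd if=/dev/urandom of=$dev bs=1M count=$HEADER_MB" ;;
        *)
            echo "unknown mode: $mode" >&2; return 2 ;;
    esac

    # Page defaults: -C aes-cbc-essiv:sha256, -S 128, -I 1 (s -> 1000 ms).
    echo "cryptsetup --cipher aes-cbc-essiv:sha256 --key-size 128 --iter-time 1000 luksFormat $dev"
    echo "cryptsetup luksOpen $dev demo"

    if [ "$mode" = optimized ]; then
        # Zeros written through the mapping reach the disk as ciphertext,
        # so old data is overwritten without a full /dev/urandom pass.
        echo "dd if=/dev/zero of=$map bs=1M"
    fi
    # insecure: nothing beyond the header is overwritten; prior contents
    # of the device remain on disk.

    echo "mkfs -t $fs $map"
    if [ -n "$mnt" ]; then echo "mount $map $mnt"; fi
    return 0
}

# Constructed sample invocations; /dev/loop0 is a placeholder device.
for m in secure optimized insecure; do
    echo "## $m"
    plan_format "$m" /dev/loop0 ext2 /mnt/tmp
done
```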
.SH "EXAMPLES"
.TP
\fBgrml\-crypt \-t xfs \-o format /dev/hda4 /mnt/tmp\fR
Formats /dev/hda4 with xfs, applies the optimized initialisation rules and mounts it on /mnt/tmp\&.
.TP
\fBgrml\-crypt \-t ext2 \-z format /home/user/test\&.img /mnt/tmp\fR
Creates /home/user/test\&.img with 10MB and applies only the insecure initialisation rules\&. Creates an ext2 filesystem on it and mounts it on /mnt/tmp\&.
.TP
\fBgrml\-crypt \-f \-S 256 \-C aes\-plain \-I 2 \-A \-\-verify\-passphrase \-m '\-o noatime' \-vvv format img /mnt/tmp\fR
Reuses the image img with no initialisation\&. The encryption is set up with aes\-plain, a 256 bit key size and an iteration time of 2 seconds\&. Cryptsetup is told to verify the password by asking for it twice\&. The image is mounted on /mnt/tmp with \fI\-o noatime\fR, and grml\-crypt prints what is going on (\-vvv)\&.
.SH "ENCRYPT A USB STICK"
.TP
\fBgrml\-crypt \-t ext2 \-z format /dev/external1\fR
This command formats your USB stick, which hopefully is at /dev/external1 (please verify!!), with ext2 and nearly no initialisation\&. You could also give the format action a mountpoint\&. In this case your crypto\-partition also gets mounted on this mountpoint\&.
.TP
\fBgrml\-crypt start /dev/external1 /mnt/tmp\fR
This command asks you for the right passphrase for your crypto\-partition and tries to mount it on /mnt/tmp\&.
.TP
\fBgrml\-crypt stop /mnt/tmp\fR
This command removes your crypto\-partition cleanly from the system (umount, cryptsetup luksClose, [losetup \-d])\&.
.SH "ENCRYPTED LOOP FILESYSTEM ON USB STICK"
.TP
\fBmount /mnt/external1\fR
To mount your USB stick on /mnt/external1 (please verify!!)\&.
.TP
\fBgrml\-crypt \-o \-t vfat \-s 50 format /mnt/external1/secure\&.img /mnt/tmp\fR
This command creates a 50MB file, encrypted with the default options and formatted with vfat (also known as fat32)\&. The optimized initialisation mode will be used for this file (without \-o this could take REALLY LONG)\&. This command \fIalso\fR starts your cryptofile and mounts it on /mnt/tmp\&.
.TP
\fBgrml\-crypt stop /mnt/tmp\fR
This command removes your crypto\-partition cleanly from the system (umount, cryptsetup luksClose, [losetup \-d])\&.
.TP
\fBumount /mnt/external1\fR
Guess what ;)?
.SH "SEE ALSO"
cryptsetup(8)
.SH "AUTHOR"
grml\-crypt was written by Michael Gebetsroither <michael\&.geb@gmx\&.at>\&.
.PP
This manual page was written by Michael Gebetsroither <gebi@grml\&.org>\&.