Cryptsetup is an open-source tool for full disk encryption on Linux systems, using LUKS format with customizable encryption settings and key management.
Cryptsetup is a powerful security tool designed to help protect sensitive data stored on Linux systems. This open-source software provides full disk encryption capabilities, ensuring that your data is safe and secure from prying eyes.
With Cryptsetup, you can encrypt entire partitions, including the root partition, as well as external storage devices, such as USB drives and external hard drives. The tool uses the widely trusted Linux Unified Key Setup (LUKS) format, which provides robust security for your data.
Cryptsetup is easy to use, with a simple command-line interface that allows you to set up encryption on your Linux system quickly. The tool also includes a range of features that enable you to customize your encryption settings to meet your specific needs.
The main benefit of Cryptsetup is the layer of protection it adds to data at rest: without the key, the encrypted data is useless to anyone who obtains the disk, which makes it well suited to protecting sensitive information such as financial records, personal information, and confidential business data.
In addition to its encryption capabilities, Cryptsetup includes features that strengthen the rest of the setup. For example, the tool lets you protect the volume key with a strong passphrase, making it much harder for an unauthorized user to unlock your data. Cryptsetup also provides key-slot management, which lets you keep several passphrases or keyfiles in separate key slots and revoke access for a specific user or device by wiping its slot when needed.
Cryptsetup is highly customizable, allowing you to tailor the encryption settings to your requirements. You can choose from a range of encryption algorithms and key sizes, depending on the level of security you need. You can also configure advanced settings, such as the iteration time of the key derivation function (PBKDF) that turns your passphrase into a key, to make brute-force guessing of the passphrase more expensive.
Overall, Cryptsetup is an essential tool for anyone looking to protect their sensitive data on Linux systems. Its robust encryption capabilities, combined with its user-friendly interface and advanced features, make it an excellent choice for both individuals and businesses looking to secure their valuable data.
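A worked key-slot workflow, added here as an example and not taken from the Kali page or the cryptsetup project: it formats a file-backed LUKS2 container with explicit cipher and PBKDF settings, adds a second keyfile in its own slot, backs up the header, confirms the new slot unlocks, and then revokes the original slot. Every action and option used is one that appears in the cryptsetup --help output on this page; the directory under /tmp, the mapping name and the keyfile contents are assumptions made for the demo, and the full sequence is meant to run as root (device-mapper access is needed for open and close).

```shell
#!/bin/sh
# Added example, not code from the Kali page or the cryptsetup project: a LUKS2
# key-slot workflow on a file-backed container. Paths under $DEMO_DIR, the
# mapping name and the keyfile contents are constructed for this demo.
# Set RUN=echo for a dry run that prints each cryptsetup command instead of
# executing it.

RUN="${RUN:-}"
DEMO_DIR="${DEMO_DIR:-/tmp/luks-demo}"
CONTAINER="$DEMO_DIR/container.img"
KEY0="$DEMO_DIR/slot0.key"        # initial unlock secret (slot 0)
KEY1="$DEMO_DIR/slot1.key"        # second secret, added to slot 1
HEADER_BACKUP="$DEMO_DIR/header.bak"
MAPPING="luksdemo"

# Format with explicit parameters rather than the compiled-in defaults:
# aes-xts-plain64 with a 512-bit key (XTS splits it into two 256-bit keys),
# argon2id as the PBKDF, and a 4 s unlock budget (--iter-time is in ms).
luks_format() {  # $1 device, $2 keyfile whose content becomes the slot-0 passphrase
    $RUN cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 \
        --pbkdf argon2id --iter-time 4000 --batch-mode --key-file "$2" "$1"
}

# Add a second secret to an explicit slot; the existing secret authorises it.
luks_add_key() {  # $1 device, $2 existing keyfile, $3 new keyfile, $4 slot number
    $RUN cryptsetup luksAddKey --key-file "$2" --new-keyfile "$3" --new-key-slot "$4" "$1"
}

# Check that a secret unlocks the header without creating a mapping.
luks_test_key() {  # $1 device, $2 keyfile
    $RUN cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# Revoke one slot. A secret from a slot that stays authorises the wipe, so the
# last usable slot is verified before anything is removed.
luks_kill_slot() {  # $1 device, $2 keyfile of a slot that stays, $3 slot to wipe
    $RUN cryptsetup luksKillSlot --key-file "$2" "$1" "$3"
}

# Save the header and keyslot area; without the header the data is unrecoverable.
luks_header_backup() {  # $1 device, $2 backup file
    $RUN cryptsetup luksHeaderBackup --header-backup-file "$2" "$1"
}

luks_demo() {
    command -v cryptsetup >/dev/null 2>&1 || { echo "cryptsetup not installed" >&2; return 1; }
    umask 077                                  # keyfiles and backup readable by owner only
    mkdir -p "$DEMO_DIR"
    dd if=/dev/zero of="$CONTAINER" bs=1M count=64 2>/dev/null
    head -c 64 /dev/urandom > "$KEY0"
    head -c 64 /dev/urandom > "$KEY1"

    luks_format "$CONTAINER" "$KEY0"
    luks_add_key "$CONTAINER" "$KEY0" "$KEY1" 1
    luks_header_backup "$CONTAINER" "$HEADER_BACKUP"
    luks_test_key "$CONTAINER" "$KEY1"         # new slot works before the old one goes
    luks_kill_slot "$CONTAINER" "$KEY1" 0
    $RUN cryptsetup luksDump "$CONTAINER"      # slot 1 should be listed, slot 0 gone

    # Creating the /dev/mapper entry needs device-mapper access (root).
    if [ "$(id -u)" -eq 0 ]; then
        $RUN cryptsetup open --type luks2 --key-file "$KEY1" "$CONTAINER" "$MAPPING"
        $RUN cryptsetup status "$MAPPING"
        $RUN cryptsetup close "$MAPPING"
    fi
}

# Run the full sequence only when asked for explicitly.
if [ "${LUKS_DEMO_RUN:-0}" = 1 ]; then luks_demo; fi
```

Run it with LUKS_DEMO_RUN=1 to execute, or with RUN=echo LUKS_DEMO_RUN=1 to only print the commands. Note that the header backup was taken while slot 0 still existed, so the revoked secret still unlocks that backup file; keep header backups under the same protection as the keyfiles, and refresh them after every slot change.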
Packages and Binaries:
cryptsetup
Cryptsetup is backwards compatible with the on-disk format of cryptoloop, but also supports more secure formats. This package includes support for automatically configuring encrypted devices at boot time via the config file /etc/crypttab. Additional features are cryptoroot support through initramfs-tools and several supported ways to read a passphrase or key.
This package provides the cryptdisks_start and cryptdisks_stop wrappers, as well as luksformat.
Installed size: 409 KB
How to install: sudo apt install cryptsetup
Dependencies:
cryptsetup-bin
debconf | debconf-2.0
dmsetup
libc6
cryptdisks_start
Wrapper around cryptsetup that parses /etc/crypttab.
:~# cryptdisks_start -h
Usage: /usr/sbin/cryptdisks_start [-r|--readonly] <name> [.. <name>]
reads /etc/crypttab and starts the mapping corresponding to <name>
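The wrapper above resolves a <name> to its /etc/crypttab line before calling cryptsetup. The following reader, added here as an example (it is not Debian's cryptdisks_start and is not on the original page), does the same resolution in POSIX sh and prints the cryptsetup open command the line implies, so a new entry can be checked before a reboot depends on it. It assumes the four-field crypttab layout (name, source device, key file, options) and handles the common options; pass a draft file as the second argument to check it without touching the live /etc/crypttab.

```shell
#!/bin/sh
# Added example (not Debian's cryptdisks_start and not from the original page):
# resolve a mapping name in a crypttab file and print the cryptsetup open
# command it implies. Assumes the usual four-field layout:
#   <name> <source device> <key file> <options>
# The path defaults to the real /etc/crypttab; pass another file as $2 to
# check a draft before it goes live.

CRYPTTAB="${CRYPTTAB:-/etc/crypttab}"

# Print the four fields of the entry for $1 as one space-separated line.
# Blank lines and '#' comments are skipped; a missing key-file field is
# reported as "none" and missing options as "-". Returns 1 if not found.
crypttab_entry() {
    awk -v want="$1" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == want {
            print $1, $2, ($3 == "" ? "none" : $3), ($4 == "" ? "-" : $4)
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    ' "${2:-$CRYPTTAB}"
}

# Translate the entry into the cryptsetup open invocation. Only a type named
# in the options is passed as --type (cryptdisks_start probes the header with
# "cryptsetup isLuks" instead); a key read from /dev/urandom means a plain
# mapping, since a device re-keyed at every boot cannot carry a LUKS header.
# "none" or "-" as the key file means an interactive passphrase prompt.
crypttab_open_cmd() {
    entry=$(crypttab_entry "$1" "${2:-$CRYPTTAB}") || return 1
    set -- $entry
    name=$1 src=$2 key=$3 opts=$4
    type="" extra=""
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case "$o" in
            luks|luks1|luks2|plain|tcrypt|bitlk) type=$o ;;
            discard)  extra="$extra --allow-discards" ;;  # TRIM reveals which sectors are unused
            readonly) extra="$extra --readonly" ;;
            tries=*)  extra="$extra --tries ${o#tries=}" ;;
            cipher=*) extra="$extra --cipher ${o#cipher=}" ;;
            size=*)   extra="$extra --key-size ${o#size=}" ;;
            hash=*)   extra="$extra --hash ${o#hash=}" ;;
            *) ;;   # swap, tmp, keyscript=... are handled by the wrapper, not cryptsetup
        esac
    done
    IFS=$old_ifs
    keyarg=""
    case "$key" in
        none|-) ;;
        /dev/urandom|/dev/random) keyarg=" --key-file $key"; [ -n "$type" ] || type=plain ;;
        *) keyarg=" --key-file $key" ;;
    esac
    typearg=""; [ -z "$type" ] || typearg=" --type $type"
    printf 'cryptsetup open%s%s%s %s %s\n' "$typearg" "$extra" "$keyarg" "$src" "$name"
}

# Usage: show what would be started for a given name.
#   crypttab_open_cmd cryptroot                   # reads /etc/crypttab
#   crypttab_open_cmd data /tmp/crypttab.draft    # checks a draft file
```

A non-zero return means the name has no entry, which is the same situation in which cryptdisks_start has nothing to start. The discard option is worth a second look when reviewing an entry: it maps to --allow-discards, which passes TRIM through the mapping and so exposes which sectors of the encrypted device are unused.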
cryptdisks_stop
Wrapper around cryptsetup that parses /etc/crypttab.
luksformat
:~# luksformat -h
luksformat - Create and format an encrypted LUKS device
Usage: luksformat [-t <file system>] <device> [ mkfs options ]
cryptsetup-bin
Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support.
This package provides the cryptsetup, integritysetup and veritysetup utilities.
Installed size: 2.27 MB
How to install: sudo apt install cryptsetup-bin
Dependencies:
libblkid1
libc6
libcryptsetup12
libpopt0
libuuid1
cryptsetup
Manage plain dm-crypt, LUKS, and other encrypted volumes
:~# cryptsetup --help
cryptsetup 2.6.1 flags: UDEV BLKID KEYRING KERNEL_CAPI
Usage: cryptsetup [OPTION...] <action> <action-specific>
Help options:
-?, --help Show this help message
--usage Display brief usage
-V, --version Print package version
--active-name=STRING Override device autodetection of dm
device to be reencrypted
--align-payload=SECTORS Align payload at <n> sector boundaries
- for luksFormat
--allow-discards Allow discards (aka TRIM) requests for
device
-q, --batch-mode Do not ask for confirmation
--cancel-deferred Cancel a previously set deferred
device removal
-c, --cipher=STRING The cipher used to encrypt the disk
(see /proc/crypto)
--debug Show debug messages
--debug-json Show debug messages including JSON
metadata
--deferred Device removal is deferred until the
last user closes it
--device-size=bytes Use only specified device size (ignore
rest of device). DANGEROUS!
--decrypt Decrypt LUKS2 device (remove
encryption).
--disable-external-tokens Disable loading of external LUKS2
token plugins
--disable-keyring Disable loading volume keys via kernel
keyring
--disable-locks Disable locking of on-disk metadata
--disable-veracrypt Do not scan for VeraCrypt compatible
device
--dump-json-metadata Dump info in JSON format (LUKS2 only)
--dump-volume-key Dump volume key instead of keyslots
info
--encrypt Encrypt LUKS2 device (in-place
encryption).
--force-password Disable password quality check (if
enabled)
--force-offline-reencrypt Force offline LUKS2 reencryption and
bypass active device detection.
-h, --hash=STRING The hash used to create the encryption
key from the passphrase
--header=STRING Device or file with separated LUKS
header
--header-backup-file=STRING File with LUKS header and keyslots
backup
--hotzone-size=bytes Maximal reencryption hotzone size.
--init-only Initialize LUKS2 reencryption in
metadata only.
-I, --integrity=STRING Data integrity algorithm (LUKS2 only)
--integrity-legacy-padding Use inefficient legacy padding (old
kernels)
--integrity-no-journal Disable journal for integrity device
--integrity-no-wipe Do not wipe device after format
-i, --iter-time=msecs PBKDF iteration time for LUKS (in ms)
--iv-large-sectors Use IV counted in sector size (not in
512 bytes)
--json-file=STRING Read or write the json from or to a
file
--keep-key Do not change volume key.
--key-description=STRING Key description
-d, --key-file=STRING Read the key from a file
-s, --key-size=BITS The size of the encryption key
-S, --key-slot=INT Slot number for new key (default is
first free)
--keyfile-offset=bytes Number of bytes to skip in keyfile
-l, --keyfile-size=bytes Limits the read from keyfile
--keyslot-cipher=STRING LUKS2 keyslot: The cipher used for
keyslot encryption
--keyslot-key-size=BITS LUKS2 keyslot: The size of the
encryption key
--label=STRING Set label for the LUKS2 device
--luks2-keyslots-size=bytes LUKS2 header keyslots area size
--luks2-metadata-size=bytes LUKS2 header metadata area size
--volume-key-file=STRING Use the volume key from file.
--new-keyfile=STRING Read the key for a new slot from a file
--new-key-slot=INT Slot number for new key (default is
first free)
--new-keyfile-offset=bytes Number of bytes to skip in newly added
keyfile
--new-keyfile-size=bytes Limits the read from newly added
keyfile
--new-token-id=INT Token number (default: any)
-o, --offset=SECTORS The start offset in the backend device
--pbkdf=STRING PBKDF algorithm (for LUKS2): argon2i,
argon2id, pbkdf2
--pbkdf-force-iterations=LONG PBKDF iterations cost (forced,
disables benchmark)
--pbkdf-memory=kilobytes PBKDF memory cost limit
--pbkdf-parallel=threads PBKDF parallel cost
--perf-no_read_workqueue Bypass dm-crypt workqueue and process
read requests synchronously
--perf-no_write_workqueue Bypass dm-crypt workqueue and process
write requests synchronously
--perf-same_cpu_crypt Use dm-crypt same_cpu_crypt
performance compatibility option
--perf-submit_from_crypt_cpus Use dm-crypt submit_from_crypt_cpus
performance compatibility option
--persistent Set activation flags persistent for
device
--priority=STRING Keyslot priority: ignore, normal,
prefer
--progress-json Print progress data in json format
(suitable for machine processing)
--progress-frequency=secs Progress line update (in seconds)
-r, --readonly Create a readonly mapping
--reduce-device-size=bytes Reduce data device size (move data
offset). DANGEROUS!
--refresh Refresh (reactivate) device with new
parameters
--resilience=STRING Reencryption hotzone resilience type
(checksum,journal,none)
--resilience-hash=STRING Reencryption hotzone checksums hash
--resume-only Resume initialized LUKS2 reencryption
only.
--sector-size=INT Encryption sector size (default: 512
bytes)
--serialize-memory-hard-pbkdf Use global lock to serialize memory
hard PBKDF (OOM workaround)
--shared Share device with another
non-overlapping crypt segment
-b, --size=SECTORS The size of the device
-p, --skip=SECTORS How many sectors of the encrypted data
to skip at the beginning
--subsystem=STRING Set subsystem label for the LUKS2
device
--tcrypt-backup Use backup (secondary) TCRYPT header
--tcrypt-hidden Use hidden header (hidden TCRYPT
device)
--tcrypt-system Device is system TCRYPT drive (with
bootloader)
--test-args Do not run action, just validate all
command line parameters
--test-passphrase Do not activate device, just check
passphrase
-t, --timeout=secs Timeout for interactive passphrase
prompt (in seconds)
--token-id=INT Token number (default: any)
--token-only Do not ask for passphrase if
activation by token fails
--token-replace Replace the current token
--token-type=STRING Restrict allowed token types used to
retrieve LUKS2 key
-T, --tries=INT How often the input of the passphrase
can be retried
-M, --type=STRING Type of device metadata: luks, luks1,
luks2, plain, loopaes, tcrypt, bitlk
--unbound Create or dump unbound LUKS2 keyslot
(unassigned to data segment) or LUKS2
token (unassigned to keyslot)
--use-random Use /dev/random for generating volume
key
--use-urandom Use /dev/urandom for generating volume
key
--uuid=STRING UUID for device to use
--veracrypt Scan also for VeraCrypt compatible
device
--veracrypt-pim=INT Personal Iteration Multiplier for
VeraCrypt compatible device
--veracrypt-query-pim Query Personal Iteration Multiplier
for VeraCrypt compatible device
-v, --verbose Shows more detailed error messages
-y, --verify-passphrase Verifies the passphrase by asking for
it twice
-B, --block-size=MiB Reencryption block size
-N, --new Create new header on not encrypted
device
--use-directio Use direct-io when accessing devices
--use-fsync Use fsync after each block
--write-log Update log file after every block
--dump-master-key Alias for --dump-volume-key
--master-key-file=STRING Alias for --dump-volume-key-file
<action> is one of:
open <device> [--type <type>] [<name>] - open device as <name>
close <name> - close device (remove mapping)
resize <name> - resize active device
status <name> - show device status
benchmark [--cipher <cipher>] - benchmark cipher
repair <device> - try to repair on-disk metadata
reencrypt <device> - reencrypt LUKS2 device
erase <device> - erase all keyslots (remove encryption key)
convert <device> - convert LUKS from/to LUKS2 format
config <device> - set permanent configuration options for LUKS2
luksFormat <device> [<new key file>] - formats a LUKS device
luksAddKey <device> [<new key file>] - add key to LUKS device
luksRemoveKey <device> [<key file>] - removes supplied key or key file from LUKS device
luksChangeKey <device> [<key file>] - changes supplied key or key file of LUKS device
luksConvertKey <device> [<key file>] - converts a key to new pbkdf parameters
luksKillSlot <device> <key slot> - wipes key with number <key slot> from LUKS device
luksUUID <device> - print UUID of LUKS device
isLuks <device> - tests <device> for LUKS partition header
luksDump <device> - dump LUKS partition information
tcryptDump <device> - dump TCRYPT device information
bitlkDump <device> - dump BITLK device information
fvault2Dump <device> - dump FVAULT2 device information
luksSuspend <device> - Suspend LUKS device and wipe key (all IOs are frozen)
luksResume <device> - Resume suspended LUKS device
luksHeaderBackup <device> - Backup LUKS device header and keyslots
luksHeaderRestore <device> - Restore LUKS device header and keyslots
token <add|remove|import|export> <device> - Manipulate LUKS2 tokens
You can also use old <action> syntax aliases:
open: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open
close: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close
<name> is the device to create under /dev/mapper
<device> is the encrypted device
<key slot> is the LUKS key slot number to modify
<key file> optional key file for the new key for luksAddKey action
Default compiled-in metadata format is LUKS2 (for luksFormat action).
LUKS2 external token plugin support is compiled-in.
LUKS2 external token plugin path: /lib/x86_64-linux-gnu/cryptsetup.
Default compiled-in key and passphrase parameters:
Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF for LUKS1: pbkdf2, iteration time: 2000 (ms)
Default PBKDF for LUKS2: argon2id
Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4
Default compiled-in device cipher parameters:
loop-AES: aes, Key 256 bits
plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
LUKS: Default keysize with XTS mode (two internal keys) will be doubled.
:~# integritysetup --help
integritysetup 2.6.1 flags: UDEV BLKID KEYRING KERNEL_CAPI
Usage: integritysetup [OPTION...] <action> <action-specific>
Help options:
-?, --help Show this help message
--usage Display brief usage
-V, --version Print package version
--allow-discards Allow discards (aka TRIM)
requests for device
-q, --batch-mode Do not ask for confirmation
--buffer-sectors=SECTORS Buffers size
--bitmap-flush-time=ms Bitmap mode flush time
--bitmap-sectors-per-bit=INT Number of 512-byte sectors per
bit (bitmap mode).
--cancel-deferred Cancel a previously set deferred
device removal
--data-device=path Path to data device (if
separated)
--debug Show debug messages
--deferred Device removal is deferred until
the last user closes it
-I, --integrity=STRING Data integrity algorithm
--integrity-key-file=STRING Read the integrity key from a
file
--integrity-key-size=BITS The size of the data integrity
key
--integrity-legacy-padding Use inefficient legacy padding
(old kernels)
--integrity-legacy-hmac Do not protect superblock with
HMAC (old kernels)
--integrity-legacy-recalculate Allow recalculating of volumes
with HMAC keys (old kernels)
-D, --integrity-no-journal Disable journal for integrity
device
--interleave-sectors=SECTORS Interleave sectors
--journal-commit-time=ms Journal commit time
--journal-integrity=STRING Journal integrity algorithm
--journal-integrity-key-size=BITS The size of the journal
integrity key
--journal-integrity-key-file=STRING Read the journal integrity key
from a file
--journal-crypt=STRING Journal encryption algorithm
--journal-crypt-key-file=STRING Read the journal encryption key
from a file
--journal-crypt-key-size=BITS The size of the journal
encryption key
-j, --journal-size=bytes Journal size
--journal-watermark=percent Journal watermark
--no-wipe Do not wipe device after format
--wipe Wipe the end of the device after
resize
--progress-frequency=secs Progress line update (in seconds)
--progress-json Print wipe progress data in json
format (suitable for machine
processing)
-B, --integrity-bitmap-mode Use bitmap to track changes and
disable journal for integrity
device
--integrity-recalculate Recalculate initial tags
automatically.
--integrity-recalculate-reset Reset automatic recalculate
position.
-R, --integrity-recovery-mode Recovery mode (no journal, no
tag checking)
-s, --sector-size=bytes Sector size
-t, --tag-size=bytes Tag size (per-sector)
-v, --verbose Shows more detailed error
messages
--device-size=bytes Use only specified device size
(ignore rest of device).
DANGEROUS!
-b, --size=SECTORS The size of the device
<action> is one of:
format <integrity_device> - format device
open <integrity_device> <name> - open device as <name>
close <name> - close device (remove mapping)
status <name> - show active device status
dump <integrity_device> - show on-disk information
resize <name> - resize active device
<name> is the device to create under /dev/mapper
<integrity_device> is the device containing data with integrity tags
Default compiled-in dm-integrity parameters:
Checksum algorithm: crc32c
Maximum keyfile size: 4kB
:~# veritysetup --help
veritysetup 2.6.1 flags: UDEV BLKID KEYRING KERNEL_CAPI
Usage: veritysetup [OPTION...] <action> <action-specific>
Help options:
-?, --help Show this help message
--usage Display brief usage
-V, --version Print package version
--cancel-deferred Cancel a previously set deferred device
removal
--check-at-most-once Verify data block only the first time
it is read
--data-block-size=bytes Block size on the data device
--data-blocks=blocks The number of blocks in the data file
--debug Show debug messages
--deferred Device removal is deferred until the
last user closes it
--fec-device=path Path to device with error correction
data
--fec-offset=bytes Starting offset on the FEC device
--fec-roots=bytes FEC parity bytes
--format=number Format type (1 - normal, 0 - original
Chrome OS)
-h, --hash=string Hash algorithm
--hash-block-size=bytes Block size on the hash device
--hash-offset=bytes Starting offset on the hash device
--ignore-corruption Ignore corruption, log it only
--ignore-zero-blocks Do not verify zeroed blocks
--no-superblock Do not use verity superblock
--panic-on-corruption Panic kernel if corruption is detected
--restart-on-corruption Restart kernel if corruption is detected
--root-hash-file=STRING Path to root hash file
--root-hash-signature=STRING Path to root hash signature file
-s, --salt=hex string Salt
--use-tasklets Use kernel tasklets for performance
--uuid=STRING UUID for device to use
-v, --verbose Shows more detailed error messages
<action> is one of:
format <data_device> <hash_device> - format device
verify <data_device> <hash_device> [<root_hash>] - verify device
open <data_device> <name> <hash_device> [<root_hash>] - open device as <name>
close <name> - close device (remove mapping)
status <name> - show active device status
dump <hash_device> - show on-disk information
<name> is the device to create under /dev/mapper
<data_device> is the data device
<hash_device> is the device containing verification data
<root_hash> hash of the root node on <hash_device>
Default compiled-in dm-verity parameters:
Hash: sha256, Data block (bytes): 4096, Hash block (bytes): 4096, Salt size: 32, Hash format: 1
cryptsetup-initramfs
Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support.
This package provides initramfs integration for cryptsetup.
Installed size: 105 KB
How to install: sudo apt install cryptsetup-initramfs
Dependencies:
busybox | busybox-static
cryptsetup
debconf | debconf-2.0
initramfs-tools | linux-initramfs-tool
cryptsetup-run
This is a transitional dummy package to get upgrading systems to install the cryptsetup package. It can safely be removed once no other package depends on it.
Installed size: 33 KB
How to install: sudo apt install cryptsetup-run
Dependencies:
cryptsetup
cryptsetup-ssh
Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support.
This package provides the cryptsetup-ssh(8) utility and an SSH token plugin which can be used to unlock LUKS2 devices using a remote keyfile hosted on a system accessible through SSH. This is currently an experimental feature and mostly serves as a demonstration of the plugin interface API.
Installed size: 100 KB
How to install: sudo apt install cryptsetup-ssh
Dependencies:
libc6
libcryptsetup12
libjson-c5
libpopt0
libssh-4
cryptsetup-ssh
Manage LUKS2 SSH token
:~# cryptsetup-ssh --help
Usage: cryptsetup-ssh [OPTION...] <action> <device>
Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected
to an SSH server
Options for the 'add' action:
--key-slot=NUM Keyslot to assign the token to. If not specified,
token will be assigned to the first keyslot
matching provided passphrase.
--ssh-keypath=STRING Path to the SSH key for connecting to the remote
server
--ssh-path=STRING Path to the key file on the remote server
--ssh-server=STRING IP address/URL of the remote server for this token
--ssh-user=STRING Username used for the remote server
Generic options:
--debug Show debug messages
--debug-json Show debug messages including JSON metadata
-v, --verbose Shows more detailed error messages
-?, --help Give this help list
--usage Give a short usage message
-V, --version Print program version
This plugin currently allows only adding a token to an existing key slot.
Specified SSH server must contain a key file on the specified path with a
passphrase for an existing key slot on the device.
Provided credentials will be used by cryptsetup to get the password when
opening the device using the token.
Note: The information provided when adding the token (SSH server address, user
and paths) will be stored in the LUKS2 header in plaintext.
cryptsetup-suspend
Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support.
This package provides suspend mode integration for cryptsetup. It takes care of removing LUKS master key from memory before system suspend.
Please note that the suspend mode integration is limited to LUKS devices and requires systemd. Moreover, this is an early implementation and may not be as mature as the other cryptsetup-* packages yet.
Installed size: 82 KB
How to install: sudo apt install cryptsetup-suspend
Dependencies:
cryptsetup-initramfs
initramfs-tools-core
kbd
libc6
libcryptsetup12
systemd
libcryptsetup-dev
Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support.
This package provides the libcryptsetup development files.
Installed size: 149 KB
How to install: sudo apt install libcryptsetup-dev
Dependencies:
libargon2-dev
libblkid-dev
libcryptsetup12
libdevmapper-dev
libjson-c-dev
libssl-dev
uuid-dev
libcryptsetup12
Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support.
This package provides the libcryptsetup shared library.
Installed size: 562 KB
How to install: sudo apt install libcryptsetup12