diff --git a/man/common_options.adoc b/man/common_options.adoc index 2a142d86..68ae6a1e 100644 --- a/man/common_options.adoc +++ b/man/common_options.adoc @@ -287,7 +287,7 @@ Later on, the decryption operation continues as if the ordinary detached header It would cause a deadlock. endif::[] ifdef::ACTION_ERASE[] -Use to specify a detached LUKS2 header when erasing HW OPAL-enabled data device. +Use to specify a detached LUKS2 header when erasing OPAL self-encrypting drive. endif::[] endif::[] @@ -318,14 +318,14 @@ endif::[] ifdef::ACTION_ERASE[] *--hw-opal-factory-reset*:: -Erase *ALL* data on the OPAL self-encrypted device. +Erase *ALL* data on the OPAL self-encrypting drive. The option does not require a valid LUKS2 header to be present on the device to run. After providing the correct PSID via interactive prompt or via --key-file parameter the device is erased. + -PSID is usually printed on the OPAL device label (either directly or as a QR code). +PSID is usually printed on the OPAL drive label (either directly or as a QR code). PSID must be entered without any dashes, spaces or underscores. + -*NOTE*: PSID should be treated as sensitive information as it allows anyone with remote access to the OPAL device to destroy data even if the device is locked. +*NOTE*: PSID should be treated as sensitive information as it allows anyone with remote access to the OPAL drive to destroy data even if the device is locked. Be sure you do not leak PSID through transparent packaging during transport or images of the drive posted online. endif::[] diff --git a/man/cryptsetup-erase.8.adoc b/man/cryptsetup-erase.8.adoc index 7caf9889..c03e0e4b 100644 --- a/man/cryptsetup-erase.8.adoc +++ b/man/cryptsetup-erase.8.adoc 
@@ -17,12 +17,18 @@ cryptsetup-erase, cryptsetup-luksErase - erase all keyslots == DESCRIPTION -Erase all keyslots and make the LUKS container permanently inaccessible. -Unless the device is configured with HW OPAL support, you do not need to provide any password for this operation. +Erase all keyslots, removing the volume key. +Unless the device is configured with OPAL self-encrypting drive support, you do not need to provide any password for this operation. -*WARNING:* This operation is irreversible. +This operation is irreversible. +Unless you have a header backup, all old encrypted data in the container will be permanently irretrievable. +Header backup cannot be used to recover data from OPAL self-encrypting drives, as the keys are permanently removed from hardware. -*WARNING:* with --hw-opal-factory-reset ALL data is lost on the device, regardless of the partition it is run on, if any, and regardless of any LUKS2 header backup, and does not require a valid LUKS2 header to be present on the device to run. +The *erase* does not wipe or overwrite the data area. +It only removes all active keyslots from the LUKS device. +See the cryptsetup FAQ for more information on how to wipe the whole device, including encrypted data. + +Note that the --hw-opal-factory-reset option for OPAL self-encrypting drive will erase ALL data on the drive, regardless of the partition it is run on. ** can be [--header, --disable-locks, --hw-opal-factory-reset, --key-file]. diff --git a/man/cryptsetup-luksFormat.8.adoc b/man/cryptsetup-luksFormat.8.adoc index b0887d62..755daef1 100644 --- a/man/cryptsetup-luksFormat.8.adoc +++ b/man/cryptsetup-luksFormat.8.adoc 
@@ -16,24 +16,29 @@ cryptsetup-luksFormat - initialize a LUKS partition and set the initial passphra == DESCRIPTION -Initializes a LUKS partition and sets the initial passphrase (for keyslot 0) via prompting or . +Initializes a LUKS partition and sets the passphrase via prompting or . Note that if the second argument is present, the passphrase is taken from the file given there, without using the --key-file option. Also note that for both forms of reading the passphrase from a file, you can give '-' as a file name, which results in the passphrase being read from stdin and the safety question being skipped. You cannot call luksFormat on a device or filesystem that is mapped or in use, e.g., a mounted filesystem, used in LVM, active RAID member, etc. The device or filesystem has to be unmounted in order to call luksFormat. -To use a specific version of LUKS format, use _--type luks1_ or _type luks2_. +To enforce a specific version of LUKS format, use _--type luks1_ or _type luks2_. +The default format is LUKS2. -To use OPAL hardware encryption on a self-encrypting drive, use --hw-opal or --hw-opal-only. +To use hardware encryption on an OPAL self-encrypting drive, use --hw-opal or --hw-opal-only. Note that some OPAL drives can require a PSID reset (with deletion of data) before using the LUKS format with OPAL options. See --hw-opal-factory-reset option in cryptsetup _erase_ command. +Doing a luksFormat on an existing LUKS container will regenerate the volume key. +Unless you have a header backup, all old encrypted data in the container will be permanently irretrievable. +Note that luksFormat does not wipe or overwrite the data area. +It only creates a new LUKS header with fresh keyslots. +See cryptsetup FAQ for more info on how to wipe the whole device, including encrypted data. 
+ ** can be [--hash, --cipher, --verify-passphrase, --key-size, --key-slot, --key-file (takes precedence over optional second argument), --keyfile-offset, --keyfile-size, --use-random, --use-urandom, --uuid, --volume-key-file, --iter-time, --header, --pbkdf-force-iterations, --force-password, --disable-locks, --timeout, --type, --offset, --align-payload (DEPRECATED)]. For LUKS2, additional ** can be [--integrity, --integrity-no-wipe, --sector-size, --label, --subsystem, --pbkdf, --pbkdf-memory, --pbkdf-parallel, --disable-locks, --disable-keyring, --luks2-metadata-size, --luks2-keyslots-size, --keyslot-cipher, --keyslot-key-size, --integrity-legacy-padding, --hw-opal, --hw-opal-only]. -*WARNING:* Doing a luksFormat on an existing LUKS container will make all data in the old container permanently irretrievable unless you have a header backup. - include::man/common_options.adoc[] include::man/common_footer.adoc[] diff --git a/man/cryptsetup-luksKillSlot.8.adoc b/man/cryptsetup-luksKillSlot.8.adoc index ef1778bc..4dcf72e4 100644 --- a/man/cryptsetup-luksKillSlot.8.adoc +++ b/man/cryptsetup-luksKillSlot.8.adoc 
@@ -17,16 +17,19 @@ cryptsetup-luksKillSlot - wipe a keyslot from the LUKS device == DESCRIPTION Wipe the keyslot with the number from the LUKS device. + Except running in batch-mode (-q), a remaining passphrase must be supplied, either interactively or via --key-file. This command can remove the last remaining keyslot, but requires an interactive confirmation when doing so. Removing the last passphrase makes a LUKS container permanently inaccessible. -** can be [--key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, --type, --verify-passphrase, --timeout]. - -*WARNING:* If you read the passphrase from stdin (without further argument or with '-' as an argument to --key-file), batch-mode (-q) will be implicitly switched on and no warning will be given when you remove the last remaining passphrase from a LUKS container. +If you read the passphrase from stdin (without further argument or with '-' as an argument to --key-file), batch-mode (-q) will be implicitly switched on and no warning will be given when you remove the last remaining passphrase from a LUKS container. Removing the last passphrase makes the LUKS container permanently inaccessible. -*NOTE:* If no passphrase is provided (on stdin or through --key-file argument) and batch-mode (-q) is active, the keyslot is removed without any other warning. +If no passphrase is provided (on stdin or through --key-file argument) and batch-mode (-q) is active, the keyslot is removed without any other warning. + +This operation removes only the key in a particular keyslot; it does not wipe any encrypted data. + +** can be [--key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, --type, --verify-passphrase, --timeout]. include::man/common_options.adoc[] include::man/common_footer.adoc[] diff --git a/man/cryptsetup-luksRemoveKey.8.adoc b/man/cryptsetup-luksRemoveKey.8.adoc index 3fe666af..3f0315c6 100644 --- a/man/cryptsetup-luksRemoveKey.8.adoc +++ b/man/cryptsetup-luksRemoveKey.8.adoc 
@@ -19,10 +19,12 @@ cryptsetup-luksRemoveKey - remove the supplied passphrase from the LUKS device Removes the supplied passphrase from the LUKS device. The passphrase to be removed can be specified interactively, as the positional argument or via --key-file. -** can be [--key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, --type, --timeout, --verify-passphrase]. - -*WARNING:* If you read the passphrase from stdin (without further argument or with '-' as an argument to --key-file), batch-mode (-q) will be implicitly switched on and no warning will be given when you remove the last remaining passphrase from a LUKS container. +If you read the passphrase from stdin (without further argument or with '-' as an argument to --key-file), batch-mode (-q) will be implicitly switched on and no warning will be given when you remove the last remaining passphrase from a LUKS container. Removing the last passphrase makes the LUKS container permanently inaccessible. +This operation removes only the key in a particular keyslot; it does not wipe any encrypted data. + +** can be [--key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, --type, --timeout, --verify-passphrase]. + include::man/common_options.adoc[] include::man/common_footer.adoc[]
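Review bot: the rewritten ACTION_ERASE line in man/common_options.adoc (hunk @@ -287) drops the article: "when erasing OPAL self-encrypting drive" should read "when erasing an OPAL self-encrypting drive", matching the "on an OPAL self-encrypting drive" phrasing the luksFormat hunk introduces.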
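Review bot: the --hw-opal-factory-reset paragraph in man/common_options.adoc (hunk @@ -318) renames "OPAL device" to "OPAL drive" in three places but the same paragraph still says "the device is erased" and "even if the device is locked"; if the intent is to standardise on "drive" for the hardware, finish the rename within this block so one paragraph does not use both terms for the same thing.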
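Review bot: the replacement for the second WARNING in man/cryptsetup-erase.8.adoc (hunk @@ -17) loses information: the removed line said the factory reset destroys data "regardless of any LUKS2 header backup" and "does not require a valid LUKS2 header to be present on the device to run", while the new sentence keeps only "regardless of the partition it is run on". The header-backup caveat two paragraphs earlier is about the regular erase path, so a reader of the factory-reset note will not necessarily connect them; suggest "erase ALL data on the drive, regardless of the partition it is run on and of any LUKS2 header backup, and does not require a valid LUKS2 header to be present." Also "for OPAL self-encrypting drive" needs "an", and this page says "See the cryptsetup FAQ" while the luksFormat hunk says "See cryptsetup FAQ"; pick one form.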
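Review bot: the rewritten "To enforce a specific version of LUKS format" line in man/cryptsetup-luksFormat.8.adoc (hunk @@ -16) carries over the pre-existing typo "_type luks2_" (missing leading dashes); since the line is touched anyway, make it "_--type luks1_ or _--type luks2_". Minor: "See cryptsetup FAQ for more info" reads less formally than the erase page's "See the cryptsetup FAQ for more information"; align the two.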
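Review bot: in man/cryptsetup-luksKillSlot.8.adoc (hunk @@ -17) the description now states "Removing the last passphrase makes a/the LUKS container permanently inaccessible." twice, once at the end of the paragraph about removing the last keyslot and again right after the de-labelled stdin sentence; both are visible as context lines in this hunk. Since the surrounding paragraphs are being restructured, drop one occurrence (the second is the natural candidate, as the first already closes the thought).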
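Review bot: the added sentence in man/cryptsetup-luksRemoveKey.8.adoc (hunk @@ -19), "This operation removes only the key in a particular keyslot", was copied from luksKillSlot and does not fit this command, which locates the keyslot by the supplied passphrase rather than by a slot number; suggest "This operation removes only the keyslot that the supplied passphrase unlocks; it does not wipe any encrypted data." Also, unlike the luksKillSlot hunk, there is no blank "+" line before the added sentence, so in AsciiDoc it joins the preceding "Removing the last passphrase ..." paragraph instead of starting a new one.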