eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-05 16:00:05 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
cryptsetup/man/cryptsetup-repair.8.adoc
Milan Broz c66c520e26 man: Always mention <options> as the last paragraph. 
Move all notes and warnings to description text.
Refine some small clarification.

Do not use NOTE/WARNING unless there is a serious reason (data loss).
2025-07-29 09:14:56 +02:00

53 lines
2.1 KiB
Plaintext
Raw Permalink Blame History

= cryptsetup-repair(8)
:doctype: manpage
:manmanual: Maintenance Commands
:mansource: cryptsetup {release-version}
:man-linkstyle: pass:[blue R < >]
:COMMON_OPTIONS:
:ACTION_REPAIR:
== Name
cryptsetup-repair - repair the device metadata
== SYNOPSIS
*cryptsetup _repair_ [<options>] <device>*
== DESCRIPTION
Tries to repair the device metadata if possible.
Currently supported only for LUKS device type.
This command is useful for fixing some known benign LUKS metadata header corruptions.
Only basic corruptions of unused keyslot are fixable.
This command will only change the LUKS header, not any keyslot data.
You may enforce LUKS version by adding --type option.
It also repairs (upgrades) LUKS2 reencryption metadata by adding a metadata digest that protects it against malicious changes.
If LUKS2 reencryption was interrupted while writing the reencryption segment, the repair command can perform reencryption recovery so that reencryption can continue later.
Repairing reencryption requires verification of the reencryption keyslot, so a passphrase or keyfile is needed.
*WARNING:* Always create a binary backup of the original header before calling this command.
=== LUKS keyslots corruption detection
The repair command also checks for detectable corruption of keyslot content.
Corruption of a keyslot results in a situation where a known password is no longer accepted.
It can happen due to storage media failure or overwriting the keyslot area with other data.
Only certain corruptions, usually only a low-entropy area (like zeroed blocks), can be detected.
The detection prints only warnings.
It does not modify keyslots.
It can also print more specific offsets on the device for detailed manual inspection.
Please note that the warning can be a false positive (no real corruption happened).
Conversely, if the keyslot is corrupted, no recovery is possible.
You have to use the LUKS header backup.
*<options>* can be [--timeout, --verify-passphrase, --disable-locks, --type, --header, --key-file, --keyfile-size, --keyfile-offset, --key-slot].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
Reference in New Issue View Git Blame Copy Permalink