eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-05 16:00:05 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
360f85dde7f6f3d9193009d3c0459d84c3d782d6
cryptsetup/man/cryptsetup-luksAddKey.8.adoc
Milan Broz 360f85dde7 man: Grammar and simple stylistic fixes. 
This is based mainly on Grammarly.

It unifies man pages to at least some level of grammar,
so later we can focus on adding more readable content.
2025-07-17 15:01:39 +02:00

62 lines
2.9 KiB
Plaintext
Raw Blame History

= cryptsetup-luksAddKey(8)
:doctype: manpage
:manmanual: Maintenance Commands
:mansource: cryptsetup {release-version}
:man-linkstyle: pass:[blue R < >]
:COMMON_OPTIONS:
:ACTION_LUKSADDKEY:
== Name
cryptsetup-luksAddKey - add a new passphrase
== SYNOPSIS
*cryptsetup _luksAddKey_ [<options>] <device> [<key file with new key>]*
== DESCRIPTION
Adds a keyslot protected by a new passphrase.
An existing passphrase must be supplied interactively, via --key-file or LUKS2 token (plugin).
Alternatively to the existing passphrase, the user may pass directly the volume key (via --volume-key-file or --volume-key-keyring).
The new passphrase to be added can be specified interactively, read from the file given as the positional argument (also via --new-keyfile parameter) or via LUKS2 token.
*NOTE:* with --unbound option the action creates new unbound LUKS2 keyslot.
The keyslot cannot be used for device activation.
If you don't pass a new key via --volume-key-file option, a new random key is generated.
The existing passphrase for any active keyslot is not required.
*NOTE:* Some parameters are effective only if used with the LUKS2 format that supports per-keyslot parameters.
For LUKS1, the PBKDF type and hash algorithm are always the same for all keyslots.
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --new-keyfile, --new-keyfile-offset, --new-keyfile-size, --key-slot, --new-key-slot, --volume-key-file, --volume-key-keyring, --force-password, --hash, --header, --disable-locks, --iter-time, --pbkdf, --pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --unbound, --type, --keyslot-cipher, --keyslot-key-size, --key-size, --timeout, --token-id, --token-type, --token-only, --new-token-id, --verify-passphrase, --external-tokens-path].
include::man/common_options.adoc[]
== EXAMPLES
*NOTE*: The interactive passphrase prompt is always the default method when not specified otherwise.
Add new keyslot using interactive passphrase prompt for both existing and new passphrases:
*cryptsetup luksAddKey /dev/device*
Add a new keyslot using LUKS2 tokens to unlock the existing keyslot with an interactive passphrase prompt for the new passphrase:
*cryptsetup luksAddKey --token-only /dev/device*
Add new keyslot using LUKS2 systemd-tpm2 tokens to unlock existing keyslot with interactive passphrase prompt for new passphrase (systemd-tpm2 token plugin must be available):
*cryptsetup luksAddKey --token-type systemd-tpm2 /dev/device*
Add new keyslot using interactive passphrase prompt for existing keyslot, reading new passphrase from key_file:
*cryptsetup luksAddKey --new-keyfile key_file /dev/device* or
*cryptsetup luksAddKey /dev/device key_file*
Add new keyslot using volume stored in volume_key_file and LUKS2 token in slot 5 to get new keyslot passphrase (token in slot 5 must exist and respective token plugin must be available):
*cryptsetup luksAddKey --volume-key-file volume_key_file --new-token-id 5 /dev/device*
include::man/common_footer.adoc[]
Reference in New Issue View Git Blame Copy Permalink