eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-13 11:50:10 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
50803ebacb996ef1f937f28b62b0cf7db9efce45
cryptsetup/man/cryptsetup-luksAddKey.8.adoc
Ondrej Kozina 5fce0c2ad1 Extend luksAddKey action options via crypt_keyslot_add_by_keyslot_context API. 
In practice luksAddKey action does two operations. It unlocks existing
device volume key and stores unlocked volume key in a new keyslot.
Previously the options were limited to key files and passphrases.
With this patch user may combine freely following options:

To unlock keyslot with volume key user may:
- provide existing passphrase via interactive prompt (default method)
- use --key-file option to provide file with a valid passphrase to existing keyslot
- provide volume key directly via --volume-key-file
- unlock keyslot via all available LUKS2 tokens by --token-only
- unlock keyslot via specific token with --token-id
- unlock keyslot via specific token type by --token-type

To provide the passphrase for a new keyslot user may:
- provide existing passphrase via interactive prompt (default method)
- use --new-keyfile parameter or positional parameter to read the
  passphrase from file.
- use --new-token-id to select specific LUKS2 token to get passphrase
  for new keyslot. New keyslot is assigned to selected token id if
  operation is succesfull.

Fixes: #725.
2022-09-29 17:31:29 +02:00

72 lines
2.8 KiB
Plaintext
Raw Blame History

= cryptsetup-luksAddKey(8)
:doctype: manpage
:manmanual: Maintenance Commands
:mansource: cryptsetup {release-version}
:man-linkstyle: pass:[blue R < >]
:COMMON_OPTIONS:
:ACTION_LUKSADDKEY:
== Name
cryptsetup-luksAddKey - add a new passphrase
== SYNOPSIS
*cryptsetup _luksAddKey_ [<options>] <device> [<key file with new key>]*
== DESCRIPTION
Adds a keyslot protected by a new passphrase. An existing passphrase
must be supplied interactively, via --key-file or LUKS2 token (plugin).
Alternatively to existing passphrase user may pass directly volume key
(via --volume-key-file). The new passphrase to be added can be specified
interactively, read from the file given as the positional argument (also
via --new-keyfile parameter) or via LUKS2 token.
*NOTE:* with --unbound option the action creates new unbound LUKS2
keyslot. The keyslot cannot be used for device activation. If you don't
pass new key via --volume-key-file option, new random key is generated.
Existing passphrase for any active keyslot is not required.
*NOTE:* some parameters are effective only if used with LUKS2 format
that supports per-keyslot parameters. For LUKS1, PBKDF type and hash
algorithm is always the same for all keyslots.
*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
--new-keyfile, --new-keyfile-offset, --new-keyfile-size, --key-slot,
--new-key-slot, --volume-key-file, --force-password, --hash, --header,
--disable-locks, --iter-time, --pbkdf, --pbkdf-force-iterations,
--pbkdf-memory, --pbkdf-parallel, --unbound, --type, --keyslot-cipher,
--keyslot-key-size, --key-size, --timeout, --token-id, --token-type,
--token-only, --new-token-id, --verify-passphrase].
include::man/common_options.adoc[]
== EXAMPLES
*NOTE*: When not specified otherwise interactive passphrase prompt is always default method.
Add new keyslot using interactive passphrase promtp for both existing and new passphrase:
*cryptsetup luksAddKey /dev/device*
Add new keyslot using LUKS2 tokens to unlock existing keyslot with interactive passphrase promtp for new passphrase:
*cryptsetup luksAddKey --token-only /dev/device*
Add new keyslot using LUKS2 systemd-tpm2 tokens to unlock existing keyslot with interactive passphrase promtp for new passphrase (systemd-tpm2 token plugin must be available):
*cryptsetup luksAddKey --token-type systemd-tpm2 /dev/device*
Add new keyslot using interactive passphrase promtp for existing keyslot, reading new passphrase from key_file:
*cryptsetup luksAddKey --new-keyfile key_file /dev/device* or
*cryptsetup luksAddKey /dev/device key_file*
Add new keyslot using volume stored in volume_key_file and LUKS2 token in slot 5 to get new keyslot passphrase (token in slot 5 must exist
and respective token plugin must be available):
*cryptsetup luksAddKey --volume-key-file volume_key_file --new-token-id 5 /dev/device*
include::man/common_footer.adoc[]
Reference in New Issue View Git Blame Copy Permalink