56819864c0
Due to internal retry-overengineering in libdevmapper, some dm-ioctl failures can disappear. One such case is when there is a device creation race and DM device is created but reload fails. this can heppen because some block device used in table mapping is already claimed (it needs exclusive access for bdev_open in kernel). The kernel ioctl properly returns EBUSY, this errno is lost in libdevmapper (dm_task_get_errno returns 0). While this should be solved by libdevampper, we need some reliable way on older systems to properly report "busy" error instead of overloaded "invalid" error. With modified reproducer (see check_concurrent in very compat test), this situation can happen quite often. This patch modifies dm_create_device to return ENODEV only if dm-ioctl also reports no device (ENXIO); following dm status reports ENODEV and also some referenced device is no longer accesible through stat(). In all other cases we return EBUSY. Command line translates EBUSY and EEXIST to the same return vaules, for API users it now returns EBUSY instead of generic EINVAL. IOW, if device activation returns EEXIST or EBUSY, device-mapper cannot create the device because it already exits (EEXIST) or some referenced device is claimed by other subystem (EBUSY) and mapping table cannot be created.
What the ...?
Cryptsetup is an open-source utility used to conveniently set up disk encryption based on the dm-crypt kernel module.
These formats are supported:
- plain volumes,
- LUKS volumes,
- loop-AES,
- TrueCrypt (including VeraCrypt extension),
- BitLocker, and
- FileVault2.
The project also includes a veritysetup utility used to conveniently setup dm-verity block integrity checking kernel module and integritysetup to setup dm-integrity block integrity kernel module.
LUKS Design
LUKS is the standard for Linux disk encryption. By providing a standardized on-disk format, it not only facilitate compatibility among distributions, but also enables secure management of multiple user passwords. LUKS stores all necessary setup information in the partition header, which enables users to transport or migrate data seamlessly.
Specification and documentation
- The latest version of the LUKS2 format specification.
- The latest version of the LUKS1 format specification.
- Project home page.
- Frequently asked questions (FAQ)
Download
Release notes and tarballs are available at kernel.org.
The latest stable cryptsetup release version is 2.7.3
- cryptsetup-2.7.3.tar.xz
- Signature cryptsetup-2.7.3.tar.sign (You need to decompress file first to check signature.)
- Cryptsetup 2.7.3 Release Notes.
Previous versions
Source and API documentation
For development version code, please refer to the source page, with mirrors at kernel.org and GitHub.
For libcryptsetup documentation see libcryptsetup API page.
NLS PO files are maintained by TranslationProject.
Required packages
All major Linux distributions provide cryptsetup as a bundled package. If you need to compile cryptsetup yourself, various additional packages are required. Any distribution-specific build tools are preferred when manually configuring cryptsetup.
Below are the packages needed to build for certain Linux distributions:
For Fedora:
git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel
libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar
Optionally: libargon2-devel libpwquality-devel
To run the internal testsuite (make check) you also need to install
sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openssh-clients openssh sshpass
For Debian and Ubuntu:
git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev
libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev tar
Optionally: libargon2-0-dev libpwquality-dev
To run the internal testsuite (make check) you also need to install
sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
Note that the list may change as Linux distributions evolve.
Compilation
The cryptsetup project uses automake and autoconf system to generate all files needed to build. When building from a git snapshot,, use ./autogen.sh && ./configure && make to compile the project. When building from a release tar.xz tarball, the configure script is pre-generated (no need to run autoconf.sh). See ./configure --help and use the --disable-[feature] and --enable-[feature] options.
To run the test suite that come with the project, type make check. Note that most tests will need root user privileges and will run dangerous storage failure simulations. Do not run tests with root privilege on production systems! Some tests will need the scsi_debug kernel module to be installed.
For more details, please refer to the automake and autoconf documentation.
Help!
Documentation
Please read the following before posting questions to the mailing list so that you can ask better questions and better understand answers.
- Frequently asked questions (FAQ),
- LUKS Specifications, and
- manuals (aka man page, man pages, man-page)
The FAQ is available online and in the source code for the project. The specifications are referenced above in this document. The man pages live within the source tree and should be available after installation using standard man commands, e.g. man cryptsetup.
Mailing List
For cryptsetup and LUKS related questions, please use the cryptsetup mailing list cryptsetup@lists.linux.dev, hosted at kernel.org subspace. To subscribe send an empty email message to cryptsetup+subscribe@lists.linux.dev.
You can also browse and/or search the mailing list archive. USEnet News (NNTP), Atom feed and git access to the public inbox is available through lore.kernel.org service.
The former dm-crypt list archive is also available.