GRML-CRYPT(8)

"Formats" a <device/file>. If the second parameter is not a block device grml-crypt assumes that it should operate in file modus. If the file does not already exist it will be created with the given size. The first 2MB of a device (luks header) are initialised with /dev/urandom, the other space with the given initialisation. If grml-crypt is in file modus the first 2MB of the loop file are also initialised with /dev/urandom except where the file already exists (use -f for overwriting). Commands: [losetup], dd, cryptsetup luksFormat, cryptsetup luksOpen, [dd], mkfs, [mount]

Starts an encrypted <device/file> and mounts it to the given or a default mountpoint. Commands: [losetup], cryptsetup luksOpen, mount

Stops an encrypted filesystem mounted at <mountpoint>. Even the loopdevice gets destroyed with this command. Commands: mount, dmsetup info, cryptsetup status, umount, cryptsetup luksClose, [losetup -d]

Shows the help message.

Shows summary of options.

Shows what is going on (more v ⇒ more out).

Gives the size of loop filesystem grml-crypt should create.

Gives the type of the filesystem grml-crypt should create. /sbin/mkfs.<your choosen filesystem> should exist.

Read-only mode. The device mapping AND the mountpoint will be made read-only. In format mode only the mountpoint can be made read-only.

Insecure initialisation mode

Optimized initialisation mode

Verifies the password by asking for it twice during creation.

Forces overwriting and/or disable confirmation dialog. If the second parameter to format is an existing file and force is given, then the file will be used for the encrypted loop filesystem. ATTENTION: the file should be bigger than 2MB for LUKS only + the constraints from the filesystems itself (eg. xfs needs a minimum of 4096 blocks).

Only for action start: Run fsck on the filesystem before mounting it to the given mountpoint. If given twice, use fsck’s -f option as well.

Additional arguments passed through to mount. Could be like "-o noatime".

Cipher size used for encryption. Usually 128, 192 or 256 (but higher may also be possible).

Cipher mode, should be aes-plain for pre-2.6.10. Have a look at /proc/crypto for other ciphers.

The number of seconds to spend with PBKDF2 password processing. This time is consumed for every key operation (format, start).

Additional arguments to cryptsetup’s luksFormat.

This is the default mode. It should be quite secure. The <device/file> gets initialised with /dev/urandom. Except with an already existing file and -f, where NO initialisation will be done (all other modes behave as usual).

Only the first 2MB of the <device/file> are initialised with /dev/urandom. The encryption will be initialised and then the whole encrypted device is filled with /dev/zero.

Only the first 2MB of the <device/file> are initialised with /dev/urandom.

Formats /dev/hda4 with xfs and applies optimized initialisation rules and mounts it to /media/tmp

Creates /home/user/test.img with 10MB and applies only insecure initialisation rules. Creates an ext2 filesystem on it and mounts it to /media/tmp.

Reuses the image img with no initialisation. The encryption is established with aes-plain with 256 bit keysize and an iteration time of 2 seconds. Cryptsetup is advised to verify the password by asking for it twice. Mounts it to /media/tmp with -o noatime. And prints what is going on (-vvv).

Formats your usbstick which hopefully is located at /dev/external1 (please verify!) with ext2 and nearly no initialisation. You could give the format action a mountpoint too. In this case your crypto-partition gets mounted on that mountpoint as well.

Asks you for the right passphrase for your crypto-partition and tries to mount it to /media/tmp.

Removes your crypto-partition cleanly out of the system (umount, cryptsetup luksClose, [losetup -d]).

Mounts your usb-stick on /media/external1 (please verify!).

Creates a 50MB big file, encrypted with the default options and vfat (also known as fat32). The optimized initialisation mode will be used for this file (without -o this could take REALLY LONG). This command also starts your cryptofile and mounts it on /media/tmp.

Removes your crypto-partition cleanly out of the system (umount, cryptsetup luksClose, [losetup -d]).

Guess what? ;)