GRML-CRYPT(8)

grml-crypt - Wrapper around cryptsetup/losetup/mkfs/mount

grml-crypt [OPTIONS] action <device/file> [mountpoint]

grml-crypt is a program that provides an easy wrapper around cryptsetup, mkfs, losetup and mount. You could create a loopback mounted crypted filesystem with only one command, but grml-crypt works for normal devices as well.

format <device/file> [mountpoint]

"Formats" a <device/file>. If the second parameter is not a block device grml-crypt assumes that it should operate in file modus. If the file does not already exist it will be created with the given size. The first 2MB of a device (luks header) are initialised with /dev/urandom, the other space with the given initialisation. If grml-crypt is in file modus the first 2MB of the loop file are also initialised with /dev/urandom except where the file already exists (use -f for overwriting). Commands: [losetup], dd, cryptsetup luksFormat, cryptsetup luksOpen, [dd], mkfs, [mount]

start <device/file> <mountpoint>

Starts an encrypted <device/file> and mounts it to the given mountpoint. Commands: [losetup], cryptsetup luksOpen, mount

stop <mountpoint>

Stops an encrypted filesystem mounted at <mountpoint>. Even the loopdevice gets destroyed with this command. Commands: mount, dmsetup info, cryptsetup status, umount, cryptsetup luksClose, [losetup -d]

help

Shows the help message.

-h, help

Shows summary of options.

-v

Shows what is going on (more v => more out).

-s (in MB, default=10)

Gives the size of loop filesystem grml-crypt should create.

-t (default=vfat)

Gives the type of the filesystem grml-crypt should create. /sbin/mkfs.<your choosen filesystem> should exist.

-r

Read-only mode. The device mapping AND the mountpoint will be made read-only. In format mode only the mountpoint can be made read-only.

-z

Insecure initialisation mode

-o

Optimized initialisation mode

-y

Verifies the password by asking for it twice during creation.

-f

Forces overwriting and/or disable confirmation dialog. If the second parameter to format is an existing file and force is given, then the file will be used for the encrypted loop filesystem. ATTENTION: the file should be bigger than 2MB for LUKS only + the constraints from the filesystems itself (eg. xfs needs a minimum of 4096 blocks).

-m

Additional arguments passed through to mount. Could be like "-o noatime".

-S (in bits, default=128)

Cipher size used for encryption. Usually 128, 192 or 256 (but higher may also be possible).

-C (default=aes-cbc-essiv:sha256)

Cipher mode, should be aes-plain for pre-2.6.10. Have a look at /proc/crypto for other ciphers.

-I (in seconds, default=1)

The number of seconds to spend with PBKDF2 password processing. This time is consumed for every key operation (format, start).

-A (default="")

Additional arguments to cryptsetup's luksFormat.

Default/Secure mode (no -o or -z given)

This is the default mode. It should be quite secure. The <device/file> gets initialised with /dev/urandom. Except with an already existing file and -f, where NO initialisation will be done (all other modes behave as usual).

Optimized secure mode (-o)

Only the first 2MB of the <device/file> are initialised with /dev/urandom. The encryption will be initialised and then the whole encrypted device is filled with /dev/zero.

Insecure mode (-z)

Only the first 2MB of the <device/file> are initialised with /dev/urandom.

grml-crypt -t xfs -o format /dev/hda4 /mnt/tmp

Formats /dev/hda4 with xfs and applies optimized initialisation rules and mounts it to /mnt/tmp

grml-crypt -t ext2 -z format /home/user/test.img /mnt/tmp

Creates /home/user/test.img with 10MB and applies only insecure initialisation rules. Creates an ext2 filesystem on it and mounts it to /mnt/tmp.

grml-crypt -f -S 256 -C aes-plain -I 2 -A —verify-passphrase -m '-o noatime' -vvv format img /mnt/tmp

Reuses the image img with no initialisation. The encryption is established with aes-plain with 256 bit keysize and an iteration time of 2 seconds. Cryptsetup is advised to verify the password by asking for it twice. Mounts it to /mnt/tmp with -o noatime. And prints what is going on (-vvv).

grml-crypt -t ext2 -z format /dev/external1

Formats your usbstick which hopefully is located at /dev/external1 (please verify!) with ext2 and nearly no initialisation. You could give the format action a mountpoint too. In this case your crypto-partition gets mounted on that mountpoint as well.

grml-crypt start /dev/external1 /mnt/tmp

Asks you for the right passphrase for your crypto-partition and tries to mount it to /mnt/tmp.

grml-crypt stop /mnt/tmp

Removes your crypto-partition cleanly out of the system (umount, cryptsetup luksClose, [losetup -d]).

mount /mnt/external1

Mounts your usb-stick on /mnt/external1 (please verify!).

grml-crypt -o -t vfat -s 50 format /mnt/external1/secure.img /mnt/tmp

Creates a 50MB big file, encrypted with the default options and vfat (also known as fat32). The optimized initialisation mode will be used for this file (without -o this could take REALLY LONG). This command _also_ starts your cryptofile and mounts it on /mnt/tmp.

grml-crypt stop /mnt/tmp

Removes your crypto-partition cleanly out of the system (umount, cryptsetup luksClose, [losetup -d]).

umount /mnt/external1

Guess what? ;)

cryptsetup(8)

grml-crypt was written by Michael Gebetsroither <michael.geb@gmx.at>.

This manual page was written by Michael Gebetsroither <gebi@grml.org>.