
Linux command

dm-crypt command

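Security

This command requires elevated privileges or has a significant system impact. Verify the target before running it.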

Common examples

Create LUKS encrypted volume

sudo cryptsetup luksFormat [/dev/sdX]

Open LUKS volume

sudo cryptsetup open [/dev/sdX] [name]

Close encrypted volume

sudo cryptsetup close [name]

Show LUKS header information

sudo cryptsetup luksDump [/dev/sdX]

Add a new key to LUKS volume

sudo cryptsetup luksAddKey [/dev/sdX]

Create plain dm-crypt volume

sudo cryptsetup open --type plain [/dev/sdX] [name]

Benchmark encryption algorithms

cryptsetup benchmark

Description

dm-crypt is the Linux kernel's device-mapper encryption target, providing transparent disk encryption. cryptsetup is the userspace tool used to configure dm-crypt, typically with the LUKS (Linux Unified Key Setup) format. LUKS provides a standardized on-disk format with multiple key slots, allowing multiple passphrases or keyfiles. It stores encryption metadata in a header, enabling key management without re-encrypting data. Plain dm-crypt provides encryption without a header, which is useful for plausible deniability but requires the exact parameters to be remembered. Both modes create a mapped device in /dev/mapper/ for normal filesystem operations.

Parameters

luksFormat _device_
Initialize LUKS partition.
open _device_ _name_
Open and map encrypted device.
close _name_
Close mapped device.
luksDump _device_
Display LUKS header information.
luksAddKey _device_
Add new passphrase/keyfile.
luksRemoveKey _device_
Remove a passphrase.
luksHeaderBackup _device_
Back up LUKS header.
luksHeaderRestore _device_
Restore LUKS header.
--type _type_
Encryption type: luks, luks2, plain.
--cipher _cipher_
Encryption cipher (aes-xts-plain64).
--key-size _bits_
Key size in bits.
--hash _hash_
Hash for key derivation.
--key-file _file_
Use keyfile instead of passphrase.

FAQ

What is the dm-crypt command used for?

dm-crypt is the Linux kernel's device-mapper encryption target, providing transparent disk encryption. cryptsetup is the userspace tool used to configure dm-crypt, typically with the LUKS (Linux Unified Key Setup) format. LUKS provides a standardized on-disk format with multiple key slots, allowing multiple passphrases or keyfiles. It stores encryption metadata in a header, enabling key management without re-encrypting data. Plain dm-crypt provides encryption without a header, which is useful for plausible deniability but requires the exact parameters to be remembered. Both modes create a mapped device in /dev/mapper/ for normal filesystem operations.

How do I run a basic dm-crypt example?

Run `sudo cryptsetup luksFormat [/dev/sdX]` in a terminal, replacing `[/dev/sdX]` with the target device and adjusting flags for your system.

What does luksFormat _device_ do in dm-crypt?

Initialize LUKS partition.