Cryptsetup resize example

Using --offset will shift the IV calculation by the same negative amount. Hence, with --offset n, sector n will be the first sector on the mapping with IV 0. Using --skip would have resulted in sector n being the first sector also, but with IV n.

This option is only relevant for luksFormat. This option is relevant every time a password is asked, like create, luksOpen, luksFormat or luksAddKey. This option is relevant for luksFormat. See for instance the sunit and swidth options in the mkfs. By default the payload is aligned at an 8 sector byte boundary. It will process the read material with the default hash or the hash given by --hash. After hashing it will be cropped to the key size given by -s or default bit.

From a key file: It will be cropped to the size given by -s. If there is insufficient key material in the key file, cryptsetup will quit with an error. Hence, -h is ignored. I got my eyes checked: the open action has a --size argument. It's about online resize. Now what happens when you make the LV larger? Logical volume test successfully resized.

The detailed explanation is evidence of labour and concern for the welfare of one's fellow hacks. But it is not a canonical answer to the questions posed - and that is what the reward was put up for: for the definitive statement on i What is "resized" if no size information is stored? Yeah, it's a brilliant answer. I didn't know what I was talking about. I do now, however - now that I have read it again. Ah, I see - you edited it. Well I'm certainly wiser for it now. Thank you. I did the resize2fs on my partition, my lvdisplay and pvdisplay show the shrunken size?

How can I make the volume smaller now? My volume is a VirtualBox. I don't know. Thanks — Mathieu J. Arbitrary mappings are supported. This option is only relevant for the create action. Use --offset, --size and --skip to specify the mapped area.

Specifying 0 as parameter selects the compiled-in default. If the -y option is not specified, this option also switches off the passphrase verification for luksFormat. The number of seconds to wait before timeout on passphrase input via terminal. It is relevant every time a passphrase is asked, for example for create , luksOpen , luksFormat or luksAddKey.

It has no effect if used in conjunction with --key-file. This option is useful when the system should not stall if the user does not input a passphrase, e. The default is a value of 0 seconds, which means to wait forever.

How often the input of the passphrase shall be retried. This option is relevant every time a passphrase is asked, for example for create , luksOpen , luksFormat or luksAddKey. The default is 3 tries. Align payload at a boundary of value byte sectors.

This option is relevant for luksFormat. If not specified, cryptsetup tries to use the topology info provided by the kernel for the underlying device to get optimal alignment. If not available or the calculated value is a multiple of the default, data is by default aligned to a 1MiB boundary i. For a detached LUKS header this option specifies the offset on the data device.

See also the --header option. Allow the use of discard TRIM requests for device. This option is only relevant for create , luksOpen and loopaesOpen.

WARNING: This command can have a negative security impact because it can make filesystem-level operations visible on the physical device. For example, information leaking filesystem type, used space, etc. If in doubt, do not use it. Use a detached (separated) metadata device or file where the LUKS header is stored. This option allows storing the ciphertext and the LUKS header on different devices. For luksFormat with a file name as argument to --header, it has to exist and be large enough to contain the LUKS header.

See the cryptsetup FAQ for header size calculation. For other commands that change the LUKS header e. If used with luksFormat , the --align-payload option is taken as absolute sector alignment on ciphertext device and can be zero. In fact you can specify an arbitrary device as the ciphertext device for luksOpen with the --header option. Use with care. This is free software; see the source for copying conditions.

The reload action is no longer supported. Please use dmsetup(8) if you need to directly manipulate the device mapping table. LUKS checks for a valid passphrase when an encrypted partition is unlocked. The behavior of plain dm-crypt is different. It will always decrypt with the passphrase given. If the given passphrase is wrong, the device mapped by plain dm-crypt will essentially still contain encrypted data and will be unreadable. It adds a standardized header at the start of the device, a key-slot area directly behind the header and the bulk data area behind that.

For most purposes both terms can be used interchangeably. LUKS can manage multiple passphrases that can be individually revoked or changed and that can be securely scrubbed from persistent media due to the use of anti-forensic stripes.

Passphrases are protected against brute-force and dictionary attacks by PBKDF2, which implements hash iteration and salting in one function. Each passphrase, also called a key in this document, is associated with one of 8 key-slots.

Key operations that do not specify a slot affect the first slot that matches the supplied passphrase or the first empty slot if a new passphrase is added. Note that if the second argument is present, then the passphrase is taken from the file given there, without the need to use the --key-file option. If the passphrase is not supplied via --key-file, the command prompts for it interactively. Suspends an active device (all IO operations will be blocked and accesses to the device will wait indefinitely) and wipes the encryption key from kernel memory.

Needs kernel 2. After this operation you have to use luksResume to reinstate the encryption key and unblock the device or luksClose to remove the mapped device.

Resumes a suspended device and reinstates the encryption key. Prompts interactively for a passphrase if --key-file is not given. An existing passphrase must be supplied interactively or via --key-file.

The new passphrase to be added can be specified interactively or read from the file given as positional argument. Removes the supplied passphrase from the LUKS device. The passphrase to be removed can be specified interactively, as positional argument or via --key-file.

Removing the last passphrase makes the LUKS container permanently inaccessible. Changes an existing passphrase. The passphrase to be changed must be supplied interactively or via --key-file. The new passphrase can be supplied interactively or in a file given as positional argument. If a key-slot is specified via --key-slot , the passphrase for that key-slot must be given and the new passphrase will overwrite the specified key-slot.

If no key-slot is specified and there is still a free key-slot, then the new passphrase will be put into a free key-slot before the key-slot containing the old passphrase is purged. If there is no free key-slot, then the key-slot with the old passphrase is overwritten directly. A remaining passphrase must be supplied, either interactively or via --key-file. This command can remove the last remaining key-slot, but requires an interactive confirmation when doing so.

Removing the last passphrase makes a LUKS container permanently inaccessible. Use option -v to get human-readable feedback. If the --dump-master-key option is used, the LUKS device master key is dumped instead of the keyslot info. Beware that the master key cannot be changed and can be used to decrypt the data stored in the LUKS container without a passphrase and even without the LUKS header.

This means that if the master key is compromised, the whole device has to be erased to prevent further access. Use this option carefully. In order to dump the master key, a passphrase has to be supplied, either interactively or via --key-file. Stores a binary backup of the LUKS header and keyslot area. Also note that with a header backup you lose the ability to securely wipe the LUKS device by just overwriting the header and key-slots.


