kernel module. These include plain dm-crypt volumes, LUKS volumes, loop-AES and TrueCrypt compatible format.
| integritysetup.8 (cryptsetup-2.3.6.tar.xz) | : | integritysetup.8 (cryptsetup-2.4.0.tar.xz) |
|---|
| | |
| skipping to change at line 34 | | skipping to change at line 34 |
|---|
| --tag-size, --integrity, --integrity-key-size, --integrity-key-
file, --sector-size, --progress- | | --tag-size, --integrity, --integrity-key-size, --integrity-key-
file, --sector-size, --progress- |
| frequency] | | frequency] |
| | |
| open <device> <name> | | open <device> <name> |
| create <name> <device> (OBSOLETE syntax) | | create <name> <device> (OBSOLETE syntax) |
| | |
| Open a mapping with <name> backed by device <device>. | | Open a mapping with <name> backed by device <device>. |
| | |
| <options> can be [--data-device, --batch-mode, --journal-watermark
, --journal-commit-time, --buf- | | <options> can be [--data-device, --batch-mode, --journal-watermark
, --journal-commit-time, --buf- |
| fer-sectors, --integrity, --integrity-key-size, --integrity-ke
y-file, --integrity-no-journal, | | fer-sectors, --integrity, --integrity-key-size, --integrity-ke
y-file, --integrity-no-journal, |
|
| --integrity-recalculate, --integrity-recovery-mode, --allow-discar | | --integrity-recalculate, --integrity-recalculate-reset,--integri |
| ds] | | ty-recovery-mode, --allow-dis- |
| | cards] |
| | |
| close <name> | | close <name> |
| | |
| Removes existing mapping <name>. | | Removes existing mapping <name>. |
| | |
| For backward compatibility, there is remove command alias for the
close command. | | For backward compatibility, there is remove command alias for the
close command. |
| | |
|
| | <options> can be [--deferred] or [--cancel-deferred] |
| | |
| status <name> | | status <name> |
| | |
| Reports status for the active integrity mapping <name>. | | Reports status for the active integrity mapping <name>. |
| | |
| dump <device> | | dump <device> |
| | |
| Reports parameters from on-disk stored superblock. | | Reports parameters from on-disk stored superblock. |
| | |
| OPTIONS | | OPTIONS |
| --verbose, -v | | --verbose, -v |
| | |
| skipping to change at line 67 | | skipping to change at line 70 |
|---|
| --version | | --version |
| Show the program version. | | Show the program version. |
| | |
| --batch-mode | | --batch-mode |
| Do not ask for confirmation. | | Do not ask for confirmation. |
| | |
| --progress-frequency <seconds> | | --progress-frequency <seconds> |
| Print separate line every <seconds> with wipe progress. | | Print separate line every <seconds> with wipe progress. |
| | |
| --no-wipe | | --no-wipe |
|
| Do not wipe the device after format. A device that is not initiall
y wiped will contain invalid | | Do not wipe the device after format. A device that is not init
ially wiped will contain invalid |
| checksums. | | checksums. |
| | |
| --journal-size, -j BYTES | | --journal-size, -j BYTES |
| Size of the journal. | | Size of the journal. |
| | |
| --interleave-sectors SECTORS | | --interleave-sectors SECTORS |
| The number of interleaved sectors. | | The number of interleaved sectors. |
| | |
| --integrity-recalculate | | --integrity-recalculate |
|
| Automatically recalculate integrity tags in kernel on activation | | Automatically recalculate integrity tags in kernel on activation. |
| . The device can be used during | | The device can be used during |
| automatic integrity recalculation but becomes fully integrity prot | | automatic integrity recalculation but becomes fully integrity pro |
| ected only after the background | | tected only after the background |
| operation is finished. This option is available since the Linux k
ernel version 4.19. | | operation is finished. This option is available since the Linux k
ernel version 4.19. |
| | |
|
| | --integrity-recalculate-reset |
| | Restart recalculation from the beginning of the device. It can be |
| | used to change the integrity |
| | checksum function. Note it does not change the tag length. Th |
| | is option is available since the |
| | Linux kernel version 5.13. |
| | |
| --journal-watermark PERCENT | | --journal-watermark PERCENT |
|
| Journal watermark in percents. When the size of the journal exc
eeds this watermark, the journal | | Journal watermark in percents. When the size of the journal exceed
s this watermark, the journal |
| flush will be started. | | flush will be started. |
| | |
| --journal-commit-time MS | | --journal-commit-time MS |
|
| Commit time in milliseconds. When this time passes (and no explici
t flush operation was issued), | | Commit time in milliseconds. When this time passes (and no expli
cit flush operation was issued), |
| the journal is written. | | the journal is written. |
| | |
| --tag-size, -t BYTES | | --tag-size, -t BYTES |
| Size of the integrity tag per-sector (here the integrity function
will store authentication tag). | | Size of the integrity tag per-sector (here the integrity function
will store authentication tag). |
| | |
| NOTE: The size can be smaller that output size of the hash functio
n, in that case only part of the | | NOTE: The size can be smaller that output size of the hash functio
n, in that case only part of the |
| hash will be stored. | | hash will be stored. |
| | |
| --data-device | | --data-device |
|
| Specify a separate data device that contains existing data. The <d
evice> then will contain calcu- | | Specify a separate data device that contains existing data. The <
device> then will contain calcu- |
| lated integrity tags and journal for this data device. | | lated integrity tags and journal for this data device. |
| | |
| --sector-size, -s BYTES | | --sector-size, -s BYTES |
| Sector size (power of two: 512, 1024, 2048, 4096). | | Sector size (power of two: 512, 1024, 2048, 4096). |
| | |
| --buffer-sectors SECTORS | | --buffer-sectors SECTORS |
| The number of sectors in one buffer. | | The number of sectors in one buffer. |
| | |
|
| The tag area is accessed using buffers, the large buffer size
means that the I/O size will be | | The tag area is accessed using buffers, the large buffer size mean
s that the I/O size will be |
| larger, but there could be less I/Os issued. | | larger, but there could be less I/Os issued. |
| | |
| --integrity, -I ALGORITHM | | --integrity, -I ALGORITHM |
|
| Use internal integrity calculation (standalone mode). The in
tegrity algorithm can be CRC | | Use internal integrity calculation (standalone mode). The
integrity algorithm can be CRC |
| (crc32c/crc32) or hash function (sha1, sha256). | | (crc32c/crc32) or hash function (sha1, sha256). |
| | |
| For HMAC (hmac-sha256) you have also to specify an integrity key a
nd its size. | | For HMAC (hmac-sha256) you have also to specify an integrity key a
nd its size. |
| | |
| --integrity-key-size BYTES | | --integrity-key-size BYTES |
| The size of the data integrity key. Maximum is 4096 bytes. | | The size of the data integrity key. Maximum is 4096 bytes. |
| | |
| --integrity-key-file FILE | | --integrity-key-file FILE |
| The file with the integrity key. | | The file with the integrity key. |
| | |
| --integrity-no-journal, -D | | --integrity-no-journal, -D |
| Disable journal for integrity device. | | Disable journal for integrity device. |
| | |
| --integrity-bitmap-mode. -B | | --integrity-bitmap-mode. -B |
|
| Use alternate bitmap mode (available since Linux kernel 5.2) | | Use alternate bitmap mode (available since Linux kernel 5.2) w |
| where dm-integrity uses bitmap | | here dm-integrity uses bitmap |
| instead of a journal. If a bit in the bitmap is 1, the correspondi | | instead of a journal. If a bit in the bitmap is 1, the correspon |
| ng region's data and integrity | | ding region's data and integrity |
| tags are not synchronized - if the machine crashes, the unsynch | | tags are not synchronized - if the machine crashes, the unsynchron |
| ronized regions will be recalcu- | | ized regions will be recalcu- |
| lated. The bitmap mode is faster than the journal mode, because w | | lated. The bitmap mode is faster than the journal mode, because |
| e don't have to write the data | | we don't have to write the data |
| twice, but it is also less reliable, because if data corruption h | | twice, but it is also less reliable, because if data corruption ha |
| appens when the machine crashes, | | ppens when the machine crashes, |
| it may not be detected. | | it may not be detected. |
| | |
| --bitmap-sectors-per-bit SECTORS | | --bitmap-sectors-per-bit SECTORS |
| Number of 512-byte sectors per bitmap bit, the value must be power
of two. | | Number of 512-byte sectors per bitmap bit, the value must be power
of two. |
| | |
| --bitmap-flush-time MS | | --bitmap-flush-time MS |
| Bitmap flush time in milliseconds. | | Bitmap flush time in milliseconds. |
| | |
| WARNING: | | WARNING: |
| In case of a crash, it is possible that the data and integrity tag
doesn't match if the journal is | | In case of a crash, it is possible that the data and integrity tag
doesn't match if the journal is |
| | |
| skipping to change at line 158 | | skipping to change at line 166 |
|---|
| --journal-integrity ALGORITHM | | --journal-integrity ALGORITHM |
| Integrity algorithm for journal area. See --integrity option for
detailed specification. | | Integrity algorithm for journal area. See --integrity option for
detailed specification. |
| | |
| --journal-integrity-key-size BYTES | | --journal-integrity-key-size BYTES |
| The size of the journal integrity key. Maximum is 4096 bytes. | | The size of the journal integrity key. Maximum is 4096 bytes. |
| | |
| --journal-integrity-key-file FILE | | --journal-integrity-key-file FILE |
| The file with the integrity key. | | The file with the integrity key. |
| | |
| --journal-crypt ALGORITHM | | --journal-crypt ALGORITHM |
|
| Encryption algorithm for journal data area. You can use a block c
ipher here such as cbc-aes or a | | Encryption algorithm for journal data area. You can use a block
cipher here such as cbc-aes or a |
| stream cipher, for example, chacha20 or ctr-aes. | | stream cipher, for example, chacha20 or ctr-aes. |
| | |
| --journal-crypt-key-size BYTES | | --journal-crypt-key-size BYTES |
| The size of the journal encryption key. Maximum is 4096 bytes. | | The size of the journal encryption key. Maximum is 4096 bytes. |
| | |
| --journal-crypt-key-file FILE | | --journal-crypt-key-file FILE |
| The file with the journal encryption key. | | The file with the journal encryption key. |
| | |
| --allow-discards | | --allow-discards |
| Allow the use of discard (TRIM) requests for the device. This opt
ion is available since the Linux | | Allow the use of discard (TRIM) requests for the device. This opt
ion is available since the Linux |
| kernel version 5.7. | | kernel version 5.7. |
| | |
|
| | --deferred |
| | Defers device removal in close command until the last user closes |
| | it. |
| | |
| | --cancel-deferred |
| | Removes a previously configured deferred device removal in close c |
| | ommand. |
| | |
| The dm-integrity target is available since Linux kernel version 4.12. | | The dm-integrity target is available since Linux kernel version 4.12. |
| | |
|
| NOTE: Format and activation of an integrity device always require su
peruser privilege because the | | NOTE: Format and activation of an integrity device always require
superuser privilege because the |
| superblock is calculated and handled in dm-integrity kernel target
. | | superblock is calculated and handled in dm-integrity kernel target
. |
| | |
| LEGACY COMPATIBILITY OPTIONS | | LEGACY COMPATIBILITY OPTIONS |
| WARNING: | | WARNING: |
| Do not use these options until you need compatibility with specifi
c old kernel. | | Do not use these options until you need compatibility with specifi
c old kernel. |
| | |
| --integrity-legacy-padding | | --integrity-legacy-padding |
| Use inefficient legacy padding. | | Use inefficient legacy padding. |
| | |
| --integrity-legacy-hmac | | --integrity-legacy-hmac |
| Use old flawed HMAC calclation (also does not protect superblock). | | Use old flawed HMAC calclation (also does not protect superblock). |
| | |
| --integrity-legacy-recalculate | | --integrity-legacy-recalculate |
|
| Allow insecure recalculating of volumes with HMAC keys (recalcual
tion offset in superblock is not | | Allow insecure recalculating of volumes with HMAC keys (recalcualt
ion offset in superblock is not |
| protected). | | protected). |
| | |
| RETURN CODES | | RETURN CODES |
| Integritysetup returns 0 on success and a non-zero value on error. | | Integritysetup returns 0 on success and a non-zero value on error. |
| | |
| Error codes are: | | Error codes are: |
| 1 wrong parameters | | 1 wrong parameters |
| 2 no permission | | 2 no permission |
| 3 out of memory | | 3 out of memory |
| 4 wrong device specified | | 4 wrong device specified |
| | |
| skipping to change at line 211 | | skipping to change at line 225 |
|---|
| Format the device with default standalone mode (CRC32C): | | Format the device with default standalone mode (CRC32C): |
| | |
| integritysetup format <device> | | integritysetup format <device> |
| | |
| Open the device with default parameters: | | Open the device with default parameters: |
| | |
| integritysetup open <device> test | | integritysetup open <device> test |
| | |
| Format the device in standalone mode for use with HMAC(SHA256): | | Format the device in standalone mode for use with HMAC(SHA256): |
| | |
|
| integritysetup format <device> --tag-size 32 --integrity hmac-sha256
--integrity-key-file <keyfile> | | integritysetup format <device> --tag-size 32 --integrity hmac-sha25
6 --integrity-key-file <keyfile> |
| --integrity-key-size <key_bytes> | | --integrity-key-size <key_bytes> |
| | |
| Open (activate) the device with HMAC(SHA256) and HMAC key in file: | | Open (activate) the device with HMAC(SHA256) and HMAC key in file: |
| | |
|
| integritysetup open <device> test --integrity hmac-sha256
--integrity-key-file <keyfile> | | integritysetup open <device> test --integrity hmac-sha256 -
-integrity-key-file <keyfile> |
| --integrity-key-size <key_bytes> | | --integrity-key-size <key_bytes> |
| | |
| Dump dm-integrity superblock information: | | Dump dm-integrity superblock information: |
| | |
| integritysetup dump <device> | | integritysetup dump <device> |
| | |
| REPORTING BUGS | | REPORTING BUGS |
|
| Report bugs, including ones in the documentation, on the cryptsetup maili | | Report bugs, including ones in the documentation, on the cryptsetup mai |
| ng list at <dm-crypt@saout.de> | | ling list at <dm-crypt@saout.de> |
| or in the 'Issues' section on LUKS website. Please attach the outpu | | or in the 'Issues' section on LUKS website. Please attach the output of |
| t of the failed command with the | | the failed command with the |
| --debug option added. | | --debug option added. |
| | |
| AUTHORS | | AUTHORS |
|
| The integritysetup tool is written by Milan Broz <gmazyland@gmail.com> an
d is part of the cryptsetup | | The integritysetup tool is written by Milan Broz <gmazyland@gmail.co
m> and is part of the cryptsetup |
| project. | | project. |
| | |
| COPYRIGHT | | COPYRIGHT |
| Copyright © 2016-2021 Red Hat, Inc. | | Copyright © 2016-2021 Red Hat, Inc. |
| Copyright © 2016-2021 Milan Broz | | Copyright © 2016-2021 Milan Broz |
| | |
|
| This is free software; see the source for copying conditions. There i
s NO warranty; not even for MER- | | This is free software; see the source for copying conditions. There is N
O warranty; not even for MER- |
| CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
| | |
| SEE ALSO | | SEE ALSO |
| The project website at https://gitlab.com/cryptsetup/cryptsetup | | The project website at https://gitlab.com/cryptsetup/cryptsetup |
| | |
|
| The integrity on-disk format specification available at http
s://gitlab.com/cryptsetup/crypt- | | The integrity on-disk format specification available at http
s://gitlab.com/cryptsetup/crypt- |
| setup/wikis/DMIntegrity | | setup/wikis/DMIntegrity |
| | |
| integritysetup January 2021
INTEGRITYSETUP(8) | | integritysetup January 2021
INTEGRITYSETUP(8) |
| | | |
| End of changes. 21 change blocks. |
|---|
| 34 lines changed or deleted | | 52 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 