Sorry, sent wrong patch. Here is the good one.
Sorry again. -- Bruno Barrera Yever LP ID: www.launchpad.net/~bbyever
--- cryptsetup.8 2007-05-01 12:28:00.000000000 -0500 +++ cryptsetup.8.new 2008-04-08 20:07:23.000000000 -0500 @@ -1,4 +1,4 @@ -.TH CRYPTSETUP "8" "March 2005" "cryptsetup 1.0.3" "Maintainance Commands" +.TH CRYPTSETUP "8" "March 2005" "cryptsetup 1.0.3" "Maintenance Commands" .SH NAME cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension) .SH SYNOPSIS @@ -88,34 +88,36 @@ set cipher specification string. Usually query for passwords twice. Useful, when creating a (regular) mapping for the first time, or when running \fIluksFormat\fR. .TP .B "\-\-key-file, \-d" -use file as key material. With LUKS, key material supplied in key files via \-d are always used for existing passphrases. If you want to set a new key via a key file, you have to use a positional arg to \fIluksFormat\fR or \fIluksAddKey\fR. If the key file is "-", stdin will be used. +use file as key material. With LUKS, key material supplied in key files via \-d are always used for existing passphrases. If you want to set a new key via a key file, you have to use a positional arg to \fIluksFormat\fR or \fIluksAddKey\fR. + +If the key file is "-", stdin will be used. This is different from how cryptsetup usually reads from stdin. See section \fBNOTES ON PASSWORD PROCESSING\fR for more information. .TP .B "\-\-key-size, \-s" -set key size in bits. Has to be a multiple of 8 bits. The key size is limited by the used cipher. See output of /proc/crypto for more information. Can be used for \fIcreate\fR or \fIluksFormat\fR, all other LUKS actions will ignore this flag, as the key-size is specified by the partition header. Default is 128. +set key size in bits. Has to be a multiple of 8 bits. The key size is limited by the used cipher. See output of /proc/crypto for more information. Can be used for \fIcreate\fR or \fIluksFormat\fR, all other LUKS actions will ignore this flag, as the key-size is specified by the partition header. Default is 128 for \fIluksFormat\fR and 256 for \fIcreate\fR. .TP .B "\-\-size, \-b" -force the size of the underlaying device in sectors. +force the size of the underlying device in sectors. .TP .B "\-\-offset, \-o" -start offset in the backend device. +start offset in the back-end device. .TP .B "\-\-skip, \-p" -how many sectors of the encrypted data to skip at the beginning. This is different from the \-\-offset options with respect to IV calculations. Using \-\-offset will shift the IV calculcation by the same negative amount. Hence, if \-\-offset \fIn\fR, sector \fIn\fR will be the first sector on the mapping with IV \fI0\fR. Using \-\-skip would have resulted in sector \fIn\fR being the first sector also, but with IV \fIn\fR. +how many sectors of the encrypted data to skip at the beginning. This is different from the \-\-offset options with respect to IV calculations. Using \-\-offset will shift the IV calculation by the same negative amount. Hence, if \-\-offset \fIn\fR, sector \fIn\fR will be the first sector on the mapping with IV \fI0\fR. Using \-\-skip would have resulted in sector \fIn\fR being the first sector also, but with IV \fIn\fR. .TP .B "\-\-readonly" setup a read-only mapping. .TP .B "\-\-iter-time, \-i" -The number of microseconds to spend with PBKDF2 password processing. This options is only relevant to LUKS key setting operations as \fIluksFormat\fR or \fIluksAddKey\fR. +The number of microseconds to spend with PBKDF2 password processing. This option is only relevant to LUKS key setting operations as \fIluksFormat\fR or \fIluksAddKey\fR. .TP .B "\-\-batch-mode, \-q" Do not ask for confirmation. This option is only relevant for \fIluksFormat\fR. .TP .B "\-\-timeout, \-t" -The number of seconds to wait before timeout. This option is relevant evertime a password is asked, like \fIcreate\fR, \fIluksOpen\fR, \fIluksFormat\fR or \fIluksAddKey\fR. +The number of seconds to wait before timeout. This option is relevant every time a password is asked, like \fIcreate\fR, \fIluksOpen\fR, \fIluksFormat\fR or \fIluksAddKey\fR. It has no effect if used in conjunction with \-\-key-file. .TP .B "\-\-tries, \-T" -How often the input of the passphrase shall be retried. This option is relevant evertime a password is asked, like \fIcreate\fR, \fIluksOpen\fR, \fIluksFormat\fR or \fIluksAddKey\fR. The default is 3 tries. +How often the input of the passphrase shall be retried. This option is relevant every time a password is asked, like \fIcreate\fR, \fIluksOpen\fR, \fIluksFormat\fR or \fIluksAddKey\fR. The default is 3 tries. .TP .B "\-\-align-payload=\fIvalue\fR" Align payload at a boundary of \fIvalue\fR 512-byte sectors. This option is relevant for \fIluksFormat\fR. If your block device lives on a RAID it is @@ -125,14 +127,16 @@ in the mkfs.xfs manual page. By default .B "\-\-version" Show the version. -.SH NOTES ON PASSWORD PROCESSING FOR REGULAR MAPPINGS -\fIFrom a file descriptor or a terminal\fR: Password processing is new-line sensitive, meaning the reading will stop after encountering \\n. It will processed the read material with the default hash or the hash given by \-\-hash. After hashing it will be cropped to the key size given by \-s (default 256 bits). +.SH NOTES ON PASSWORD PROCESSING +\fIFrom a file descriptor or a terminal\fR: Password processing is new-line sensitive, meaning the reading will stop after encountering \\n. It will processed the read material (without newline) with the default hash or the hash given by \-\-hash. After hashing it will be cropped to the key size given by \-s. -\fIFrom stdin\fR: Reading will continue until EOF (so using e.g. /dev/random as stdin will not work). After that the read data will be hashed with the default hash or the hash given by \-\-hash and the result will be cropped to the keysize given by \-s (default 256 bits). If "plain" is used as an argument to the hash option, the input data will not be hashed. Instead it will be zero padded (if shorter than the keysize) or truncated (if longer than the keysize) and used directly as the key. No warning will be given if the amount of data read from stdin is less than the keysize. +\fIFrom stdin\fR: Reading will continue until EOF (so using e.g. /dev/random as stdin will not work), with the trailing newline stripped. After that the read data will be hashed with the default hash or the hash given by \-\-hash and the result will be cropped to the keysize given by \-s. If "plain" is used as an argument to the hash option, the input data will not be hashed. Instead it will be zero padded (if shorter than the keysize) or truncated (if longer than the keysize) and used directly as the key. No warning will be given if the amount of data read from stdin is less than the keysize. \fIFrom a key file\fR: It will be cropped to the size given by \-s. If there is insufficient key material in the key file, cryptsetup will quit with an error. + +If \-\-key-file=- is used for reading the key from stdin, no trailing newline is stripped from the input. Without that option, cryptsetup strips trailing newlines from stdin input. .SH NOTES ON PASSWORD PROCESSING FOR LUKS -Password processing is totally different for LUKS. LUKS uses PBKDF2 to protect against dictionary attacks (see RFC 2898). +LUKS uses PBKDF2 to protect against dictionary attacks (see RFC 2898). LUKS will always use SHA1 in HMAC mode, and no other mode is supported at the moment. Hence, \-h is ignored. @@ -143,15 +147,15 @@ Therefore, no options can be given to lu For any password creation action (luksAddKey, or luksFormat), the user specify, how much the time the password processing should consume. Increasing the time will lead to a more secure password, but also will take luksOpen longer to complete. The default setting of one second is sufficient for good security. .SH NOTES ON PASSWORDS -Mathematic can't be bribed. Make sure you keep your passwords safe. There are a few nice tricks for constructing a fallback, when suddely out of (or after being) blue, your brain refuses to cooperate. These fallbacks are possible with LUKS, as it's only possible with LUKS to have multiple passwords. +Mathematics can't be bribed. Make sure you keep your passwords safe. There are a few nice tricks for constructing a fallback, when suddnely out of (or after being) blue, your brain refuses to cooperate. These fallbacks are possible with LUKS, as it's only possible with LUKS to have multiple passwords. .SH AUTHORS cryptsetup is written by Christophe Saout <[EMAIL PROTECTED]> .br LUKS extensions, and man page by Clemens Fruhwirth <[EMAIL PROTECTED]> -.SH "COMPATABILITY WITH OLD SUSE TWOFISH PARTITIONS" -To read images created with SuSE Linux 9.2's loop_fish2 use --cipher -twofish-cbc-null -s 256 -h sha512, for images created with even -older SuSE Linux use --cipher twofish-cbc-null -s 192 -h +.SH "COMPATIBILITY WITH OLD SUSE TWOFISH PARTITIONS" +To read images created with SuSE Linux 9.2's loop_fish2 use \-\-cipher +twofish-cbc-null \-s 256 \-h sha512, for images created with even +older SuSE Linux use \-\-cipher twofish-cbc-null \-s 192 \-h ripemd160:20 .SH "REPORTING BUGS" Report bugs to <[EMAIL PROTECTED]>.
