Commit 2dd46096 authored by Ondrej Kozina's avatar Ondrej Kozina Committed by Milan Broz

Implement cryptsetup refresh action (open --refresh alias).

It allows active device refresh with new activation
parameters. It's supported for LUKS1, LUKS2, crypt plain
and loop-AES devices.
parent 5c67ca01
......@@ -130,6 +130,36 @@ With LUKS2 device additional \fB<options>\fR can be [\-\-token\-id, \-\-token\-o
\-\-key\-slot, \-\-key\-file, \-\-keyfile\-size, \-\-keyfile\-offset, \-\-timeout,
\-\-disable\-locks, \-\-disable\-keyring].
\fIrefresh\fR <name>
Refreshes parameters of active mapping <name>.
Updates parameters of active device <name> without need to deactivate the device
(and umount filesystem). Currently it supports parameters refresh on following
devices: LUKS1, LUKS2 (including authenticated encryption), plain crypt
and loopaes.
Mandatory parametrs are identical to those of an open action for respective
device type.
You may change following parameters on all devices \-\-perf\-same_cpu_crypt,
\-\-perf\-submit_from_crypt_cpus and \-\-allow\-discards.
Refreshing device without any optional parameter will refresh the device
with default setting (respective to device type).
\fBLUKS2 only:\fR
\-\-integrity\-no\-journal parameter affects only LUKS2 devices with
underlying dm-integrity device.
Adding option \-\-persistent stores any combination of device parameters
above in LUKS2 metadata (only after succesfull refresh operation).
\-\-disable\-keyring parameter refreshes a device with volume key passed
in dm-crypt driver.
Plain dm-crypt encrypts the device sector-by-sector with a
single, non-salted hash of the passphrase. No checks
......@@ -148,7 +178,8 @@ Opens (creates a mapping with) <name> backed by device <device>.
\fB<options>\fR can be [\-\-hash, \-\-cipher, \-\-verify-passphrase,
\-\-sector\-size, \-\-key-file, \-\-keyfile-offset, \-\-key-size,
\-\-offset, \-\-skip, \-\-size, \-\-readonly, \-\-shared, \-\-allow\-discards]
\-\-offset, \-\-skip, \-\-size, \-\-readonly, \-\-shared, \-\-allow\-discards,
Example: 'cryptsetup open \-\-type plain /dev/sda10 e1' maps the raw
encrypted device /dev/sda10 to the mapped (decrypted) device
......@@ -244,7 +275,7 @@ the command prompts for it interactively.
\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
\-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
\-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type].
\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type, \-\-refresh].
\fIluksSuspend\fR <name>
......@@ -552,7 +583,7 @@ passphrase hashing (otherwise it is detected according to key
\fB<options>\fR can be [\-\-key\-file, \-\-key\-size, \-\-offset, \-\-skip,
\-\-hash, \-\-readonly, \-\-allow\-discards].
\-\-hash, \-\-readonly, \-\-allow\-discards, \-\-refresh].
See also section 7 of the FAQ and \fB\fR
for more information regarding loop-AES.
......@@ -1169,6 +1200,10 @@ Only \fI\-\-allow-discards\fR, \fI\-\-perf\-same_cpu_crypt\fR,
\fI\-\-perf\-submit_from_crypt_cpus\fR and \fI\-\-integrity\-no\-journal\fR
can be stored persistently.
.B "\-\-refresh"
Refreshes an active device with new set of parameters. See action \fIrefresh\fR description
for more details.
.B "\-\-label <LABEL>"
.B "\-\-subsystem <SUBSYSTEM>"
Set label and subsystem description for LUKS2 device, can be used
This diff is collapsed.
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment