pmt-ehd(8) [suse man page]

pmt-ehd(8)							     pam_mount								pmt-ehd(8)

Name
       pmt-ehd - create an encrypted disk image

Syntax
       pmt-ehd [-DFx] [-c fscipher] [-h digest] [-i cipher] [-k fscipher_keybits] [-t fstype] -f container_path -p fskey_path -s size_in_mb

Options
       Mandatory options that are absent are prompted for interactively, and pmt-ehd will exit if stdin is not a terminal.

       -D     Turn on debugging strings.

       -F     Force operation that would otherwise ask for interactive confirmation. Multiple -F can be specified to apply more force.

       -c cipher
	      The cipher to be used for the filesystem. This can take any value that cryptsetup(8) recognizes, usually in the form of
	      "cipher-mode[-extras]". Recommended are aes-cbc-essiv:sha256 (this is the default) or blowfish-cbc-essiv:sha256.

       -f path
	      Store the new disk image at path. If the file already exists, pmt-ehd will prompt before overwriting unless -F is given. If path
	      refers to a symlink, pmt-ehd will act even more cautiously.

       -h digest
	      Digest used for fskey derivation from the password. This can take any value that OpenSSL recognizes. The default is sha1.

       -i cipher
	      Cipher  used  for the filesystem key (not the encrypted filesystem itself). This can take any value that OpenSSL recognizes, usually
	      in the form of "cipher-keysize-mode". Recommended is aes-256-cbc (this is the default).

       -k keybits
	      The keysize for the cipher specified with -c. Some ciphers support multiple keysizes; AES, for example, is available with at least
	      the keysizes 192 and 256. Example: -c aes-cbc-essiv:sha256 -k 192. The default is 256.

       -p path
	      Store  the filesystem key at path. The filesystem key is the ultimate key to open the encrypted filesystem, and the fs key itself is
	      encrypted with your password.

       -s size
	      The initial size of the encrypted filesystem, in megabytes. This option is ignored when the filesystem is created on a block device.

       -t fstype
	      Filesystem to use for the encrypted filesystem. Defaults to xfs.

       -u user
	      Give the container and fskey files to user (because the program is usually run as root, and the files would otherwise retain root
	      ownership).

       -x     Do not initialize the container with random bytes. This may impact secrecy.

Description
       pmt-ehd	can  be used to create a new encrypted container, and replaces the previous mkehd script as well as any HOWTOs that explain how to
       do it manually.	Without any arguments, pmt-ehd will interactively ask for all missing parameters. To create a container with a size of 256
       MB, use:

       pmt-ehd -f /home/user.enc -p /home/user.key -s 256

pam_mount							    2008-09-16								pmt-ehd(8)


mount.crypt(8)							     pam_mount							    mount.crypt(8)

Name
       mount.crypt - mount a dm-crypt encrypted volume

Syntax
       mount.crypt [-nrv] [-o options] device directory

Options
       -o options
	      Set further mount options. mount.crypt will take out the options it recognizes and pass any remaining options on to the
	      underlying mount program. See below for possible options.

       -n     Do not update /etc/mtab. Note that this makes it impossible to unmount the volume by naming the container - you will  have  to  pass
	      the mountpoint to umount.crypt.

       -r     Set up the loop device (if necessary) and crypto device in read-only mode. (The mount itself will necessarily also be read-only.)
	      Note that doing a remount using `mount /mnt -o remount,rw` will not make the mount read-write. The crypto and loop devices will have
	      to be disassociated first.

       -v     Turn on debugging and be a bit more verbose.

Mount options
       cipher The  cryptsetup  cipher used for the encrypted volume. This option is mandatory for PLAIN (non-LUKS) volumes. pmt-ehd(8) defaults to
	      creating volumes with "aes-cbc-essiv:sha256" as a cipher.

       crypto_name
	      Select the name for the crypto device (optional). This option is currently only usable with dm-crypt systems.

       fsck   Run fsck on the container before mounting it.

       fsk_cipher
	      The OpenSSL cipher used for the filesystem key. The special keyword "none" can be used to bypass decryption and pass the file
	      contents directly to libcryptsetup.

       fsk_hash
	      The OpenSSL hash used for producing key and IV.

       fstype The exact type of filesystem in the encrypted container. The default is to let the kernel autodetect.

       hash   The  cryptsetup  hash  used for the encrypted volume. This defaults to no hashing, because pam_mount assumes EHD volumes with strong
	      and simple fskey generation.

       keyfile
	      The path to the key file. This option is mandatory for "normal" crypto volumes and should not be used for LUKS volumes.

       remount
	      Causes the filesystem to be remounted with new options. Note that mount.crypt cannot switch the underlying loop device (if
	      applicable) or the crypto device between read-only and read-write once it is created; only the actual filesystem mount can be
	      changed, with limits. If the loop device is read-only, the crypto device will be read-only, and changing the mount to read-write
	      is impossible. Similarly, going from rw to ro will only mark the mount read-only, but not the crypto or loop device, thus making
	      it impossible to set the filesystem the crypto container is located on to read-only.

       ro     Same as the -r option.

       verbose
	      Same as the -v option.

Obsolete mount options
       This section is provided for reference.

       loop   This option used to set up a loop device, because cryptsetup(8) expects a block device. The option is  ignored  because  mount.crypt
	      can figure this out on its own.
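
An added example, not part of the pam_mount man pages: the values given to pmt-ehd at creation (-c, -i, -h, -t, -p) are the ones mount.crypt later needs as cipher, fsk_cipher, fsk_hash, fstype and keyfile, so this script keeps them in one place, checks the target paths, and prints matching commands. The paths, the user name alice and the function names are constructed for illustration, and the pairing of flags to mount options is inferred from the two option lists above.

```shell
#!/bin/sh
# Added example, not from the pam_mount distribution. It only prints the
# commands; run the printed lines as root. Paths and user are sample values.

# One definition per parameter: each value feeds a pmt-ehd flag and the
# mount.crypt option documented for the same thing.
FS_CIPHER="aes-cbc-essiv:sha256"   # pmt-ehd -c  / mount.crypt cipher=
FSK_CIPHER="aes-256-cbc"           # pmt-ehd -i  / mount.crypt fsk_cipher=
FSK_HASH="sha1"                    # pmt-ehd -h  / mount.crypt fsk_hash=
FSTYPE="xfs"                       # pmt-ehd -t  / mount.crypt fstype=

# Refuse targets that would make pmt-ehd prompt (existing file) or that
# are symlinks, so an unattended call never needs -F.
ehd_preflight() {   # args: container_path fskey_path
    for p in "$1" "$2"; do
        if [ -L "$p" ]; then echo "refusing symlink: $p" >&2; return 1; fi
        if [ -e "$p" ]; then echo "already exists: $p" >&2; return 1; fi
    done
    [ "$1" != "$2" ] || { echo "container and key path are identical" >&2; return 1; }
}

# Creation command with every parameter spelled out instead of defaulted.
ehd_create_cmd() {  # args: container_path fskey_path size_mb user
    printf 'pmt-ehd -c %s -i %s -h %s -t %s -f %s -p %s -s %s -u %s\n' \
        "$FS_CIPHER" "$FSK_CIPHER" "$FSK_HASH" "$FSTYPE" "$1" "$2" "$3" "$4"
}

# Mount command whose -o string repeats the creation parameters.
ehd_mount_cmd() {   # args: container_path fskey_path mountpoint [ro]
    opts="cipher=$FS_CIPHER,fsk_cipher=$FSK_CIPHER,fsk_hash=$FSK_HASH"
    opts="$opts,keyfile=$2,fstype=$FSTYPE"
    if [ "${4:-}" = "ro" ]; then opts="$opts,ro"; fi
    printf 'mount.crypt -o %s %s %s\n' "$opts" "$1" "$3"
}

# Dry run with constructed sample values.
if ehd_preflight /srv/ehd/alice.img /srv/ehd/alice.key; then
    ehd_create_cmd /srv/ehd/alice.img /srv/ehd/alice.key 256 alice
    ehd_mount_cmd  /srv/ehd/alice.img /srv/ehd/alice.key /home/alice
fi
```

Both tools still ask for the password themselves; the script never handles it.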

pam_mount							    2011-12-15							    mount.crypt(8)