Generating cryptsetup commands for encrypted volumes

Use the zkey cryptsetup command to generate cryptsetup plainOpen, cryptsetup luksOpen, or cryptsetup luksFormat commands for volumes that are associated with secure keys contained in the secure key repository.

  • For LUKS2 volumes, the zkey cryptsetup command generates cryptsetup luksFormat commands.
  • With option --open, the command generates cryptsetup luksOpen commands for LUKS2 volumes, or cryptsetup plainOpen commands for plain mode volumes (the same as without the --open option).
  • For plain mode volumes, this command only generates cryptsetup plainOpen commands.
  • With the --format option, the generated commands are limited to cryptsetup luksFormat commands for LUKS2 volumes; plain mode volumes are skipped. Without the --format and --volume-type options, zkey cryptsetup generates the commands depending on the detected volume type:
    • For PLAIN volumes, a cryptsetup plainOpen command is generated.
    • For LUKS2 volumes, a cryptsetup luksFormat command is generated.

Specify the --volumes option to limit the list of volumes for which cryptsetup commands are generated. You can use wildcards; when wildcards are used, you must quote the value. The device-mapper name of an associated volume can be omitted. If it is specified, only those volumes with the specified volume and device-mapper name are selected. Specify the --volume-type option to generate cryptsetup commands for the specified volume type only. Specify the --run option to run the generated cryptsetup commands.

For LUKS2 volumes, a passphrase is required. You are prompted for the passphrase when running the generated commands, unless option --key-file is specified. Option --tries specifies how many times a passphrase can be reentered. When option --key-file is specified, the passphrase is read from the specified file. You can specify options --keyfile-offset and --keyfile-size to control which part of the key file is used as the passphrase. These options are only available if zkey has been compiled with LUKS2 support enabled.

To avoid cryptsetup confirmation questions, you can specify the --batch-mode option.

All these options are passed on to the generated cryptsetup command(s) and behave in the same way as when cryptsetup is invoked directly.

Examples:

- for volume type LUKS2

# zkey cryptsetup
# zkey cryptsetup --volumes /dev/mapper/disk1
# zkey cryptsetup --volume-type luks2

cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 \
                      --master-key-file '/etc/zkey/repository/secure_xtskey1.skey' \
                      --key-size 2176 --cipher paes-xts-plain64 \
                      --sector-size 4096 /dev/mapper/disk1
zkey-cryptsetup setvp /dev/mapper/disk1

- for volume type PLAIN

# zkey cryptsetup --volume-type plain

cryptsetup plainOpen --key-file '/etc/zkey/repository/secure_xtskey2.skey' \
                     --key-size 2176 \
                     --cipher paes-xts-plain64 /dev/mapper/disk2 enc-disk2

- for volume type LUKS2, reading the passphrase from a key file, and running the generated commands in batch mode. The assumed content of the /etc/luks2-keys/passphrases.txt key file is:

abcdefgh ijklmnop qrstuvw xyzabcde fghijklm nopqrstu

The targeted passphrase xyzabcde starts at offset 27.

# zkey cryptsetup --volumes /dev/mapper/disk1 --key-file /etc/luks2-keys/passphrases.txt \
                  --keyfile-offset 27 --keyfile-size 8 --batch-mode

cryptsetup luksFormat -q --type luks2 \
                      --master-key-file '/etc/zkey/repository/secure_xtskey1.skey' \
                      --key-size 2176 --cipher paes-xts-plain64 --pbkdf pbkdf2 \
                      --key-file '/etc/luks2-keys/passphrases.txt' --keyfile-offset 27 \
                      --keyfile-size 8 --sector-size 4096 /dev/mapper/disk1

zkey-cryptsetup setvp /dev/mapper/disk1 --key-file /etc/luks2-keys/passphrases.txt --keyfile-offset 27 \
                      --keyfile-size 8
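As an added example (not from the zkey documentation or the zkey tool itself): a POSIX shell pre-flight check that reads the --key-file, --keyfile-offset and --keyfile-size options out of a generated luksFormat command and shows which bytes of the key file cryptsetup will use as the passphrase, so the slice can be verified before the command is run with --run. The key file content, its temporary path and the generated command are constructed stand-ins; the slicing assumes cryptsetup's documented behaviour of skipping --keyfile-offset bytes and then reading --keyfile-size bytes.

```shell
#!/bin/sh
# Added example, not part of the zkey documentation or the zkey tool: before
# running a generated luksFormat command, check which bytes of the key file
# cryptsetup will use as the passphrase for the given --keyfile-offset and
# --keyfile-size (assumed semantics: skip offset bytes, then read size bytes).

# Return the byte range [offset, offset+size) of a key file.
passphrase_from_keyfile() {
    # $1 = key file, $2 = offset in bytes, $3 = size in bytes
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# Extract --key-file, --keyfile-offset and --keyfile-size from a cryptsetup
# command line (backslash-continued lines allowed); prints "file offset size",
# with "-" for a missing file or size and 0 for a missing offset.
keyfile_args_from_cmd() {
    # Drop trailing backslashes and join all lines into one.
    joined=$(printf '%s\n' "$1" | sed 's/\\$//' | tr '\n' ' ')
    file=$(printf '%s\n' "$joined" | sed -n "s/.*--key-file '*\([^' ]*\)'*.*/\1/p")
    off=$(printf '%s\n' "$joined" | sed -n 's/.*--keyfile-offset \([0-9]*\).*/\1/p')
    size=$(printf '%s\n' "$joined" | sed -n 's/.*--keyfile-size \([0-9]*\).*/\1/p')
    printf '%s %s %s\n' "${file:--}" "${off:-0}" "${size:--}"
}

# Given a generated cryptsetup command, print the passphrase bytes it would use,
# or fail if the key file is missing/unreadable or no --keyfile-size was given.
passphrase_for_cmd() {
    set -- $(keyfile_args_from_cmd "$1")     # now $1=file $2=offset $3=size
    [ "$1" != - ] && [ -r "$1" ] || { echo "key file '$1' not readable" >&2; return 1; }
    [ "$3" != - ] || { echo "no --keyfile-size given" >&2; return 1; }
    passphrase_from_keyfile "$1" "$2" "$3"
}

# Constructed sample key file (hypothetical path under a temp dir): six 8-byte
# words separated by single spaces, so "yzabcdef" starts at byte offset 27.
KEYFILE_DIR=$(mktemp -d)
trap 'rm -rf "$KEYFILE_DIR"' EXIT
KEYFILE="$KEYFILE_DIR/passphrases.txt"
printf '%s' 'abcdefgh ijklmnop qrstuvwx yzabcdef ghijklmn opqrstuv' > "$KEYFILE"
chmod 600 "$KEYFILE"

# Constructed stand-in for what 'zkey cryptsetup --key-file ... --keyfile-offset 27
# --keyfile-size 8 --batch-mode' would print; zkey itself is not run here.
GENERATED_CMD="cryptsetup luksFormat -q --type luks2 \\
                      --key-file '$KEYFILE' --keyfile-offset 27 \\
                      --keyfile-size 8 --sector-size 4096 /dev/mapper/disk1"

echo "passphrase bytes cryptsetup would read: $(passphrase_for_cmd "$GENERATED_CMD")"
```

In practice you would capture the output of zkey cryptsetup (without --run) into a file, pass each luksFormat line through passphrase_for_cmd, and only then rerun with --run; an off-by-one in --keyfile-offset would otherwise format the volume with a passphrase that no longer matches what you expect to supply later.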