cryptsetup.8 patch.

Hi,

here's a small patch which fixes some typos and cosmetic issues in the
manpage, as well as some content changes:

 * Explicitly mention all the defaults in the manpage.
 * Clarify that "aes-cbc-essiv:sha256" is the default.
 * Update date and cryptsetup version in the manpage.

The patch is against the manpage from 1.0.4 rc1.

A few questions:

 * -h says ripemd160 is the default (ditto cryptsetup.h), but further
   down the manpage there's this "LUKS will always use SHA1 in HMAC mode"
   and "Hence, -h is ignored". I'm confused. Did I miss something?

 * Why is 128 bits the default key length? Why not 256?
   See also http://blog.roothell.org/archives/241-Loechriger-Kaese.html#comments


HTH, Uwe.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
--- cryptsetup.8.bak	2006-05-19 17:10:05.000000000 +0200
+++ cryptsetup.8	2006-09-10 04:12:25.000000000 +0200
@@ -1,4 +1,4 @@
-.TH CRYPTSETUP "8" "March 2005" "cryptsetup 1.0.3" "Maintainance Commands"
+.TH CRYPTSETUP "8" "September 2006" "cryptsetup 1.0.4"
 .SH NAME
 cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension)
 .SH SYNOPSIS
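Review bot: the new .TH line drops the fifth argument entirely instead of correcting the spelling of "Maintainance Commands", and the description of the patch does not mention this. If the manual title should stay, keep it as "Maintenance Commands"; if the removal is intended, list it among the content changes.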
@@ -15,7 +15,7 @@
 \fIcreate\fR <name> <device>
 .IP
 creates a mapping with <name> backed by device <device>.
-<options> can be [\-\-hash, \-\-cipher, \-\-verify-passphrase, \-\-key-file, \-\-key-size, \-\-offset, \-\-skip, \-\-readonly]
+<options> can be [\-\-hash, \-\-cipher, \-\-verify-passphrase, \-\-key-file, \-\-key-size, \-\-offset, \-\-skip, \-\-readonly].
 .PP
 \fIremove\fR <name>
 .IP
@@ -31,7 +31,7 @@
 .PP
 \fIresize\fR <name>
 .IP
-resizes an active mapping <name>. <options> must include \-\-size 
+resizes an active mapping <name>. <options> must include \-\-size.
 .PP
 .br
 .SH LUKS EXTENSION
@@ -42,8 +42,8 @@
 
 \fIluksFormat\fR <device> [<key file>]
 .IP
-initializes a LUKS partition and set the initial key, either via prompting or via <key file>.
-<options> can be [\-\-cipher, \-\-verify-passphrase, \-\-key-size]
+initializes a LUKS partition and sets the initial key, either via prompting or via <key file>.
+<options> can be [\-\-cipher, \-\-verify-passphrase, \-\-key-size].
 .PP
 \fIluksOpen\fR <device> <name>
 .IP
@@ -75,14 +75,14 @@
 dumps the header information of a LUKS partition. No options.
 .PP
 
-For more information about LUKS, see \fBhttp://luks.endorphin.org\fR
+For more information about LUKS, see \fBhttp://luks.endorphin.org\fR.
 .SH OPTIONS
 .TP
 .B "\-\-hash, \-h"
 specifies hash to use for password hashing. This option is only relevant for the "create" action. The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported. Default is "ripemd160".
 .TP
 .B "\-\-cipher, \-c"
-set cipher specification string. Usually, this is "aes-cbc-plain". For pre-2.6.10 kernels, use "aes-plain" as they don't understand the new cipher spec strings. To use ESSIV, use "aes-cbc-essiv:sha256".
+set cipher specification string, for example "aes-cbc-plain". For pre-2.6.10 kernels, use "aes-plain" as they don't understand the new cipher spec strings. To use ESSIV (recommended), use "aes-cbc-essiv:sha256". Default is "aes-cbc-essiv:sha256".
 .TP
 .B "\-\-verify-passphrase, \-y"
 query for passwords twice. Useful, when creating a (regular) mapping for the first time, or when running \fIluksFormat\fR.
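Review bot: in the --cipher entry, the added "Default is "aes-cbc-essiv:sha256"" does not say which actions it applies to, while the neighbouring --hash entry is explicit that it is only relevant for "create". Since both create and luksFormat accept --cipher, state whether the default holds for both. The "(recommended)" sentence and the default sentence also name the same string twice in a row and could be merged into one.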
@@ -91,31 +91,31 @@
 use file as key material. With LUKS, key material supplied in key files via \-d are always used for existing passphrases. If you want to set a new key via a key file, you have to use a positional arg to \fIluksFormat\fR or \fIluksAddKey\fR.
 .TP
 .B "\-\-key-size, \-s"
-set key size in bits. Usually, this is 128, 192 or 256. Can be used for \fIcreate\fR or \fIluksFormat\fR, all other LUKS actions will ignore this flag, as the key-size is specified by the partition header. Default is 0.
+set key size in bits. Usually, this is 128, 192 or 256. Can be used for \fIcreate\fR or \fIluksFormat\fR, all other LUKS actions will ignore this flag, as the key-size is specified by the partition header. Default is 128.
 .TP
 .B "\-\-size, \-b"
-force the size of the underlaying device in sectors.
+force the size of the underlying device in sectors.
 .TP
 .B "\-\-offset, \-o"
 start offset in the backend device.
 .TP
 .B "\-\-skip, \-p"
-how many sectors of the encrypted data to skip at the beginning. This is different from the \-\-offset options with respect to IV calculations. Using \-\-offset will shift the IV calculcation by the same negative amount. Hence, if \-\-offset \fIn\fR, sector \fIn\fR will be the first sector on the mapping with IV \fI0\fR. Using \-\-skip would have resulted in sector \fIn\fR being the first sector also, but with IV \fIn\fR.
+how many sectors of the encrypted data to skip at the beginning. This is different from the \-\-offset options with respect to IV calculations. Using \-\-offset will shift the IV calculation by the same negative amount. Hence, if \-\-offset \fIn\fR, sector \fIn\fR will be the first sector on the mapping with IV \fI0\fR. Using \-\-skip would have resulted in sector \fIn\fR being the first sector also, but with IV \fIn\fR.
 .TP
 .B "\-\-readonly"
 setup a read-only mapping.
 .TP
 .B "\-\-iter-time, \-i"
-The number of microseconds to spend with PBKDF2 password processing. This options is only relevant to LUKS key setting operations as \fIluksFormat\fR or \fIluksAddKey\fR.
+The number of microseconds to spend with PBKDF2 password processing. This options is only relevant to LUKS key setting operations as \fIluksFormat\fR or \fIluksAddKey\fR. Default is 1000 (one second).
 .TP
 .B "\-\-batch-mode, \-q"
 Do not ask for confirmation. This option is only relevant for \fIluksFormat\fR.
 .TP
 .B "\-\-timeout, \-t"
-The number of seconds to wait before timeout. This option is relevant evertime a password is asked, like \fIcreate\fR, \fIluksOpen\fR, \fIluksFormat\fR or \fIluksAddKey\fR.
+The number of seconds to wait before timeout. This option is relevant everytime a password is asked, like \fIcreate\fR, \fIluksOpen\fR, \fIluksFormat\fR or \fIluksAddKey\fR.
 .TP
 .B "\-\-tries, \-T"
-How often the input of the passphrase shall be retried. This option is relevant evertime a password is asked, like \fIcreate\fR, \fIluksOpen\fR, \fIluksFormat\fR or \fIluksAddKey\fR. The default is 3 tries.
+How often the input of the passphrase shall be retried. This option is relevant everytime a password is asked, like \fIcreate\fR, \fIluksOpen\fR, \fIluksFormat\fR or \fIluksAddKey\fR. The default is 3 tries.
 .TP
 .B "\-\-align-payload=\fIvalue\fR"
 Align payload at a boundary of \fIvalue\fR 512-byte sectors.  This option is relevant for \fIluksFormat\fR.  If your block device lives on a RAID it is
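Review bot: the --iter-time entry still says "number of microseconds", but the added default reads "1000 (one second)"; 1000 microseconds is one millisecond, so the unit in the first sentence needs to become milliseconds if the one-second default is right. The same line keeps "This options is", and the --timeout and --tries fixes turn "evertime" into "everytime" where "every time" is meant.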
@@ -126,7 +126,7 @@
 Show the version.
 
 .SH NOTES ON PASSWORD PROCESSING FOR REGULAR MAPPINGS
-\fIFrom a file descriptor or a terminal\fR: Password processing is new-line sensitive, meaning the reading will stop after encountering \\n. It will processed the read material with the default hash or the hash given by \-\-hash. After hashing it will be cropped to the key size given by \-s (or default 256bit).
+\fIFrom a file descriptor or a terminal\fR: Password processing is new-line sensitive, meaning the reading will stop after encountering \\n. It will process the read material with the default hash or the hash given by \-\-hash. After hashing it will be cropped to the key size given by \-s (or default 256bit).
 
 \fIFrom a key file\fR: It will be cropped to the size given by \-s. If there is insufficient key material in the key file, cryptsetup will quit with an error.
 .SH NOTES ON PASSWORD PROCESSING FOR LUKS
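Review bot: the corrected sentence still ends with "(or default 256bit)", which contradicts the "Default is 128" this patch adds to the --key-size entry. The line is being touched anyway, so make the two agree, or spell out that the value differs between cases if it does.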
@@ -134,18 +134,18 @@
 LUKS will always use SHA1 in HMAC mode, and no other mode is supported at the moment. 
 Hence, \-h is ignored.
 
-LUKS will always do an exhaustive password reading. Hence, password can not be read from /dev/random, /dev/zero or any other stream, that does not terminate.
+LUKS will always do an exhaustive password reading. Hence, passwords can not be read from /dev/random, /dev/zero or any other stream, that does not terminate.
 
 LUKS saves the processing options when a password is set to the respective key slot.
-Therefore, no options can be given to luksOpen. 
-For any password creation action (luksAddKey, or luksFormat), the user specify, how much the time the password processing should consume. 
-Increasing the time will lead to a more secure password, but also will take luksOpen longer to complete. The default setting of one second is sufficient for good security.
+Therefore, no options need to be given to \fIluksOpen\fR.
+For any password creation action (\fIluksAddKey\fR, or \fIluksFormat\fR), the user specify, how much the time the password processing should consume. 
+Increasing the time will lead to a more secure password, but also will take \fIluksOpen\fR longer to complete. The default setting of one second (\fI\-i 1000\fR) is sufficient for good security.
 .SH NOTES ON PASSWORDS
-Mathematic can't be bribed. Make sure you keep your passwords save. There are a few nice tricks for constructing a fallback, when suddely out of (or after being) blue, your brain refuses to cooperate. These fallbacks are possible with LUKS, as it's only possible with LUKS to have multiple passwords.
+Mathematic can't be bribed. Make sure you keep your passwords safe. There are a few nice tricks for constructing a fallback, when suddenly out of (or after being) blue, your brain refuses to cooperate. These fallbacks are possible with LUKS, as it's only possible with LUKS to have multiple passwords.
 .SH AUTHORS
-cryptsetup is written by Christophe Saout <christophe@xxxxxxxx>
+cryptsetup is written by Christophe Saout <christophe@xxxxxxxx>.
 .br
-LUKS extensions, and man page by Clemens Fruhwirth <clemens@xxxxxxxxxxxxx>
+LUKS extensions, and man page by Clemens Fruhwirth <clemens@xxxxxxxxxxxxx>.
 .SH "REPORTING BUGS"
 Report bugs to <dm-crypt@xxxxxxxx>.
 .SH COPYRIGHT
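Review bot: changing "no options can be given to luksOpen" to "no options need to be given" alters the meaning rather than fixing a typo, and it is not listed among the content changes; please confirm which statement is correct. The next added line still reads "the user specify, how much the time" and should be reworded while it is being touched. The added "(-i 1000)" is only right if the unit given in the --iter-time entry is corrected to match one second.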

Attachment: signature.asc
Description: Digital signature
