pmt-ehd - create an encrypted disk image
pmt-ehd [-DFx] [-c fscipher] [-h hash] [-k fscipher_keybits] [-t fstype] [-H header_path] -f container_path -s size_in_mb
Mandatory options that are absent are inquired interactively, and pmt-ehd will
exit if stdin is not a terminal.
- -D
  Turn on debugging strings.

- -F
  Force an operation that would otherwise ask for interactive confirmation.
  Multiple -F can be specified to apply more force.

- -c cipher
  The cipher to be used for the filesystem. This can take any value that
  cryptsetup(8) recognizes, usually in the form of "cipher-mode[-extras]".
  Recommended are aes-cbc-essiv:sha256 (this is the default) or
  aes-xts-essiv:sha256.

- -f path
  Store the new disk image at path. If the file already exists, pmt-ehd will
  prompt before overwriting unless -F is given. If path refers to a symlink,
  pmt-ehd will act even more cautiously.

- -H path
  Store a detached (separate) metadata file with a new LUKS header at path.
  If the file already exists, pmt-ehd will prompt before overwriting unless
  -F is given. If path refers to a symlink, pmt-ehd will act even more
  cautiously. The default is to not use a detached header. Correlates with
  the `cryptsetup --header` option.

- -h hash
  Message digest/hash used for key derivation in the PBKDF2 stage. The
  default is sha512.

- -i cipher
  (This option was removed in pam_mount/pmt_ehd 2.11.)

- -k keybits
  The keysize for the cipher specified with -c. Some ciphers support
  multiple keysizes; AES, for example, is available with at least the
  keysizes 192 and 256. Defaults to 256 (to match aes-cbc-essiv). Note that
  XTS uses two keys, drawn from the same key material, so aes-cbc-256 is
  equivalent to aes-xts-512, and aes-cbc-128 to aes-xts-256.

- -p path
  (This option was removed in pam_mount/pmt_ehd 2.11.)

- -s size
  The initial size of the encrypted filesystem, in megabytes. This option is
  ignored when the filesystem is created on a block device.

- -t fstype
  Filesystem to use for the encrypted filesystem. Defaults to xfs.

- -u user
  Give the container and fskey files to user (because the program usually
  runs as root, and the files would otherwise retain root ownership).

- -x
  Do not initialize the container with random bytes. This may impact
  secrecy.
pmt-ehd can be used to create a new encrypted container, and replaces the
previous mkehd script as well as any HOWTOs that explain how to do it
manually. Without any arguments, pmt-ehd will interactively ask for all
missing parameters. To create a container with a size of 256 MB, use:
pmt-ehd -f /home/user.cont -s 256
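The following is an added example, not part of pmt-ehd or the pam_mount sources: a small POSIX shell pre-flight check that encodes two rules stated above before a container is created. `effective_keybits` applies the -k note (XTS draws two keys from the same material, so aes-cbc-256 corresponds to aes-xts-512), and `path_check` applies the -f/-H rule that an existing target needs -F and a symlink target needs even more caution. The function names, and the assumption that a symlink requires two levels of force where a plain existing file requires one, are this example's own; the page itself only says pmt-ehd is "even more cautious" about symlinks.

```sh
#!/bin/sh
# Added example (hypothetical helpers, not pmt-ehd's own code).

# effective_keybits CIPHER KEYBITS
# Prints the key size that corresponds to KEYBITS of single-key strength:
# for an XTS mode the value is doubled, since XTS draws two keys from the
# same key material (aes-cbc-256 <-> aes-xts-512, aes-cbc-128 <-> aes-xts-256).
effective_keybits() {
    cipher=$1
    bits=$2
    case "$cipher" in
        *-xts*) echo $((bits * 2)) ;;
        *)      echo "$bits" ;;
    esac
}

# path_check PATH FORCE_LEVEL
# Mirrors the -f/-H overwrite rule. FORCE_LEVEL is the number of -F flags.
# Returns:
#   0  safe to create PATH (it does not exist, or enough force was given)
#   1  PATH already exists as a regular file/directory and FORCE_LEVEL < 1
#   2  PATH is a symlink and FORCE_LEVEL < 2 (assumption: symlinks need
#      one more level of force than a plain existing file)
path_check() {
    p=$1
    force=${2:-0}
    if [ -L "$p" ]; then
        [ "$force" -ge 2 ] && return 0
        return 2
    fi
    if [ -e "$p" ]; then
        [ "$force" -ge 1 ] && return 0
        return 1
    fi
    return 0
}

# Constructed usage: check a target path, then report the key size a
# 256-bit AES-XTS request amounts to. Replace the path with your own.
preflight() {
    target=$1
    force=${2:-0}
    path_check "$target" "$force"
    rc=$?
    case $rc in
        0) echo "ok: $target may be created" ;;
        1) echo "refusing: $target exists (add -F to overwrite)" ;;
        2) echo "refusing: $target is a symlink (needs more force)" ;;
    esac
    echo "aes-xts-essiv:sha256 at -k 256 is $(effective_keybits aes-xts-essiv:sha256 256) bits of key material"
    return $rc
}
```

Run `preflight /home/user.cont 0` before the `pmt-ehd -f /home/user.cont -s 256` invocation shown above; a non-zero return means pmt-ehd would prompt (or, without a terminal on stdin, exit) for that path.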