Provided by: cryptsetup-bin_1.6.1-1ubuntu1_i386 bug

NAME

       cryptsetup-reencrypt - tool for offline LUKS device re-encryption

SYNOPSIS

       cryptsetup-reencrypt <options> <device>

DESCRIPTION

       Cryptsetup-reencrypt  can  be  used  to  change reencryption parameters
       which otherwise require full on-disk data change (re-encryption).

       You can regenerate volume key (the real key used in on-disk  encryption
       unclocked by passphrase), cipher, cipher mode.

       Cryptsetup-reencrypt  reencrypts  data  on LUKS device in-place. During
       reencryption process the LUKS device is marked unavailable.

       WARNING: The cryptsetup-reencrypt program is not resistant to  hardware
       or  kernel  failures during reencryption (you can lose you data in this
       case).

       ALWAYS BE SURE YOU HAVE RELIABLE BACKUP BEFORE USING THIS TOOL.
       THIS TOOL IS EXPERIMENTAL.

       The reencryption can be temporarily suspended (by  TERM  signal  or  by
       using   ctrl+c)   but   you   need  to  retain  temporary  files  named
       LUKS-<uuid>.[log|org|new].    LUKS   device   is   unavailable    until
       reencryption is finished though.

       Current  working directory must by writable and temporary files created
       during reencryption must be present.

       For more info about LUKS see cryptsetup(8).

OPTIONS

       To start (or continue) re-encryption for <device> use:

       cryptsetup-reencrypt <device>

       <options> can be [--block-size, --cipher, --hash,  --iter-time,  --use-
       random   |  --use-urandom,  --key-file,  --key-slot,  --keyfile-offset,
       --keyfile-size, --tries, --use-directio, --use-fsync, --write-log]

       For detailed  description  of  encryption  and  key  file  options  see
       cryptsetup(8) man page.

       --verbose, -v
              Print more information on command execution.

       --debug
              Run  in debug mode with full diagnostic logs. Debug output lines
              are always prefixed by '#'.

       --cipher, -c <cipher-spec>
              Set the cipher specification string.

       --key-size, -s <bits>
              Set key size in bits. The argument has to be a multiple of  8.

              The possible key-sizes are limited by the cipher and mode used.

              If you are increasing key size, there must be  enough  space  in
              the LUKS header for enlarged keyslots (data offset must be large
              enough) or reencryption cannot be performed.

              If there is not enough space for keyslots with new key size, you
              can   destructively   shrink  device  with  --reduce-device-size
              option.

       --hash, -h <hash-spec>
              Specifies the hash used in the LUKS key setup scheme and  volume
              key digest.

       --iter-time, -i <milliseconds>
              The  number  of  milliseconds  to  spend  with PBKDF2 passphrase
              processing for the new LUKS header.

       --use-random

       --use-urandom
              Define which kernel random number  generator  will  be  used  to
              create the volume key.

       --key-file, -d name
              Read the passphrase from file.

              WARNING:  --key-file  option  can be used only if there only one
              active keyslot, or alternatively, also if --key-slot  option  is
              specified  (then all other keyslots will be disabled in new LUKS
              device).

              If this option is not used, cryptsetup-reencrypt  will  ask  for
              all active keyslot passphrases.

       --key-slot, -S <0-7>
              Specify which key slot is used.

              WARNING:  All  other keyslots will be disabled if this option is
              used.

       --keyfile-offset value
              Skip value bytes at the beginning of the key file.

       --keyfile-size, -l
              Read a maximum of value bytes from the key file.  Default is  to
              read the whole file up to the compiled-in maximum.

       --tries, -T
              Number of retries for invalid passphrase entry.

       --block-size, -B value
              Use re-encryption block size of <value> in MiB.

              Values can be between 1 and 64 MiB.

       --device-size size[units]
              Instead of real device size, use specified value.

              It  means that only specified area (from the start of the device
              to the specified size) will be reencrypted.

              WARNING: This is destructive operation.

              If no unit suffix is specified, the size is in bytes.

              Unit  suffix  can  be  S  for  512  byte  sectors,  K/M/G/T  (or
              KiB,MiB,GiB,TiB)  for  units  with  1024 base or KB/MB/GB/TB for
              1000 base (SI scale).

              WARNING: This is destructive operation.

       --reduce-device-size size[units]
              Enlarge data offset to specified value by shrinking device size.

              This means that last sectors on  the  original  device  will  be
              lost,  ciphertext  data will be effectively shifted by specified
              number of sectors.

              It can be usefull if you e.g. added  some  space  to  underlying
              partition (so last sectors contains no data).

              For units suffix see --device-size parameter description.

              WARNING:  This  is destructive operation and cannot be reverted.
              Use  with  extreme  care  -  shrinked  filesystems  are  usually
              unrecoverable.

              You cannot shrink device more than by 64 MiB (131072 sectors).

       --new, N
              Create new header (encrypt not yet encrypted device).

              This option must be used together with --reduce-device-size.

              WARNING: This is destructive operation and cannot be reverted.

       --use-directio
              Use direct-io (O_DIRECT) for all read/write data operations.

              Usefull  if  direct-io  operations  perform  better  than normal
              buffered operations (e.g. in virtual environments).

       --use-fsync
              Use fsync call after every written block.

       --write-log
              Update log file after every block  write.  This  can  slow  down
              reencryption  but  will minimize data loss in the case of system
              crash.

       --batch-mode, -q
              Suppresses all warnings and reencryption progress output.

       --version
              Show the program version.

RETURN CODES

       Cryptsetup-reencrypt returns 0 on  success  and  a  non-zero  value  on
       error.

       Error  codes are: 1 wrong parameters, 2 no permission, 3 out of memory,
       4 wrong device specified, 5 device already exists or device is busy.

EXAMPLES

       Reencrypt /dev/sdb1 (change volume key)
              cryptsetup-reencrypt /dev/sdb1

       Reencrypt and also change cipher and cipher mode
              cryptsetup-reencrypt /dev/sdb1 -c aes-xts-plain64

       Add LUKS encryption to not yet encrypted device

              First, be sure you have space added to disk.   Or  alternatively
              shrink filesystem in advance.
              Here we need 4096 512-bytes sectors (enough for 2x128 bit key).

              fdisk -u /dev/sdb # move sdb1 partition end + 4096 sectors

              cryptsetup-reencrypt /dev/sdb1 --new --reduce-device-size 4096

REPORTING BUGS

       Report  bugs,  including  ones  in the documentation, on the cryptsetup
       mailing list at <dm-crypt@saout.de> or in the 'Issues' section on  LUKS
       website.   Please  attach  the  output  of  the failed command with the
       --debug option added.

AUTHORS

       Cryptsetup-reencrypt was written by Milan Broz <gmazyland@gmail.com>.

COPYRIGHT

       Copyright © 2012 Milan Broz
       Copyright © 2012 Red Hat, Inc.

       This is free software; see the source for copying conditions.  There is
       NO  warranty;  not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.

SEE ALSO

       The project website at http://code.google.com/p/cryptsetup/