Provided by: luksmeta_8-3build1_amd64 
NAME
luksmeta - Utility for storing metadata in a LUKSv1 header
SYNOPSIS
luksmeta test -d DEVICE
luksmeta nuke -d DEVICE [-f]
luksmeta init -d DEVICE [-f] [-n]
luksmeta show -d DEVICE [-s SLOT]
luksmeta save -d DEVICE [-s SLOT] -u UUID DATA
luksmeta load -d DEVICE -s SLOT [-u UUID] DATA
luksmeta wipe -d DEVICE -s SLOT [-u UUID] [-f]
OVERVIEW
The luksmeta utility enables an administrator to store metadata in the gap between the end
of the LUKSv1 header and the start of the encrypted data. This is useful for storing data
that is available before the volume is unlocked, usually for use during the volume unlock
process.
The metadata is stored in a series of UUID-typed slots, allowing multiple blocks of
metadata. Although the luksmeta slots are inspired by the LUKS slots, they are
functionally independent and share only a casual relationship. Slots merely provide a hint
that a given chunk of metadata is associated with a specific LUKSv1 password (in a slot
with the same number). However, luksmeta itself is indifferent to the relationship between
a LUKSv1 slot and the correspondly numbered luksmeta slot, with one exception (detailed
below).
After a LUKSv1 volume is initialized using cryptsetup(8), it must also be initialized for
metadata storage by luksmeta init. Once this is complete, the device is ready to store
medata.
Data can be written to a slot using luksmeta save or read from a slot using luksmeta load.
You can also erase the data in an existing slot using luksmeta wipe or query the slots
using luksmeta show.
UUID GENERATION
It is often presumed that saving metadata to a slot requires a specific UUID or that there
is an official registry of UUID types. This is incorrect.
UUID stands for Universally Unique IDentifier. UUIDs are a standardized, widely-used data
type used for identification without a central registry. For the relevant standards, see
ISO 9834-8:2005 and RFC 4122.
UUIDs are large enough that collision is practically impossible. So if your application
wants to store data in a luksmeta slot, just generate your own UUID and use it
consistently to refer to your type of data. If you have multiple types of data, feel free
to generate multiple UUIDs.
The easiest way to generate a UUID is to use uuidgen(1). However, any compliant UUID
generator will suffice.
INITIALIZATION
Before reading or writing metadata, the LUKSv1 block device must be initialized for
metadata storage. Three commands help with this process: luksmeta test, luksmeta nuke and
luksmeta init.
The luksmeta test command simply checks an existing block device to see if it is
initialized for metadata storage. This command does not provide any output, so be sure to
check its return code (see below).
The luksmeta nuke command will zero (erase) the entire LUKSv1 header gap. Since this
operation is destructive, user confirmation will be required before clearing the gap
unless the -f option is supplied.
The luksmeta init command initializes the LUKSv1 block device for metadata storage. This
process will wipe out any data in the LUKSv1 header gap. For this reason, this command
will require user confirmation before any data is written unless the -f option is
supplied. Note that this command succeeds without any modification if the device is
already initialized. If you would like to force the creation of clean initialization
state, you can specify the -n option to nuke the LUKSv1 header gap before initialization
(but after user confirmation).
METADATA STATE
The luksmeta show command displays the current state of slots on the LUKSv1 block device.
If no slot is specified, it prints a table consisting of the slot number, the
corresponding LUKSv1 slot state and the UUID of the data stored in the luksmeta slot (or
"empty" if no data is stored). If a slot is specified, this command simply prints out the
UUID of the data in the slot. If the slot does not contain data, it prints nothing.
MANAGING METADATA
Managing the metadata in the slots is performed with three commands: luksmeta save,
luksmeta load and luksmeta wipe. These commands write metadata to a slot, read metadata
from a slot and erase metadata in a slot, respectively.
The luksmeta save command reads metadata on standard input and writes it to the specified
slot using the specified UUID. If no slot is specified, luksmeta will search for the first
slot number for which the LUKSv1 slot is inactive and the luksmeta slot is empty. This
represents the only official correlation between LUKSv1 slots and luksmeta slots. In this
case, the metadata is written to the first applicable slot using the specified UUID and
the slot number is printed to standard output. In either case, this command will never
overwrite existing data. To replace data in a slot you will need to execute luksmeta wipe
before luksmeta save.
The luksmeta load command reads data from the specified slot and writes it to standard
output. If a UUID is specified, the command will verify that the UUID associated with the
metadata in the slot matches the specified UUID. This type check helps to ensure that you
always receive the type of data you are expecting as output. If the UUIDs do not match,
the command will fail.
The luksmeta wipe command erases the data from the given slot. If a UUID is specified, the
command will verify that the UUID associated with the metadata in the slot matches the
specified UUID. This type check helps to ensure that you only erase the data you intended
to erase. Because this is a destructive operation, this command will require user
confirmation before any data is erased, unless the -f option is supplied. Note that this
command succeeds if you attempt to wipe a slot that is already empty.
CAVEATS
The amount of storage in the LUKSv1 header gap is extremely limited. It also varies based
upon the configuration used by LUKSv1 at device initialization time. In some LUKSv1
configurations, there is not even enough space for all the metadata slots even at the
smallest possible slot size.
During the design of this utility, we considered it likely that users would want to reduce
the number of usable slots in exchange for more storage space in the slots used. In order
to provide this flexibility, the amount of storage available per-slot is dynamic. Put
simply, slots are not a fixed size. This means that it is possible (and even somewhat
likely) to encounter an error during luksmeta save indicating that there is insufficient
space.
This error is not a programming bug. If you encounter this error it likely means that
either all space is being consumed by the already-written slots or that the metadata you
are attempting to write simply does not fit.
You can attempt to resolve this problem by calling luksmeta wipe on slots that are no
longer in use. This will release the storage space for use by other slots. Note that
luksmeta does not, however, currently perform defragmentation since the number of usable
blocks is rather limited. You can attempt to manually get around this by extracting all
slot data, wiping the slots and reloading them in order. However, this operation is
potentially dangerous and should be undertaken with great care.
OPTIONS
-d DEVICE, --device=DEVICE
The device on which to perform the operation.
-s SLOT, --slot=SLOT
The slot number on which to perform the operation.
-u UUID, --uuid=UUID
The UUID to associate with the operation.
-f, --force
Forcibly suppress all user prompting.
RETURN VALUES
This command uses the return values as defined by sysexit.h. The following are general
errors whose meaning is shared by all luksmeta commands:
• EX_OK : The operation was successful.
• EX_OSERR : An undefined operating system error occurred.
• EX_USAGE : The program was called with invalid parameters.
• EX_IOERR : An IO error occurred when writing to the device.
• EX_OSFILE : The device is not initialized or is corrupted.
• EX_NOPERM : The user did not grant permission during confirmation.
• EX_NOINPUT : An error occurred while reading from standard input.
• EX_DATAERR : The specified UUID does not match the slot UUID.
• EX_CANTCREAT : There is insufficient space in LUKSv1 header.
Additionally, luksmeta save will return EX_UNAVAILABLE when you attempt to save data into
a slot that is already used. Likewise, luksmeta load will return EX_UNAVAILABLE when you
attempt to read from an empty slot.
EXAMPLES
Destroy all data (including LUKSMeta data) in the LUKSv1 header gap and initialize the gap
for LUKSMeta storage:
$ luksmeta init -n -f -d /dev/sdz
If already initialized, do nothing. Otherwise, destroy all non-LUKSMeta data in the LUKSv1
header gap and initialize the gap for LUKSMeta storage:
$ luksmeta init -f -d /dev/sdz
Write some data to a slot:
$ UUID=`uuidgen`
$ echo $UUID
31c25e3b-b8e2-4eaa-a427-23aa882feef2
$ echo "Hello, World" | luksmeta save -d /dev/sdz -s 0 -u $UUID
Read the data back:
$ luksmeta load -d /dev/sdz -s 0 -u $UUID
Hello, World
Wipe the data from the slot:
$ luksmeta wipe -d /dev/sdz -s 0 -u $UUID
Erase all trace of LUKSMeta:
$ luksmeta nuke -f -d /dev/sdz
AUTHOR
Nathaniel McCallum <npmccallum@redhat.com>
SEE ALSO
cryptsetup(8), uuidgen(1)
October 2017 LUKSMETA(8)