
Provided by: libpam-mount-bin_2.20-3build2_amd64

Name

       pmt-ehd - create an encrypted disk image

Syntax

       pmt-ehd  [-DFx] [-c fscipher] [-h hash] [-k fscipher_keybits] [-t fstype] [-H header_path]
       -f container_path -s size_in_mb

Options

       Mandatory options that are absent are asked for interactively; pmt-ehd will exit if
       stdin is not a terminal.

       -D     Turn on debugging strings.

       -F     Force  operation that would otherwise ask for interactive confirmation. Multiple -F
              can be specified to apply more force.

       -c cipher
              The  cipher  to  be  used  for  the  filesystem.  This  can  take  any  value  that
              cryptsetup(8)   recognizes,   usually   in   the  form  of  "cipher-mode[-extras]".
              Recommended are aes-cbc-essiv:sha256 (this is the default) or aes-xts-essiv:sha256.

       -f path
              Store the new disk image at path. If the file already exists, pmt-ehd will prompt
              before overwriting unless -F is given. If path refers to a symlink, pmt-ehd will
              act even more cautiously.

       -H path
              Store a detached (separate) metadata file with a new LUKS header at path. If the
              file already exists, pmt-ehd will prompt before overwriting unless -F is given. If
              path refers to a symlink, pmt-ehd will act even more cautiously. The default is to
              not use a detached header. Corresponds to the `cryptsetup --header` option.

       -h hash
              Message  digest/hash  used  for  key derivation in the PBKDF2 stage. The default is
              sha512.

       -i cipher
              (This option was removed in pam_mount/pmt_ehd 2.11.)

       -k keybits
              The key size for the cipher specified with -c. Some ciphers support multiple
              key sizes; AES, for example, is available with at least the key sizes 192 and 256.
              Defaults to 256 (to match aes-cbc-essiv). Note that XTS uses two keys, both drawn
              from the same key material, so aes-cbc-256 is equivalent to aes-xts-512, and
              aes-cbc-128 to aes-xts-256.

       -p path
              (This option was removed in pam_mount/pmt_ehd 2.11.)

       -s size
              The initial size of the encrypted filesystem, in megabytes. This option is  ignored
              when the filesystem is created on a block device.

       -t fstype
              Filesystem to use for the encrypted filesystem. Defaults to xfs.

       -u user
              Give the container and fskey files to user (because the program is usually run as
              root, and the files would otherwise retain root ownership).

       -x     Do not initialize the container with random bytes. This may impact secrecy.

Description

       pmt-ehd can be used to create a new encrypted container, and replaces the  previous  mkehd
       script  as  well as any HOWTOs that explain how to do it manually.  Without any arguments,
       pmt-ehd will interactively ask for all missing parameters. To create a  container  with  a
       size of 256 MB, use:

       pmt-ehd -f /home/user.cont -s 256
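
       For unattended use, where there is no terminal to answer prompts, every mandatory
       option has to be given on the command line. The wrapper below is an added example,
       not part of pam_mount; the function names and the EHD_RUN variable are made up for
       it. It prints the command by default and uses only options documented above.

```shell
#!/bin/sh
# Added example; function names and EHD_RUN are assumptions, not pam_mount's.

# ehd_keybits CIPHER AES_BITS -> value to pass with -k
# XTS draws two keys from the key material, so it needs twice the bits
# (aes-xts-512 ~ aes-cbc-256, aes-xts-256 ~ aes-cbc-128).
ehd_keybits() {
    case "$1:$2" in
        *-xts-*:128|*-xts-*:256) echo $(( $2 * 2 )) ;;
        *-xts-*) echo "no XTS equivalence listed for $2 bits" >&2; return 1 ;;
        *:128|*:192|*:256) echo "$2" ;;
        *) echo "unsupported AES key size: $2" >&2; return 1 ;;
    esac
}

# ehd_command PATH SIZE_MB CIPHER AES_BITS [OWNER]
# Prints the full pmt-ehd command line; runs it instead when EHD_RUN=1.
ehd_command() {
    path=$1 size=$2 cipher=$3 bits=$4 owner=${5:-}
    # Without a terminal nobody can answer the overwrite/symlink prompts,
    # so refuse those cases up front rather than adding -F.
    if [ -L "$path" ]; then echo "refusing symlink: $path" >&2; return 1; fi
    if [ -e "$path" ]; then echo "already exists: $path" >&2; return 1; fi
    case "$size" in
        ''|*[!0-9]*) echo "size must be whole megabytes: $size" >&2; return 1 ;;
    esac
    keybits=$(ehd_keybits "$cipher" "$bits") || return 1
    # -f and -s are mandatory; giving them avoids the interactive inquiry.
    set -- pmt-ehd -f "$path" -s "$size" -c "$cipher" -k "$keybits"
    if [ -n "$owner" ]; then set -- "$@" -u "$owner"; fi
    if [ "${EHD_RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}
```

       Calling ehd_command /home/user.cont 256 aes-xts-essiv:sha256 256 user prints a
       command with -k 512, matching the key size equivalence described under -k.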