Provided by: cryptsetup-bin_1.6.1-1ubuntu1_amd64 bug

NAME
       cryptsetup-reencrypt - tool for offline LUKS device re-encryption


SYNOPSIS
       cryptsetup-reencrypt <options> <device>


DESCRIPTION
       Cryptsetup-reencrypt  can  be used to change reencryption parameters which otherwise require full on-disk
       data change (re-encryption).

       You can regenerate volume key (the real key used in on-disk encryption unclocked by passphrase),  cipher,
       cipher mode.

       Cryptsetup-reencrypt reencrypts data on LUKS device in-place. During reencryption process the LUKS device
       is marked unavailable.

       WARNING:  The  cryptsetup-reencrypt  program  is  not  resistant  to  hardware  or kernel failures during
       reencryption (you can lose you data in this case).

       ALWAYS BE SURE YOU HAVE RELIABLE BACKUP BEFORE USING THIS TOOL.
       THIS TOOL IS EXPERIMENTAL.

       The reencryption can be temporarily suspended (by TERM signal or by using ctrl+c) but you need to  retain
       temporary  files  named  LUKS-<uuid>.[log|org|new].   LUKS  device  is  unavailable until reencryption is
       finished though.

       Current working directory must by writable and  temporary  files  created  during  reencryption  must  be
       present.

       For more info about LUKS see cryptsetup(8).


OPTIONS
       To start (or continue) re-encryption for <device> use:

       cryptsetup-reencrypt <device>

       <options>  can be [--block-size, --cipher, --hash, --iter-time, --use-random | --use-urandom, --key-file,
       --key-slot, --keyfile-offset, --keyfile-size, --tries, --use-directio, --use-fsync, --write-log]

       For detailed description of encryption and key file options see cryptsetup(8) man page.

       --verbose, -v
              Print more information on command execution.

       --debug
              Run in debug mode with full diagnostic logs. Debug output lines are always prefixed by '#'.

       --cipher, -c <cipher-spec>
              Set the cipher specification string.

       --key-size, -s <bits>
              Set key size in bits. The argument has to be a multiple of  8.

              The possible key-sizes are limited by the cipher and mode used.

              If you are increasing key size, there must be  enough  space  in  the  LUKS  header  for  enlarged
              keyslots (data offset must be large enough) or reencryption cannot be performed.

              If  there  is not enough space for keyslots with new key size, you can destructively shrink device
              with --reduce-device-size option.

       --hash, -h <hash-spec>
              Specifies the hash used in the LUKS key setup scheme and volume key digest.

       --iter-time, -i <milliseconds>
              The number of milliseconds to spend with PBKDF2 passphrase processing for the new LUKS header.

       --use-random

       --use-urandom
              Define which kernel random number generator will be used to create the volume key.

       --key-file, -d name
              Read the passphrase from file.

              WARNING: --key-file option can be used only if there only one active  keyslot,  or  alternatively,
              also  if  --key-slot  option  is  specified  (then all other keyslots will be disabled in new LUKS
              device).

              If this option is not used, cryptsetup-reencrypt will ask for all active keyslot passphrases.

       --key-slot, -S <0-7>
              Specify which key slot is used.

              WARNING: All other keyslots will be disabled if this option is used.

       --keyfile-offset value
              Skip value bytes at the beginning of the key file.

       --keyfile-size, -l
              Read a maximum of value bytes from the key file.  Default is to read the  whole  file  up  to  the
              compiled-in maximum.

       --tries, -T
              Number of retries for invalid passphrase entry.

       --block-size, -B value
              Use re-encryption block size of <value> in MiB.

              Values can be between 1 and 64 MiB.

       --device-size size[units]
              Instead of real device size, use specified value.

              It  means  that  only  specified area (from the start of the device to the specified size) will be
              reencrypted.

              WARNING: This is destructive operation.

              If no unit suffix is specified, the size is in bytes.

              Unit suffix can be S for 512 byte sectors, K/M/G/T (or KiB,MiB,GiB,TiB) for units with  1024  base
              or KB/MB/GB/TB for 1000 base (SI scale).

              WARNING: This is destructive operation.

       --reduce-device-size size[units]
              Enlarge data offset to specified value by shrinking device size.

              This  means  that  last  sectors  on  the  original  device  will be lost, ciphertext data will be
              effectively shifted by specified number of sectors.

              It can be usefull if you e.g. added some space to underlying partition (so last  sectors  contains
              no data).

              For units suffix see --device-size parameter description.

              WARNING:  This  is destructive operation and cannot be reverted.  Use with extreme care - shrinked
              filesystems are usually unrecoverable.

              You cannot shrink device more than by 64 MiB (131072 sectors).

       --new, N
              Create new header (encrypt not yet encrypted device).

              This option must be used together with --reduce-device-size.

              WARNING: This is destructive operation and cannot be reverted.

       --use-directio
              Use direct-io (O_DIRECT) for all read/write data operations.

              Usefull if direct-io operations perform better than normal buffered operations  (e.g.  in  virtual
              environments).

       --use-fsync
              Use fsync call after every written block.

       --write-log
              Update  log  file  after every block write. This can slow down reencryption but will minimize data
              loss in the case of system crash.

       --batch-mode, -q
              Suppresses all warnings and reencryption progress output.

       --version
              Show the program version.


RETURN CODES
       Cryptsetup-reencrypt returns 0 on success and a non-zero value on error.

       Error codes are: 1 wrong parameters, 2 no permission, 3 out of memory, 4 wrong device specified, 5 device
       already exists or device is busy.


EXAMPLES
       Reencrypt /dev/sdb1 (change volume key)
              cryptsetup-reencrypt /dev/sdb1

       Reencrypt and also change cipher and cipher mode
              cryptsetup-reencrypt /dev/sdb1 -c aes-xts-plain64

       Add LUKS encryption to not yet encrypted device

              First, be sure you have space added to disk.  Or alternatively shrink filesystem in advance.
              Here we need 4096 512-bytes sectors (enough for 2x128 bit key).

              fdisk -u /dev/sdb # move sdb1 partition end + 4096 sectors

              cryptsetup-reencrypt /dev/sdb1 --new --reduce-device-size 4096


REPORTING BUGS
       Report bugs, including ones in the documentation, on the cryptsetup mailing list  at  <dm-crypt@saout.de>
       or  in  the  'Issues'  section  on LUKS website.  Please attach the output of the failed command with the
       --debug option added.


AUTHORS
       Cryptsetup-reencrypt was written by Milan Broz <gmazyland@gmail.com>.


COPYRIGHT
       Copyright © 2012 Milan Broz
       Copyright © 2012 Red Hat, Inc.

       This is free software; see the source for copying  conditions.   There  is  NO  warranty;  not  even  for
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.


SEE ALSO
       The project website at http://code.google.com/p/cryptsetup/

cryptsetup-reencrypt                                June 2012                            CRYPTSETUP-REENCRYPT(8)