Provided by: cryptsetup-bin_1.6.1-1ubuntu1_amd64 bug


       cryptsetup-reencrypt - tool for offline LUKS device re-encryption


       cryptsetup-reencrypt <options> <device>


       Cryptsetup-reencrypt can be used to change reencryption parameters which otherwise require
       full on-disk data change (re-encryption).

       You can regenerate volume key (the real  key  used  in  on-disk  encryption  unclocked  by
       passphrase), cipher, cipher mode.

       Cryptsetup-reencrypt  reencrypts data on LUKS device in-place. During reencryption process
       the LUKS device is marked unavailable.

       WARNING: The cryptsetup-reencrypt program is not resistant to hardware or kernel  failures
       during reencryption (you can lose you data in this case).


       The  reencryption can be temporarily suspended (by TERM signal or by using ctrl+c) but you
       need  to  retain  temporary  files  named  LUKS-<uuid>.[log|org|new].   LUKS   device   is
       unavailable until reencryption is finished though.

       Current working directory must by writable and temporary files created during reencryption
       must be present.

       For more info about LUKS see cryptsetup(8).


       To start (or continue) re-encryption for <device> use:

       cryptsetup-reencrypt <device>

       <options> can be [--block-size,  --cipher,  --hash,  --iter-time,  --use-random  |  --use-
       urandom,   --key-file,   --key-slot,  --keyfile-offset,  --keyfile-size,  --tries,  --use-
       directio, --use-fsync, --write-log]

       For detailed description of encryption and key file options see cryptsetup(8) man page.

       --verbose, -v
              Print more information on command execution.

              Run in debug mode with full diagnostic logs. Debug output lines are always prefixed
              by '#'.

       --cipher, -c <cipher-spec>
              Set the cipher specification string.

       --key-size, -s <bits>
              Set key size in bits. The argument has to be a multiple of  8.

              The possible key-sizes are limited by the cipher and mode used.

              If  you  are increasing key size, there must be enough space in the LUKS header for
              enlarged keyslots (data offset must be large  enough)  or  reencryption  cannot  be

              If  there is not enough space for keyslots with new key size, you can destructively
              shrink device with --reduce-device-size option.

       --hash, -h <hash-spec>
              Specifies the hash used in the LUKS key setup scheme and volume key digest.

       --iter-time, -i <milliseconds>
              The number of milliseconds to spend with PBKDF2 passphrase processing for  the  new
              LUKS header.


              Define which kernel random number generator will be used to create the volume key.

       --key-file, -d name
              Read the passphrase from file.

              WARNING:  --key-file  option  can be used only if there only one active keyslot, or
              alternatively, also if --key-slot option is specified (then all other keyslots will
              be disabled in new LUKS device).

              If  this  option  is not used, cryptsetup-reencrypt will ask for all active keyslot

       --key-slot, -S <0-7>
              Specify which key slot is used.

              WARNING: All other keyslots will be disabled if this option is used.

       --keyfile-offset value
              Skip value bytes at the beginning of the key file.

       --keyfile-size, -l
              Read a maximum of value bytes from the key file.  Default is to read the whole file
              up to the compiled-in maximum.

       --tries, -T
              Number of retries for invalid passphrase entry.

       --block-size, -B value
              Use re-encryption block size of <value> in MiB.

              Values can be between 1 and 64 MiB.

       --device-size size[units]
              Instead of real device size, use specified value.

              It  means  that  only specified area (from the start of the device to the specified
              size) will be reencrypted.

              WARNING: This is destructive operation.

              If no unit suffix is specified, the size is in bytes.

              Unit suffix can be S for 512 byte sectors, K/M/G/T (or KiB,MiB,GiB,TiB)  for  units
              with 1024 base or KB/MB/GB/TB for 1000 base (SI scale).

              WARNING: This is destructive operation.

       --reduce-device-size size[units]
              Enlarge data offset to specified value by shrinking device size.

              This  means  that last sectors on the original device will be lost, ciphertext data
              will be effectively shifted by specified number of sectors.

              It can be usefull if you e.g. added some space to  underlying  partition  (so  last
              sectors contains no data).

              For units suffix see --device-size parameter description.

              WARNING:  This  is  destructive operation and cannot be reverted.  Use with extreme
              care - shrinked filesystems are usually unrecoverable.

              You cannot shrink device more than by 64 MiB (131072 sectors).

       --new, N
              Create new header (encrypt not yet encrypted device).

              This option must be used together with --reduce-device-size.

              WARNING: This is destructive operation and cannot be reverted.

              Use direct-io (O_DIRECT) for all read/write data operations.

              Usefull if direct-io operations perform  better  than  normal  buffered  operations
              (e.g. in virtual environments).

              Use fsync call after every written block.

              Update  log  file after every block write. This can slow down reencryption but will
              minimize data loss in the case of system crash.

       --batch-mode, -q
              Suppresses all warnings and reencryption progress output.

              Show the program version.


       Cryptsetup-reencrypt returns 0 on success and a non-zero value on error.

       Error codes are: 1 wrong parameters, 2 no permission, 3 out  of  memory,  4  wrong  device
       specified, 5 device already exists or device is busy.


       Reencrypt /dev/sdb1 (change volume key)
              cryptsetup-reencrypt /dev/sdb1

       Reencrypt and also change cipher and cipher mode
              cryptsetup-reencrypt /dev/sdb1 -c aes-xts-plain64

       Add LUKS encryption to not yet encrypted device

              First, be sure you have space added to disk.  Or alternatively shrink filesystem in
              Here we need 4096 512-bytes sectors (enough for 2x128 bit key).

              fdisk -u /dev/sdb # move sdb1 partition end + 4096 sectors

              cryptsetup-reencrypt /dev/sdb1 --new --reduce-device-size 4096


       Report bugs, including ones in the documentation, on the cryptsetup mailing list  at  <dm->  or  in the 'Issues' section on LUKS website.  Please attach the output of
       the failed command with the --debug option added.


       Cryptsetup-reencrypt was written by Milan Broz <>.


       Copyright © 2012 Milan Broz
       Copyright © 2012 Red Hat, Inc.

       This is free software; see the source for copying conditions.  There is NO  warranty;  not


       The project website at