Provided by: cryptsetup-bin_1.6.6-5ubuntu2.1_amd64 bug


       veritysetup - manage dm-verity (block level verification) volumes


       veritysetup <options> <action> <action args>


       Veritysetup is used to configure dm-verity managed device-mapper mappings.

       Device-mapper  verity  target  provides  read-only transparent integrity checking of block
       devices using kernel crypto API.

       The dm-verity devices are always read-only.

       Veritysetup supports these operations:

       format <data_device> <hash_device>

              Calculates and permanently stores hash verification  data  for  data_device.   Hash
              area  can  be  located  on the same device after data if specified by --hash-offset

              Note you need to provide root hash string for device  verification  or  activation.
              Root hash must be trusted.

              The data or hash device argument can be block device or file image.  If hash device
              path doesn't exist, it will be created as file.

              <options> can be [--hash,  --no-superblock,  --format,  --data-block-size,  --hash-
              block-size, --data-blocks, --hash-offset, --salt, --uuid]

       create <name> <data_device> <hash_device> <root_hash>

              Creates   a   mapping   with  <name>  backed  by  device  <data_device>  and  using
              <hash_device> for in-kernel verification.

              The <root_hash> is a hexadecimal string.

              <options> can be [--hash-offset, --no-superblock]

              If option --no-superblock is used, you have to  use  as  the  same  options  as  in
              initial format operation.

       verify <data_device> <hash_device> <root_hash>

              Verifies data on data_device with use of hash blocks stored on hash_device.

              This command performs userspace verification, no kernel device is created.

              The <root_hash> is a hexadecimal string.

              <options> can be [--hash-offset, --no-superblock]

              If  option  --no-superblock  is  used,  you  have  to use as the same options as in
              initial format operation.

       remove <name>

              Removes existing mapping <name>.

       status <name>

              Reports status for the active verity mapping <name>.

       dump <hash_device>

              Reports parameters of verity device from on-disk stored superblock.

              <options> can be [--no-superblock]


       --verbose, -v
              Print more information on command execution.

              Run in debug mode with full diagnostic logs. Debug output lines are always prefixed
              by '#'.

              Create or use dm-verity without permanent on-disk superblock.

              Specifies  the  hash  version  type.   Format  type 0 is original Chrome OS verion.
              Format type 1 is current version.

              Used block size for the data device.   (Note  kernel  supports  only  page-size  as
              maximum here.)

              Used  block  size  for  the  hash  device.  (Note kernel supports only page-size as
              maximum here.)

              Size of data device used in verification.  If not specified, the  whole  device  is

              Offset  of  hash  area/superblock  on  hash_device.   Value must be aligned to disk
              sector offset.

       --salt=hex string
              Salt used for format or verification.  Format is a hexadecimal string.

              Use the provided UUID for format command instead of generating new one.

              The    UUID    must    be    provided    in    standard    UUID    format,     e.g.

              Show the program version.


       Veritysetup returns 0 on success and a non-zero value on error.

       Error  codes  are:  1  wrong  parameters, 2 no permission, 3 out of memory, 4 wrong device
       specified, 5 device already exists or device is busy.


       Report bugs, including ones in the documentation, on the cryptsetup mailing list  at  <dm->  or  in the 'Issues' section on LUKS website.  Please attach the output of
       the failed command with the --debug option added.


       The first implementation of veritysetup was written by Chrome OS authors.

       This   version   is   based   on   verification   code   written   by   Mikulas    Patocka
       <> and rewritten for libcryptsetup by Milan Broz <>.


       Copyright © 2012-2013 Red Hat, Inc.
       Copyright © 2012-2014 Milan Broz

       This  is  free software; see the source for copying conditions.  There is NO warranty; not


       The project website at

       The       verity       on-disk       format       specification        available        at