1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
#compdef cryptsetup
local curcontext="$curcontext" ign ret=1
local -a actions state line expl
(( $#words > 2 )) && ign='!'
_arguments -s \
'(-v --verbose)'{-v,--verbose}'[enable verbose mode]' \
'--debug[show debug messages]' \
'--debug-json[show debug messages including JSON metadata]' \
'(-c --cipher)'{-c+,--cipher=}'[set cipher]:cipher specification' \
'(-h --hash)'{-h+,--hash=}'[hash algorithm]:hash algorithm' \
'(-y --verify-passphrase)'{-y,--verify-passphrase}'[query for password twice]' \
'(-d --key-file)'{-d+,--key-file=}'[set keyfile]:key file:_files' \
'--master-key-file=[set master key]:key file:_files' \
'--dump-volume-key[dump volume key instead of keyslots info]' \
'(-s --key-size)'{-s+,--key-size=}'[set key size]:size (bits)' \
'(-l --keyfile-size)'{-l+,--keyfile-size=}'[set keyfile size]:size (bytes)' \
'--keyfile-offset=[specify number of bytes to skip in keyfile]:offset (bytes)' \
'--new-keyfile-size=[set new keyfile size (luksAddKey)]:size (bytes)' \
'--new-keyfile-offset=[specify number of bytes to skip in newly added keyfile]:offset (bytes)' \
'(-S --key-slot)'{-S+,--key-slot=}'[select key slot]:key slot' \
'(-b --size)'{-b+,--size=}'[force device size]:sectors' \
'--device-size=[use only specified device size (ignore rest of device)]:size (bytes)' \
'(-o --offset)'{-o+,--offset=}'[set start offset]:sectors' \
'(-p --skip)'{-p+,--skip=}'[data to skip at beginning]:sectors' \
'(-r --readonly)'{-r,--readonly}'[create a read-only mapping]' \
'(-i --iter-time)'{-i+,--iter-time=}'[set password processing duration]:duration (milliseconds)' \
'(-q --batch-mode)'{-q,--batch-mode}"[don't ask for confirmation]" \
'(-t --timeout)'{-t+,--timeout=}'[set password prompt timeout]:timeout (seconds)' \
'--progress-frequency=[specify progress line update interval]:interval (seconds)' \
'(-T --tries)'{-T+,--tries=}'[set maximum number of retries]:number of retries' \
'--align-payload=[set payload alignment]:sectors' \
'--header-backup-file=[specify file with LUKS header and keyslots backup]:file:_files' \
'(--use-urandom)--use-random[use /dev/random to generate volume key]' \
'(--use-random)--use-urandom[use /dev/urandom to generate volume key]' \
'--shared[share device with another non-overlapping crypt segment]' \
'--uuid=[set device UUID]:uuid' \
'--allow-discards[allow discard (aka TRIM) requests for device]' \
'--cancel-deferred[cancel previously set deferred device removal]' \
'--disable-blkid[disable blkid on-disk signature detection and wiping]' \
'--disable-external-tokens[disable loading of external LUKS2 token plugins]' \
"--disable-veracrypt[don't scan for VeraCrypt compatible device]" \
'--dump-json-metadata[dump info in JSON format (LUKS2 only)]' \
'--dump-volume-key[dump volume key instead of keyslots info]' \
'--external-tokens-path=[specify path to directory with external token handlers (plugins)]:path:_directories' \
'--force-offline-reencrypt[force offline LUKS2 reencryption and bypass active device detection]' \
'--header=[device or file with separated LUKS header]:file:_files' \
'--hw-opal[use HW OPAL encryption together with SW encryption]' \
'--hw-opal-factory-reset[wipe WHOLE OPAL disk on luksErase]' \
'--hw-opal-only[use only HW OPAL encryption]' \
'--keep-key[do not change volume key]' \
'--link-vk-to-keyring=[set keyring where to link volume key]:string' \
'--new-keyfile=[read the key for a new slot from a file]:file:_files' \
'--new-key-slot=[specify slot number for new key]:slot [first free]' \
'--new-token-id=[token number]:number [any]' \
'--progress-json[print progress data in json format]' \
"--test-args[don't run action, just validate all command line parameters]" \
'--volume-key-file=[use the volume key from file]:file:_files' \
'--volume-key-keyring=[use the specified keyring key as a volume key]:key' \
'(-B --block-size)'{-B+,--block-size=}'[reencryption block size]:block size (MiB)' \
'(-N --new)'{-N,--new}'[create new header on not encrypted device]' \
'--use-directio[use direct-io when accessing devices]' \
'--use-fsync[use fsync after each block]' \
'--write-log[update log file after every block]' \
"--test-passphrase[don't activate device, just check passphrase]" \
'--token-replace[replace the current token]' \
'--token-type=[restrict allowed token types used to retrieve LUKS2 key]:string' \
'--tcrypt-hidden[use hidden header (hidden TCRYPT device)]' \
'--tcrypt-system[device is system TCRYPT drive (with bootloader)]' \
'--tcrypt-backup[use backup (secondary) TCRYPT header]' \
'--veracrypt[scan also for VeraCrypt compatible device]' \
'--veracrypt-pim=[specify personal iteration multiplier for VeraCrypt compatible device]:multiplier' \
'--veracrypt-query-pim[query personal iteration multiplier for VeraCrypt compatible device]' \
'(-M --type)'{-M+,--type=}'[specify type of device metadata]:type:(luks luks1 luks2 plain loopaes tcrypt bitlk)' \
'--force-password[disable password quality check (if enabled)]' \
'--perf-same_cpu_crypt[use dm-crypt same_cpu_crypt performance compatibility option]' \
'--perf-submit_from_crypt_cpus[use dm-crypt submit_from_crypt_cpus performance compatibility option]' \
'--perf-no_read_workqueue[bypass dm-crypt workqueue and process read requests synchronously]' \
'--perf-no_write_workqueue[bypass dm-crypt workqueue and process write requests synchronously]' \
'--deferred[device removal is deferred until the last user closes it]' \
'--serialize-memory-hard-pbkdf[use global lock to serialize memory]' \
'--pbkdf=[specify PBKDF algorithm for LUKS2]:algorithm:(argon2i argon2id pbkdf2)' \
'--pbkdf-memory=[specify PBKDF memory cost limit]:limit (kilobytes)' \
'--pbkdf-parallel=[specify PBKDF parallel cost]:threads' \
'--pbkdf-force-iterations=[specify PBKDF iterations cost]:cost' \
'--priority=[specify keyslot priority]:priority:(ignore normal prefer)' \
'--disable-locks[disable locking of on-disk metadata]' \
'--disable-keyring[disable loading volume keys via kernel keyring]' \
'(-I --integrity)'{-I+,--integrity=}'[specify data integrity algorithm (LUKS2 only)]:algorithm' \
'--integrity-no-journal[disable journal for integrity device]' \
"--integrity-no-wipe[don't wipe device after format]" \
'--integrity-legacy-padding[use inefficient legacy padding (old kernels)]' \
"--token-only[don't ask for passphrase if activation by token fails]" \
'--token-id=[specify token number]:number [any]' \
'--key-description=[specify key description]:description' \
'--sector-size=[specify encryption sector size]:size [512 bytes]' \
'--iv-large-sectors[use IV counted in sector size (not in 512 bytes)]' \
'--persistent[set activation flags persistent for device]' \
'--label=[set label for the LUKS2 device]:label' \
'--subsystem=[set subsystem label for the LUKS2 device]:subsystem' \
'--unbound[create or dump unbound (no assigned data segment) LUKS2 keyslot]' \
'--json-file=[read or write token to json file]:json file:_files -g "*.json(-.)"' \
'--luks2-metadata-size=[specify LUKS2 header metadata area size]:size (bytes)' \
'--luks2-keyslots-size=[specify LUKS2 header keyslots area size]:size (bytes)' \
'--refresh[refresh (reactivate) device with new parameters]' \
'--keyslot-key-size=[specify size of the encryption key]:size (bits)' \
'--keyslot-cipher=[specify cipher used for LUKS2 keyslot encryption]:cipher' \
'--encrypt[Encrypt LUKS2 device (in-place encryption)]' \
'--decrypt[decrypt LUKS2 device (remove encryption)]' \
'--init-only[initialize LUKS2 reencryption in metadata only]' \
'--resume-only[resume initialized LUKS2 reencryption only]' \
'--reduce-device-size=[reduce data device size (move data offset)]:size (bytes)' \
'--hotzone-size=[specify maximal reencryption hotzone size]:size (bytes)' \
'--resilience=[specify reencryption hotzone resilience type]:resilience type:(checksum journal none)' \
'--resilience-hash=[specify reencryption hotzone checksums hash]:string' \
'--active-name=[override device autodetection of dm device to be reencrypted]:string' \
"${ign}(- : *)"{-V,--version}'[show version information]' \
"${ign}(- : *)"{-\?,--help}'[display help information]' \
"${ign}(- : *)--usage[display brief usage]" \
':action:->actions' \
'*::arguments:->action-arguments' && ret=0
case $state in
actions)
actions=(
'open:open device with named mapping'
'close:close device (remove mapping)'
'status:report mapping status'
'resize:resize an active mapping'
'benchmark:benchmark cipher'
'repair:try to repair on-disk metadata'
'reencrypt:reencrypt LUKS2 device'
'erase:erase all keyslots'
'convert:convert LUKS from/to LUKS2 format'
'config:set permanent configuration options for LUKS2'
'luksFormat:initialize a LUKS partition'
'luksAddKey:add a new key'
'luksRemoveKey:remove a key'
'luksChangeKey:change a key'
'luksConvertKey:convert a key to new pbkdf parameters'
'luksKillSlot:wipe key from slot'
'luksUUID:print/change device UUID'
'isLuks:check if device is a LUKS partition'
'luksDump:dump header information'
'tcryptDump:dump TCRYPT device information'
'bitlkDump:dump BITLK device information'
'fvault2Dump:dump FVAULT2 device information'
'luksSuspend:suspend LUKS device and wipe key'
'luksResume:resume suspended LUKS device'
'luksHeaderBackup:store binary backup of headers'
'luksHeaderRestore:restore header backup'
'token:manipulate auto-activation token of the device'
)
_describe action actions && ret=0
;;
action-arguments)
local -a args
local mapping=':mapping:_path_files -W /dev/mapper'
local device=':device:_files'
case ${words[1]} in
create) args=( $mapping $device '--type=:type' );;
open) args=( $device $mapping '--type=:type' );;
(plain|luks|loopaes|tcrypt)Open) args=( $device $mapping '--type=:type' );;
benchmark) args=( '--cipher=:cipher' );;
luksKillSlot) args=( $device ':key slot number' );;
remove|status|resize|*lose|luksSuspend|luksResume) args=( $mapping );;
erase|convert|config|repair|reencrypt|(luks(AddKey|Erase|RemoveKey|DelKey|UUID|Dump)|isLuks))
args=( $device )
;;
luks(Format|AddKey|RemoveKey|ChangeKey|ConvertKey))
args=( $device ':key file:_files' )
;;
luksHeader*) args=( $device '--header-backup-file:file:_files' );;
token)
args=(
':action:((
add\:create\ a\ new\ keyring
remove\:remove\ any\ token\ from\ slot
import\:store\ arbitrary\ valid\ token\ json\ in\ LUKS2\ header
export\:write\ requested\ token\ json\ to\ a\ file
))'
$device
)
;;
*)
_default && ret=0
;;
esac
_arguments $args && ret=0
;;
esac
return ret
|
