cryptsetup-ssh - Man Page

manage LUKS2 SSH token

Synopsis

cryptsetup-ssh <options> <action> <action args>

Description

Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server.

This plugin currently allows only adding a token to an existing key slot, see cryptsetup(8) for instruction on how to remove, import or export the token.

Add operation

add <options> <device>

Adds the SSH token to <device>.

Specified SSH server must contain a key file on the specified path with a passphrase for an existing key slot on the device. Provided credentials will be used by cryptsetup to get the password when opening the device using the token.

--ssh-server, --ssh-user, --ssh-keypath and --ssh-path are required for this operation.

--key-slot=NUM

Keyslot to assign the token to. If not specified, the token will be assigned to the first key slot matching provided passphrase.

--ssh-keypath=STRING

Path to the SSH key for connecting to the remote server.

--ssh-path=STRING

Path to the key file on the remote server.

--ssh-server=STRING

IP address/URL of the remote server for this token.

--ssh-user=STRING

Username used for the remote server.

Options

--debug

Show debug messages

--debug-json

Show debug messages including JSON metadata

-v,  --verbose

Shows more detailed error messages

-?,  --help

Show help

-V,  --version

Print program version

Notes

The information provided when adding the token (SSH server address, user and paths) will be stored in the LUKS2 header in plaintext.

Reporting Bugs

Report bugs, including ones in the documentation, on the cryptsetup mailing list at <dm-crypt@saout.de> or in the 'Issues' section on LUKS website. Please attach the output of the failed command with the --debug option added.

See Also

The project website at https://gitlab.com/cryptsetup/cryptsetup

Info

June 2021 Maintenance Commands