cryptsetup-ssh - Man Page

manage LUKS2 SSH token

Synopsis

cryptsetup-ssh <action> [<options>] <action args>

Description

Experimental cryptsetup plugin for unlocking LUKS2 devices with a token connected to an SSH server.

This plugin currently allows only adding a token to an existing key slot. See cryptsetup(8) for instructions on how to remove, import or export the token.

Add operation

add <options> <device>

Adds the SSH token to <device>.

The specified SSH server must contain a key file on the specified path with a passphrase for an existing key slot on the device. The provided credentials will be used by cryptsetup to retrieve the passphrase when opening the device using the token.

Options --ssh-server, --ssh-user, --ssh-keypath and --ssh-path are required for this operation.

Options

--debug

Show debug messages

--debug-json

Show debug messages including JSON metadata

--help, -?

Show help

--key-slot=NUM

Keyslot to assign the token to. If not specified, the token will be assigned to the first key slot matching the provided passphrase.

--ssh-keypath=STRING

Path to the SSH key for connecting to the remote server.

--ssh-path=STRING

Path to the key file on the remote server.

--ssh-server=STRING

IP address/URL of the remote server for this token.

--ssh-user=STRING

Username used for the remote server.

--verbose, -v

Show more detailed error messages

--version, -V

Print program version

Notes

The information provided when adding the token (SSH server address, user and paths) will be stored in the LUKS2 header in plaintext.
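
The plaintext exposure noted above can be checked on an existing header. The following added example, which is not part of the cryptsetup project, parses the JSON printed by cryptsetup luksDump --dump-json-metadata and lists the fields each SSH token stores. The token field names (ssh_server, ssh_user, ssh_path, ssh_keypath) are an assumption about what the plugin writes, and the sample metadata is constructed for illustration.

```python
import json

# Constructed sample of `cryptsetup luksDump --dump-json-metadata <device>` output
# (trimmed to the parts used here; all values are made up).
SAMPLE_METADATA = """
{
  "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
  "tokens": {
    "0": {"type": "ssh", "keyslots": ["1"],
          "ssh_server": "192.0.2.10", "ssh_user": "unlock",
          "ssh_path": "/home/unlock/disk.key",
          "ssh_keypath": "/root/.ssh/id_unlock"},
    "1": {"type": "luks2-keyring", "keyslots": ["0"], "key_description": "example"}
  }
}
"""

# Assumption: field names the ssh token plugin writes into the token object.
SSH_FIELDS = ("ssh_server", "ssh_user", "ssh_path", "ssh_keypath")


def find_ssh_tokens(metadata_json):
    """Return one record per SSH token found in LUKS2 JSON metadata."""
    meta = json.loads(metadata_json)
    known_slots = set(meta.get("keyslots", {}))
    findings = []
    for token_id, token in sorted(meta.get("tokens", {}).items()):
        if token.get("type") != "ssh":
            continue
        slots = token.get("keyslots", [])
        findings.append({
            "token": token_id,
            "keyslots": slots,
            # Slots the token points at that no longer exist in the header.
            "dangling_keyslots": [s for s in slots if s not in known_slots],
            # Everything below is readable by anyone who can read the header.
            "plaintext": {f: token[f] for f in SSH_FIELDS if f in token},
        })
    return findings


if __name__ == "__main__":
    for f in find_ssh_tokens(SAMPLE_METADATA):
        print(f"token {f['token']} -> keyslots {f['keyslots']}")
        for name, value in f["plaintext"].items():
            print(f"  {name} = {value}")
        if f["dangling_keyslots"]:
            print(f"  missing keyslots: {f['dangling_keyslots']}")
```

To audit a real device, pass the output of cryptsetup luksDump --dump-json-metadata to find_ssh_tokens() in place of the sample.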

Authors

The cryptsetup-ssh tool is written by Vojtech Trefny.

Reporting Bugs

Report bugs to the cryptsetup mailing list or in the Issues section of the project.

Please attach output of the failed command with --debug option added.

See Also

Cryptsetup FAQ

cryptsetup(8), integritysetup(8) and veritysetup(8)

Cryptsetup

Part of cryptsetup project.

Info

2024-04-09 cryptsetup-ssh 2.7.2 Maintenance Commands