author Milan Broz <gmazyland@gmail.com> 2020-12-29 15:05:12 +0100
committer Milan Broz <gmazyland@gmail.com> 2020-12-29 15:11:43 +0100
commit 3c886ccff87b8c06a638d3d844f9e448f628fca9 (patch)
tree d80e7bc17fd0a865bbd3c530c1d7b142e2cb6ad4 /man
parent eddc3b03818a3815180fff40259423c607514c4f (diff)
tcrypt: Support --hash and --cipher options to limit opening time.

If user knows which particular PBKDF2 hash or cipher is used for True/VeraCrypt container, using --hash or --cipher option in tcryptDump and tcryptOpen can scan only these variants. Note for the cipher it means substring (all cipher chains containing the cipher are tried).

For example, you can use
  cryptsetup tcryptDump --hash sha512 <container>

Note: for speed up, usually the hash option matters, cipher variants are scanned very quickly. Use with care, in a script it can reveal some sensitive attribute of the container.

Fixes #608.
Diffstat (limited to 'man')
-rw-r--r-- man/cryptsetup.8 8
1 files changed, 6 insertions, 2 deletions
diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
index 58d7519a..137265c7 100644
--- a/man/cryptsetup.8
+++ b/man/cryptsetup.8
@@ -716,12 +716,16 @@ a mapping <name>.
\fB<options>\fR can be [\-\-key\-file, \-\-tcrypt\-hidden,
\-\-tcrypt\-system, \-\-tcrypt\-backup, \-\-readonly, \-\-test\-passphrase,
\-\-allow-discards, \-\-veracrypt, \-\-veracrypt\-pim, \-\-veracrypt\-query\-pim,
-\-\-header].
+\-\-header, \-\-cipher, \-\-hash].
The keyfile parameter allows a combination of file content with the
passphrase and can be repeated. Note that using keyfiles is compatible
with TCRYPT and is different from LUKS keyfile logic.
+If \fB\-\-\cipher\fR or \fB\-\-hash\fR options are used, only cipher chains or
+PBKDF2 variants with the specified hash algoprithms are checked. This could speed
+up opening of the device (but also it reveals some information about the container).
+
\fBWARNING:\fR Option \fB\-\-allow\-discards\fR cannot be combined with
option \fB\-\-tcrypt\-hidden\fR. For normal mapping, it can cause
the \fBdestruction of hidden volume\fR (hidden volume appears as unused space
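Review bot: The added line "+If \fB\-\-\cipher\fR or \fB\-\-hash\fR options are used" has a stray backslash before "cipher": in "\-\-\cipher" roff reads "\c" as an escape, so the option name will not render as --cipher. It should be "\fB\-\-cipher\fR". In the same paragraph "algoprithms" is a typo for "algorithms". The commit message says the cipher value is matched as a substring (all cipher chains containing it are tried); that belongs in this paragraph too, since the man page is where users will look it up. The parenthetical about revealing information would be more useful if it said how, for example that a script containing the option discloses which hash or cipher the container uses.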
@@ -741,7 +745,7 @@ This means that if the master key is compromised, the whole device has
to be erased to prevent further access. Use this option carefully.
\fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file,
-\-\-tcrypt\-hidden, \-\-tcrypt\-system, \-\-tcrypt\-backup].
+\-\-tcrypt\-hidden, \-\-tcrypt\-system, \-\-tcrypt\-backup, \-\-cipher, \-\-hash].
The keyfile parameter allows a combination of file content with the
passphrase and can be repeated.
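Review bot: The tcryptDump option list gains "\-\-cipher, \-\-hash", but unlike the tcryptOpen hunk there is no sentence here explaining what the two options do. Suggest adding the same explanation after "passphrase and can be repeated." or referring the reader to the tcryptOpen description, including the caveat that restricting the scan reveals some information about the container.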