Next: cutmem, Previous: cryptocheck, Up: Command-line commands [Contents][Index]
Set up access to an encrypted device. A passphrase will be requested interactively if neither the -p nor the -k option is given. The option -p can be used to supply a passphrase (useful for scripts). Alternatively, the -k option can be used to supply a key file, with the options -O and -S optionally supplying the offset and size, respectively, of the key data within that key file. Besides a key file, the key can be stored in a key protector, and the option -P selects the key protector, e.g. tpm2, from which to retrieve the key. The option -A enables hardware acceleration in libgcrypt to speed up decryption. The -H option can be used to supply cryptomount backends with an alternative header file (also known as a detached header). Not all backends have headers, nor do all of them support alternative header files (currently only LUKS1 and LUKS2 support them). The argument device configures a specific GRUB device (see Naming convention); the option -u uuid configures the device with the specified UUID; the option -a configures all detected encrypted devices; the option -b configures all geli containers that have the boot flag set.
Devices are not allowed to be given as key files nor as detached header files. However, this limitation can be worked around by using blocklist syntax. So, for instance, (hd1,gpt2) cannot be used, but (hd1,gpt2)0+ will achieve the desired result.
GRUB supports devices encrypted using LUKS, LUKS2 and geli. Note that the necessary modules (luks, luks2 and geli) have to be loaded manually before this command can be used. For LUKS2, only the PBKDF2 key derivation function is supported; Argon2 is not yet supported.
Successfully decrypted disks are named (cryptoX), where the numeric suffix X increases by one for each newly decrypted disk. If the encrypted disk hosts a higher level of abstraction (such as LVM2 or MDRAID), that volume is created under its own separate device namespace in addition to the cryptodisk namespace.
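A grub.cfg fragment, added here as an illustration rather than taken from the GRUB manual, that ties the pieces above together: the manual module load, a key file addressed with blocklist syntax and trimmed with -O/-S, an interactive fallback when the key file is unusable, and the (crypto0) name of the unlocked disk. The UUID, the key file location and the offset and size values are placeholders chosen for the example.

```grub
# Added example grub.cfg fragment; values below are constructed placeholders.
insmod luks2            # backends are not loaded automatically; load the one the volume uses
insmod lvm              # only needed if an LVM2 volume group sits on top of the LUKS device

# A whole device cannot be given as a key file, so address the partition with
# blocklist syntax: (hd1,gpt2)0+ means "from sector 0 of that partition onward".
# -O and -S then select only the key data inside that range (offset 4096, size 512;
# units as documented for the installed GRUB version, assumed here to be bytes).
if ! cryptomount -u LUKS2_UUID_PLACEHOLDER -k (hd1,gpt2)0+ -O 4096 -S 512; then
    # Key file missing or wrong: neither -p nor -k given, so GRUB asks for a passphrase.
    cryptomount -u LUKS2_UUID_PLACEHOLDER
fi

# The first successfully unlocked disk is exposed as (crypto0). An LVM2 logical
# volume on top of it would instead be addressed through the lvm namespace.
set root=(crypto0)
```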
Support for plain encryption mode (plain dm-crypt) is provided by the separate plainmount command (see plainmount).
On the EFI platform, GRUB tries to erase master keys from memory when the cryptodisk module is unloaded or the exit command is executed. All secrets remain in memory when the chainloader command is issued, because execution can return to GRUB on the EFI platform.