Cryptsetup is an open-source utility used to conveniently set up disk encryption based on the dm-crypt kernel module.
These formats are supported:
- plain volumes,
- LUKS volumes,
- loop-AES,
- TrueCrypt (including VeraCrypt extension),
- BitLocker, and
- FileVault2.
The project also includes a veritysetup utility used to conveniently setup dm-verity block integrity checking kernel module and integritysetup to setup dm-integrity block integrity kernel module.
LUKS is the standard for Linux disk encryption. By providing a standard on-disk format, it does not only facilitate compatibility among distributions, but also provides secure management of multiple user passwords. LUKS stores all necessary setup information in the partition header, enabling to transport or migrate data seamlessly.
- The latest version of the LUKS2 format specification.
- The latest version of the LUKS1 format specification.
- Project home page.
- Frequently asked questions (FAQ)
All release tarballs and release notes are hosted on kernel.org.
The latest stable cryptsetup release version is 2.6.1
- cryptsetup-2.6.1.tar.xz
- Signature cryptsetup-2.6.1.tar.sign (You need to decompress file first to check signature.)
- Cryptsetup 2.6.1 Release Notes.
Previous versions
For development version code, please refer to source page, mirror on kernel.org or GitHub.
For libcryptsetup documentation see libcryptsetup API page.
The libcryptsetup API/ABI changes are tracked in compatibility report.
NLS PO files are maintained by TranslationProject.
All distributions provide cryptsetup as distro package. If you need to compile cryptsetup yourself, some packages are required for compilation. Please always prefer distro specific build tools to manually configuring cryptsetup.
Here is the list of packages needed for the compilation of project for particular distributions:
For Fedora:
git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel
libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar
Optionally: libargon2-devel libpwquality-devel
To run the internal testsuite (make check) you also need to install
sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openssh-clients openssh sshpass
For Debian and Ubuntu:
git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev
libpopt-dev uuid-dev libsepol1-dev libjson-c-dev libssh-dev libblkid-dev tar
Optionally: libargon2-0-dev libpwquality-dev
To run the internal testsuite (make check) you also need to install
sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
Note that the list could change as the distributions evolve.
The cryptsetup project uses automake and autoconf system to generate all needed files for compilation. If you check it from the git snapshot, use ./autogen.sh && ./configure && make to compile the project. If you use downloaded released tar.xz archive, the configure script is already pre-generated (no need to run autoconf.sh). See ./configure --help and use --disable-[feature] and --enable-[feature] options.
For running the test suite that come with the project, type make check. Note that most tests will need root user privileges and run many dangerous storage fail simulations. Do not run tests with root privilege on production systems! Some tests will need scsi_debug kernel module to be available.
For more details, please refer to automake and autoconf manuals.
Please read the following documentation before posting questions in the mailing list... You will be able to ask better questions and better understand the answers.
- Frequently asked questions (FAQ),
- LUKS Specifications, and
- manuals (aka man page, man pages, man-page)
The FAQ is online and in the source code for the project. The Specifications are referenced above in this document. The man pages are in source and should be available after installation using standard man commands, e.g. man cryptsetup.
For cryptsetup and LUKS related questions, please use the cryptsetup mailing list [email protected], hosted at kernel.org subspace. To subscribe send an empty mail to [email protected].
You can also browse and/or search the mailing list archive. News (NNTP), Atom feed and git access to public inbox is available through lore.kernel.org service.
The former dm-crypt list archive is also available.