logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

cryptsetup-erase, cryptsetup-luksErase - erase all keyslots

Contents

Cryptsetup

       Part of cryptsetupproject <https://gitlab.com/cryptsetup/cryptsetup/>.

cryptsetup 2.7.5                                   2025-02-18                                CRYPTSETUP-ERASE(8)

Description

       Erase all keyslots and make the LUKS container permanently inaccessible. Unless the device is configured
       with HW OPAL support you do not need to provide any password for this operation.

       WARNING: This operation is irreversible.

       WARNING: with --hw-opal-factory-reset ALL data is lost on the device, regardless of the partition it is
       ran on, if any, and regardless of any LUKS2 header backup, and does not require a valid LUKS2 header to
       be present on the device to run.

       <options> can be [--header, --disable-locks, --hw-opal-factory-reset, --key-file].

Name

       cryptsetup-erase, cryptsetup-luksErase - erase all keyslots

Options

--batch-mode,-q
           Suppresses all confirmation questions. Use with care!

           If the --verify-passphrase option is not specified, this option also switches off the passphrase
           verification.

       --debugor--debug-json
           Run in debug mode with full diagnostic logs. Debug output lines are always prefixed by #.

           If --debug-json is used, additional LUKS2 JSON data structures are printed.

       --disable-locks
           Disable lock protection for metadata on disk. This option is valid only for LUKS2 and ignored for
           other formats.

           WARNING: Do not use this option unless you run cryptsetup in a restricted environment where locking
           is impossible to perform (where /run directory cannot be used).

       --header<deviceorfilestoringtheLUKSheader>
           Use to specify detached LUKS2 header when erasing HW OPAL enabled data device.

       --help,-?
           Show help text and default parameters.

       --hw-opal-factory-reset
           Erase ALL data on the OPAL self-encrypted device, regardless of the partition it is ran on, if any,
           and does not require a valid LUKS2 header to be present on the device to run. After providing correct
           PSID via interactive prompt or via --key-file parameter the device is erased. PSID is usually printed
           on the OPAL device label (either directly or as a QR code).

       --key-file,-dname(LUKS2withHWOPALonly)
           Read the Admin PIN or PSID (with --hw-opal-factory-reset) from file depending on options used.

           If the name given is "-", then the secret will be read from stdin. In this case, reading will not
           stop at newline characters.

       --usage
           Show short option help.

       --version,-V
           Show the program version.

Reporting Bugs

       Report bugs at cryptsetupmailinglist <cryptsetup@lists.linux.dev> or in Issuesprojectsection
       <https://gitlab.com/cryptsetup/cryptsetup/-/issues/new>.

       Please attach output of the failed command with --debug option added.

See Also

CryptsetupFAQ <https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions>

       cryptsetup(8), integritysetup(8) and veritysetup(8)

Synopsis

cryptsetuperase[<options>]<device>cryptsetupluksErase[<options>]<device>

See Also

Man Pages
cryptsetup Man Pages
Man Pages
opal Man Pages
Erase
Erase PNG Icons
Man Pages
device Man Pages
Option
Option PNG Icons
TLDR
Systemd-cryptenroll - unlock luks2 devices Tldr
Header
Header PNG Icons
Man Pages
Debugging Man Pages
Data
Data PNG Icons
← View System admin Category← Back to Authentication and access control🙏  Credits & Acknowledgments