table of contents
CRYPTSETUP-LUKSKILLSLOT(8) | Maintenance Commands | CRYPTSETUP-LUKSKILLSLOT(8) |
NAME¶
cryptsetup-luksKillSlot - wipe a key-slot from the LUKS device
SYNOPSIS¶
cryptsetup luksKillSlot [<options>] <device> <key slot number>
DESCRIPTION¶
Wipe the key-slot number <key slot> from the LUKS device. Except running in batch-mode (-q) a remaining passphrase must be supplied, either interactively or via --key-file. This command can remove the last remaining key-slot, but requires an interactive confirmation when doing so. Removing the last passphrase makes a LUKS container permanently inaccessible.
<options> can be [--key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, --type, --verify-passphrase, --timeout].
WARNING: If you read the passphrase from stdin (without further argument or with '-' as an argument to --key-file), batch-mode (-q) will be implicitly switched on and no warning will be given when you remove the last remaining passphrase from a LUKS container. Removing the last passphrase makes the LUKS container permanently inaccessible.
NOTE: If there is no passphrase provided (on stdin or through --key-file argument) and batch-mode (-q) is active, the key-slot is removed without any other warning.
OPTIONS¶
--type <device-type>
--verify-passphrase, -y
--key-file, -d name
If the name given is "-", then the passphrase will be read from stdin. In this case, reading will not stop at newline characters.
See section NOTES ON PASSPHRASE PROCESSING in cryptsetup(8) for more information.
--keyfile-offset value
--keyfile-size, -l value
This option is useful to cut trailing newlines, for example. If --keyfile-offset is also given, the size count starts after the offset.
--timeout, -t <number of seconds>
This option is useful when the system should not stall if the user does not input a passphrase, e.g. during boot. The default is a value of 0 seconds, which means to wait forever.
--header <device or file storing the LUKS header>
For commands that change the LUKS header (e.g. luksAddKey), specify the device or file with the LUKS header directly as the LUKS device.
--disable-locks
WARNING: Do not use this option unless you run cryptsetup in a restricted environment where locking is impossible to perform (where /run directory cannot be used).
--batch-mode, -q
If the --verify-passphrase option is not specified, this option also switches off the passphrase verification.
--debug or --debug-json
If --debug-json is used, additional LUKS2 JSON data structures are printed.
--version, -V
--usage
--help, -?
REPORTING BUGS¶
Report bugs at cryptsetup mailing list <cryptsetup@lists.linux.dev> or in Issues project section <https://gitlab.com/cryptsetup/cryptsetup/-/issues/new>.
Please attach output of the failed command with --debug option added.
SEE ALSO¶
Cryptsetup FAQ <https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions>
CRYPTSETUP¶
Part of cryptsetup project <https://gitlab.com/cryptsetup/cryptsetup/>.
2023-12-18 | cryptsetup 2.6.1 |