LinuxCommandLibrary

cryptsetup-open

Unlock and map a block device

TLDR

Open a LUKS volume and create a decrypted mapping at /dev/mapper/mapping_name

$ cryptsetup open [/dev/sdXY] [mapping_name]

Use a keyfile instead of a passphrase
$ cryptsetup open --key-file [path/to/file] [/dev/sdXY] [mapping_name]

Allow the use of TRIM on the device
$ cryptsetup open --allow-discards [/dev/sdXY] [mapping_name]

Write the --allow-discards flag into the LUKS2 header so it is applied on every later open without repeating the option (LUKS2 only)
$ cryptsetup open --allow-discards --persistent [/dev/sdXY] [mapping_name]

Open a LUKS volume and make the decrypted mapping read-only
$ cryptsetup open --readonly [/dev/sdXY] [mapping_name]

SYNOPSIS

cryptsetup open [options] device name

PARAMETERS

device
    The path to the encrypted block device (e.g., /dev/sda2, /home/user/encrypted_file).

name
    The name of the device-mapper device that will be created (e.g., my_encrypted_volume). The decrypted block device appears at /dev/mapper/name.

--type
    Specifies the on-disk format. Common types are luks (LUKS1 or LUKS2, detected from the header), plain (dm-crypt without a header), loopaes, tcrypt (TrueCrypt/VeraCrypt) and bitlk (BitLocker). If not specified, luks is assumed.

--key-file
    Reads the passphrase (for LUKS) or the raw key (for plain mode) from a file instead of prompting. Useful for unattended unlocking, but the file is then equivalent to the volume key: keep it mode 0600 and on storage that is itself encrypted or removable.

--header
    Uses the specified file as a detached LUKS header instead of reading the header from the encrypted device. Needed when the header is stored separately (e.g. on removable media) and the data device starts directly with ciphertext.

--offset
    Start of the encrypted data, in 512-byte sectors from the beginning of the device. Applies to plain and loopaes mode, which have no header to validate it: a wrong offset maps garbage without any error.

--size
    Size of the mapping, in 512-byte sectors. Also header-less modes only. Use both options with caution: writing through a mis-sized or mis-offset mapping overwrites whatever really lives there.

--readonly
    Opens the device in read-only mode.

--persistent
    LUKS2 only. Stores the activation flags given on this command line (such as --allow-discards or the --perf-* options) in the LUKS2 header, so they are applied on every later open without repeating them. It does not write to /etc/crypttab; unlocking at boot is configured there separately.

--keyfile-offset
    Specifies an offset (in bytes) within the key file.

--keyfile-size
    Specifies the size (in bytes) to read from the key file.

--allow-discards
    Passes discard (TRIM) requests through the mapping to the underlying device. Off by default because it lets the SSD (and anyone reading it) see which blocks are unused, which reveals the filesystem type, fill level and usage patterns, although not the data itself.

--perf-same_cpu_crypt
    Performance flag passed to dm-crypt: perform the encryption on the same CPU that submitted the I/O instead of on any available CPU. Related flags are --perf-submit_from_crypt_cpus, --perf-no_read_workqueue and --perf-no_write_workqueue. Measure before enabling any of them; the defaults are usually right.

DESCRIPTION

cryptsetup open sets up a device-mapper mapping from a device (or a regular file, for which cryptsetup attaches a loop device automatically) holding LUKS or other supported encrypted data to a virtual block device at /dev/mapper/name. Once the passphrase or keyfile has been accepted, the mapping behaves like any other block device: it can be probed with blkid, checked with fsck and mounted. It is the user-space front end to the kernel's dm-crypt target, which is what full-disk, partition and container-file encryption on Linux are built on. Plaintext never reaches the underlying storage; every read and write through /dev/mapper/name is decrypted or encrypted on the fly.
Tear down in reverse order: unmount the filesystem first, then run cryptsetup close name to remove the mapping and the key from the kernel. Opening a LUKS device is safe in itself, because the header lets cryptsetup verify the key and parameters. Plain mode (--type plain) has no such check: wrong options silently map garbage, and writing to such a mapping destroys the data underneath.
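The open/mount/close lifecycle described above as a runnable script. This is an added example, not code from this page or from the cryptsetup project. It assumes root and a kernel with dm-crypt, and uses constructed values: a file-backed LUKS2 container under a temporary directory, the mapping name demo_vol and a temporary mount point. The keyfile helpers at the top run unprivileged.

```shell
#!/bin/sh
# Added example, not from the cryptsetup project or this page.
# Full lifecycle: keyfile -> luksFormat -> open (with persistent TRIM flag) -> mount -> close.
# Assumptions (constructed for this example): a file-backed container under a temp dir,
# the mapping name demo_vol, and a temp mount point. luks_demo needs root and dm-crypt;
# make_keyfile and check_keyfile run unprivileged.
set -eu

# Create a keyfile that only its owner can read. On unencrypted storage the keyfile
# is the volume key, so its mode matters as much as its entropy.
make_keyfile() {           # make_keyfile <path> <bytes>
    (umask 077 && head -c "$2" /dev/urandom > "$1")
}

# Checks worth running before pointing --key-file at a file:
# it exists, group/other have no access bits, and it has the expected length.
check_keyfile() {          # check_keyfile <path> <bytes>; exit status 0 when all pass
    [ -f "$1" ] || return 1
    # ls -l prints the rwx bits in columns 2-10; columns 5-10 are the group/other bits
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ] || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$2" ]
}

# Format, open, use and close a container. Mirrors the TLDR entries above.
luks_demo() {              # luks_demo <container-file> <mapping-name> <keyfile> <mountpoint>
    container=$1 name=$2 keyfile=$3 mnt=$4

    # A sparse file stands in for /dev/sdXY; cryptsetup attaches a loop device itself.
    truncate -s 64M "$container"

    # LUKS2 format with the keyfile as the only keyslot; --batch-mode skips the confirmation prompt.
    cryptsetup luksFormat --type luks2 --batch-mode --key-file "$keyfile" "$container"

    # Open with TRIM allowed and record that flag in the LUKS2 header.
    cryptsetup open --key-file "$keyfile" --allow-discards --persistent "$container" "$name"

    # The persisted flag shows up under "Flags:" in luksDump; the mapping shows up in status.
    cryptsetup luksDump "$container" | grep -q allow-discards
    cryptsetup status "$name" | grep -q 'is active'

    # From here on /dev/mapper/<name> is an ordinary block device.
    mkfs.ext4 -q "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    echo 'plaintext lives only behind the mapping' > "$mnt/note.txt"

    # Tear down in reverse order: unmount first, then drop the mapping (and the key) from the kernel.
    umount "$mnt"
    cryptsetup close "$name"
    [ ! -e "/dev/mapper/$name" ]
}

# Run the privileged part only when asked for explicitly: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo 'luks_demo needs root' >&2; exit 1; }
    work=$(mktemp -d)
    make_keyfile "$work/vol.key" 64
    check_keyfile "$work/vol.key" 64
    luks_demo "$work/vol.img" demo_vol "$work/vol.key" "$work/mnt"
    echo "lifecycle ok; artifacts in $work"
fi
```

The script deliberately checks the keyfile before the first cryptsetup call: a world-readable keyfile does not make cryptsetup fail, so nothing else will warn you about it. The luksDump check confirms what --persistent actually did (it changed the header, not /etc/crypttab), and the final test after cryptsetup close confirms the mapping is really gone.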

CAVEATS

Plain mode (--type plain) has no on-disk header, so cryptsetup cannot detect a wrong passphrase, cipher, key size, --offset or --size: the open appears to succeed, the mapping shows garbage, and writing to it destroys the real data. Back up before experimenting with these options. A keyfile is equivalent to the volume key: keep it mode 0600 on storage that is itself encrypted or removable, and remember that --key-file makes unattended unlocking possible for anyone who can read the file. --allow-discards lets the SSD see which blocks are unused, which reveals the filesystem type, fill level and usage patterns, though not the data itself.

USAGE EXAMPLES

Example 1: Opening a LUKS-encrypted partition:
cryptsetup open /dev/sda2 my_encrypted_volume

Example 2: Opening a plain-mode container file using a keyfile (cryptsetup attaches the loop device itself):
cryptsetup open /home/user/encrypted_file my_encrypted_file --type plain --key-file /home/user/secret.key
Plain mode has no header, so in real use state --cipher and --key-size explicitly (and --hash when a passphrase rather than a keyfile is used): the defaults are set at build time, differ between distributions, and a mismatch simply maps garbage.

Example 3: Opening a LUKS-encrypted partition in read-only mode:
cryptsetup open /dev/sda2 my_readonly_volume --readonly

SEE ALSO

cryptsetup(8), cryptsetup-close(8), dmsetup(8), mount(8)
