LinuxCommandLibrary

cryptsetup-open

Unlock and map a block device

TLDR

Open a LUKS volume and create a decrypted mapping at /dev/mapper/mapping_name

$ cryptsetup open [/dev/sdXY] [mapping_name]

Use a keyfile instead of a passphrase
$ cryptsetup open [[-k|--key-file]] [path/to/file] [/dev/sdXY] [mapping_name]

Allow the use of TRIM on the device
$ cryptsetup open --allow-discards [/dev/sdXY] [mapping_name]

Write the --allow-discards option into the LUKS header (the option will then always be used when you open the device)
$ cryptsetup open --allow-discards --persistent [/dev/sdXY] [mapping_name]

Open a LUKS volume and make the decrypted mapping read-only
$ cryptsetup open [[-r|--readonly]] [/dev/sdXY] [mapping_name]

SYNOPSIS

cryptsetup open [options] SOURCE NAME

PARAMETERS

--type, -T TYPE
    Encryption type: luks (default), plain, verity, tcw, bitlk.

--test-passphrase
    Test passphrase validity without activating device.

--key-file, -k FILE
    Read passphrase from file instead of stdin.

--key-file-size N
    Size of keyfile data to read in bytes (default 1024).

--key-slot, -S SLOT
    Select specific LUKS keyslot (0-32).

--header HEADER
    Use detached LUKS header from device or file.

--verify-passphrase
    Prompt for passphrase twice to verify.

--tries, -t N
    Maximum passphrase attempts (default 3).

--timeout SEC
    Password prompt timeout in seconds.

--allow-discards
    Enable TRIM/discard commands (use with caution).

-v, --verbose
    Enable verbose output.

-q, --quiet
    Suppress non-error messages.

--debug
    Enable debug output.

DESCRIPTION

cryptsetup open activates an encrypted block device, creating a decrypted mapping under /dev/mapper/ using the Linux device-mapper (dm-crypt) subsystem. It supports LUKS (the standard for Linux disk encryption), plain dm-crypt, TrueCrypt/VeraCrypt, BitLocker, and Verity integrity devices via the --type option.

The command prompts for a passphrase (or uses a keyfile) to unlock the device. For LUKS, it manages keyslots and headers. Once opened, the decrypted device behaves like a normal block device, suitable for mounting filesystems.

Key uses include manual unlocking of encrypted partitions, boot-time scripts (e.g., via initramfs), and scripted setups. It performs on-the-fly encryption/decryption with configurable ciphers, modes (e.g., XTS), and performance tweaks like discard support for SSDs.

Run as root; the command modifies the kernel's device-mapper tables atomically. Always close mappings with cryptsetup close when done: this frees resources and removes the decrypted mapping, so the plaintext device is no longer reachable.
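
The keyfile, --test-passphrase, read-only and close steps described above combined into one script, as an added example that is not part of the original page. The keyfile permission policy, the CRYPTSETUP override, the return codes and the script name open-ro.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. CRYPTSETUP can be overridden
# (an assumption of this example) so the logic can be exercised without root.
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}

# keyfile_ok FILE: succeed only for a regular, non-symlink file that grants
# no permissions to group or others (policy chosen for this example).
keyfile_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld -- "$1") in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# open_readonly KEYFILE DEVICE NAME
# Returns 2 for a rejected keyfile, 3 if the key does not unlock the
# volume, 4 if activation fails (return codes are this example's own).
open_readonly() {
    kf=$1 dev=$2 name=$3
    keyfile_ok "$kf" || { echo "refusing keyfile: $kf" >&2; return 2; }
    # Check the key against the LUKS header without creating a mapping.
    $CRYPTSETUP open --test-passphrase --key-file "$kf" "$dev" || return 3
    # Activate the mapping read-only at /dev/mapper/NAME.
    $CRYPTSETUP open --readonly --key-file "$kf" "$dev" "$name" || return 4
}

# close_mapping NAME: remove the decrypted mapping.
close_mapping() {
    $CRYPTSETUP close "$1"
}

# Usage as a script: open-ro.sh KEYFILE DEVICE NAME COMMAND [ARGS...]
# Runs COMMAND while the mapping is open and closes it on exit.
if [ "$#" -gt 3 ]; then
    map_name=$3
    open_readonly "$1" "$2" "$map_name" || exit $?
    trap 'close_mapping "$map_name"' EXIT
    shift 3
    "$@"
fi
```

Because the close runs from an EXIT trap, the mapping is removed even when the wrapped command fails.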

CAVEATS

Requires root privileges. The source device must not be in use. Once the limit of wrong passphrase attempts is reached, the command fails. Discards may leak data on worn SSDs.

EXAMPLES

cryptsetup open /dev/sdb1 mycrypt
Opens the LUKS volume /dev/sdb1 as /dev/mapper/mycrypt (prompts for a passphrase).

cryptsetup open --type plain --key-file keyfile.img /dev/sdc1 plainmap
Opens a plain dm-crypt device with a keyfile.

HISTORY

Introduced in cryptsetup 1.0.0 (2005) with LUKS support; later versions added VeraCrypt (2.0+, 2017), BitLocker, and performance options. Maintained by Milan Broz.
