CRYPTSETUP-ERASE(8) Maintenance Commands CRYPTSETUP-ERASE(8)

cryptsetup-erase, cryptsetup-luksErase - erase all keyslots

cryptsetup erase [<options>] <device>
cryptsetup luksErase [<options>] <device>

Erase all keyslots and make the LUKS container permanently inaccessible. Unless the device is configured with HW OPAL support you do not need to provide any password for this operation.

WARNING: This operation is irreversible.

WARNING: with --hw-opal-factory-reset ALL data is lost on the device, regardless of the partition it is ran on, if any, and regardless of any LUKS2 header backup, and does not require a valid LUKS2 header to be present on the device to run.

<options> can be [--header, --disable-locks, --hw-opal-factory-reset, --key-file].

--batch-mode, -q

Suppresses all confirmation questions. Use with care!

If the --verify-passphrase option is not specified, this option also switches off the passphrase verification.

--debug or --debug-json

Run in debug mode with full diagnostic logs. Debug output lines are always prefixed by #.

If --debug-json is used, additional LUKS2 JSON data structures are printed.

--disable-locks

Disable lock protection for metadata on disk. This option is valid only for LUKS2 and ignored for other formats.

WARNING: Do not use this option unless you run cryptsetup in a restricted environment where locking is impossible to perform (where /run directory cannot be used).

--header <device or file storing the LUKS header>

Use to specify detached LUKS2 header when erasing HW OPAL enabled data device.

--help, -?

Show help text and default parameters.

--hw-opal-factory-reset

Erase ALL data on the OPAL self-encrypted device, regardless of the partition it is ran on, if any, and does not require a valid LUKS2 header to be present on the device to run. After providing correct PSID via interactive prompt or via --key-file parameter the device is erased. PSID is usually printed on the OPAL device label (either directly or as a QR code).

--key-file, -d name (LUKS2 with HW OPAL only)

Read the Admin PIN or PSID (with --hw-opal-factory-reset) from file depending on options used.

If the name given is "-", then the secret will be read from stdin. In this case, reading will not stop at newline characters.

--usage

Show short option help.

--version, -V

Show the program version.

Report bugs at cryptsetup mailing list <cryptsetup@lists.linux.dev> or in Issues project section https://gitlab.com/cryptsetup/cryptsetup/-/issues/new.

Please attach output of the failed command with --debug option added.

Cryptsetup FAQ https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions

cryptsetup(8), integritysetup(8) and veritysetup(8)

Part of cryptsetup project https://gitlab.com/cryptsetup/cryptsetup/.

2023-11-15 cryptsetup 2.7.5