VERITYSETUP(8)               Maintenance Commands               VERITYSETUP(8)

       veritysetup - manage dm-verity (block level verification) volumes

       veritysetup <options> <action> <action args>

       Veritysetup  is  used to configure dm-verity managed device-mapper map-

       Device-mapper verity target provides  read-only  transparent  integrity
       checking of block devices using kernel crypto API.

       The dm-verity devices are always read-only.

       Veritysetup supports these operations:

       format <data_device> <hash_device>

              Calculates  and  permanently  stores  hash verification data for
              data_device.  Hash area can be located on the same device  after
              data if specified by --hash-offset option.

              Note  you  need to provide root hash string for device verifica-
              tion or activation. Root hash must be trusted.

              The data or hash device argument can be  block  device  or  file
              image.  If hash device path doesn't exist, it will be created as

              <options> can be  [--hash,  --no-superblock,  --format,  --data-
              block-size,   --hash-block-size,  --data-blocks,  --hash-offset,
              --salt, --uuid]

       create <name> <data_device> <hash_device> <root_hash>

              Creates a mapping with <name> backed by device <data_device> and
              using <hash_device> for in-kernel verification.

              The <root_hash> is a hexadecimal string.

              <options> can be [--hash-offset, --no-superblock]

              If  option  --no-superblock is used, you have to use as the same
              options as in initial format operation.

       verify <data_device> <hash_device> <root_hash>

              Verifies data on data_device with use of hash blocks  stored  on

              This  command  performs userspace verification, no kernel device
              is created.

              The <root_hash> is a hexadecimal string.

              <options> can be [--hash-offset, --no-superblock]

              If option --no-superblock is used, you have to use as  the  same
              options as in initial format operation.

       remove <name>

              Removes existing mapping <name>.

       status <name>

              Reports status for the active verity mapping <name>.

       dump <hash_device>

              Reports   parameters   of  verity  device  from  on-disk  stored

              <options> can be [--no-superblock]

       --verbose, -v
              Print more information on command execution.

              Run in debug mode with full diagnostic logs. Debug output  lines
              are always prefixed by '#'.

              Create or use dm-verity without permanent on-disk superblock.

              Specifies  the  hash  version  type.   Format type 0 is original
              Chrome OS verion. Format type 1 is current version.

              Used block size for the data device.  (Note kernel supports only
              page-size as maximum here.)

              Used block size for the hash device.  (Note kernel supports only
              page-size as maximum here.)

              Size of data device used in verification.  If not specified, the
              whole device is used.

              Offset  of  hash  area/superblock on hash_device.  Value must be
              aligned to disk sector offset.

       --salt=hex string
              Salt used for format or verification.  Format is  a  hexadecimal

              Use  the  provided UUID for format command instead of generating
              new one.

              The  UUID  must  be  provided  in  standard  UUID  format,  e.g.

              Show the program version.

       Veritysetup returns 0 on success and a non-zero value on error.

       Error  codes are: 1 wrong parameters, 2 no permission, 3 out of memory,
       4 wrong device specified, 5 device already exists or device is busy.

       Report bugs, including ones in the  documentation,  on  the  cryptsetup
       mailing  list at <> or in the 'Issues' section on LUKS
       website.  Please attach the output  of  the  failed  command  with  the
       --debug option added.

       The  first  implementation  of  veritysetup  was  written  by Chrome OS

       This version is based on verification code written by  Mikulas  Patocka
       <>  and  rewritten  for  libcryptsetup by Milan Broz

       Copyright (C) 2012-2013 Red Hat, Inc.
       Copyright (C) 2012-2014 Milan Broz

       This is free software; see the source for copying conditions.  There is
       NO  warranty;  not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR

       The project website at

       The    verity    on-disk    format    specification    available     at

veritysetup                      December 2013                  VERITYSETUP(8)
Man Pages Copyright Respective Owners. Site Copyright (C) 1994 - 2021 Hurricane Electric. All Rights Reserved.