Mandatory options that are absent are inquired interactively, and pmt-ehd will
exit if stdin is not a terminal.
Turn on debugging strings.
Force operation that would otherwise ask for interactive confirmation. Multiple
-F can be specified to apply more force.
The cipher to be used for the filesystem. This can take any value that
cryptsetup(8) recognizes, usually in the form of "cipher-mode[-extras]".
Recommended are aes-cbc-essiv:sha256 (this is the default) or
Store the new disk image at path. If the file already exists, pmt-ehd
will prompt before overwriting unless -F is given. If path refers to a
symlink, pmt-ehd will act even more cautious.
Digest used for fskey derivation from the password. This can take any value
that OpenSSL recognizes. The default is sha1.
Cipher used for the filesystem key (not the encrypted filesystem itself). This
can take any value that OpenSSL recognizes, usually in the form of
"cipher-keysize-mode". Recommended is aes-256-cbc (this is the default).
The keysize for the cipher specified with -c. Some ciphers support multiple
keysizes, AES for example is available with at least the keysizes 192 and 256.
Example: -c aes-cbc-essiv:sha256 -k 192.
Store the filesystem key at path. The filesystem key is the ultimate key
to open the encrypted filesystem, and the fs key itself is encrypted with your
The initial size of the encrypted filesystem, in megabytes. This option is
ignored when the filesystem is created on a block device.
Filesystem to use for the encrypted filesystem. Defaults to xfs.
Give the container and fskey files to user (because the program is
usually runs as root, and the files would otherwise retain root ownership).
Do not initialize the container with random bytes. This may impact secrecy.
pmt-ehd can be used to create a new encrypted container, and replaces the
previous mkehd script as well as any HOWTOs that explain how to do it manually.
Without any arguments, pmt-ehd will interactively ask for all missing
parameters. To create a container with a size of 256 MB, use: