cryptops-api --root-device=DEV --crypt-name=LABEL [--notify-command=COMMAND]
  • The --root-device=DEV option is mandatory. DEV should be the root device of the machine, like /dev/sda or /dev/xvda.

    When the root device is still unencrypted (for example when starting cryptops-api for the first time), this should be an unpartitioned device, with the file system spanning the whole device.

    As part of the encryption process, this device will be partitioned and the encrypted contents will be stored on the second partition, but DEV should still point to the whole device, as before.

  • The --crypt-name=LABEL option is mandatory. LABEL will be used by cryptsetup to name the encrypted volume. This will be visible to the operating system, as the decrypted root disk is available at /dev/mapper/LABEL.

  • The --notify-command=COMMAND option is optional. The given COMMAND will be run whenever cryptops-api detects that the root device needs the user to enter their password to continue the booting process. You can use this to notify the user of this situation.