CLI reference
Every subcommand of `luksbox`, with examples.
The luksbox binary is a single CLI with subcommands for every
vault operation. Run luksbox --help for the always-current list,
or luksbox <subcommand> --help for per-subcommand detail.
Subcommand index
| Command | Purpose |
|---|---|
create |
Create a new encrypted container with the first keyslot |
open |
Decrypt the header + slot, leave the vault open for follow-up commands |
mount |
Mount the vault as a real drive (FUSE on Linux/macOS, WinFsp on Windows) |
umount |
Unmount a previously-mounted vault |
enroll |
Add a new keyslot to an existing vault (passphrase, FIDO2, TPM 2.0, or any hybrid PQ variant) |
wizard |
Launch the interactive TUI - no flags to remember |
revoke |
Disable a keyslot without rotating the MVK |
rotate-mvk |
Generate a new MVK and re-wrap every active keyslot under it |
migrate-fido2-slot |
Migrate a pre-v0.3.0 FIDO2 keyslot to the cross-platform V4 convention |
put |
Add a file to the vault |
get |
Extract a file from the vault |
ls |
List directory contents inside the vault |
rm |
Remove a file from the vault |
info |
Show vault metadata (cipher, KDF, slot table) |
list-fido2-devices |
Enumerate plugged-in FIDO2 authenticators with their device paths |
kyber-init |
Generate a new .kyber seed file for hybrid-PQ vaults |
Forensic and partial-recovery subcommands
These five live in their own section because they are post-incident tools, not day-to-day operations. See the forensics page for the workflow that ties them together.
| Command | Purpose |
|---|---|
header-backup |
Save the 8 KiB header bytes to a separate file. Equivalent to cryptsetup luksHeaderBackup |
header-restore |
Restore the on-disk header from a previously saved backup (HMAC-verified by default) |
header-dump |
Decrypt the metadata blob and emit a JSON tree of every inode, chunk reference, and keyslot summary |
check |
Walk every used chunk, AEAD-decrypt it, report per-chunk status. Read-only |
extract |
Forensic best-effort extract: same as get but tolerates per-chunk AEAD failures (with explicit --tolerate-errors flag) |
Common flags
| Flag | Used by | Purpose |
|---|---|---|
--header <path> |
most | Detached header (default: header inline at start of .lbx) |
--cipher <aes|chacha|aes-siv> |
create |
AEAD primitive (default: aes-siv = AES-256-GCM-SIV) |
--kdf <interactive|sensitive> |
create, enroll |
Argon2id preset |
--fido2-device <path> |
FIDO2 ops | Pin a specific authenticator (use list-fido2-devices to find paths) |
--kind <slot-kind> |
create, enroll |
Pick the keyslot kind: passphrase / fido2 / tpm2 / tpm2-pin / tpm2-fido2 / hybrid-pq / hybrid-pq-fido2 / hybrid-pq-tpm2 / hybrid-pq-tpm2-fido2 (and the 1024 variants of each hybrid) |
--pq-hybrid <kyber-path> |
hybrid-PQ ops | Path to the .kyber seed file |
--sync |
mount, deniable-mount |
Eager flush: every metadata-mutating op is durable on return. Default is deferred (a 30 s background timer drives flushes), which keeps rm / cp -r fast on vaults with thousands of files. See mount -> Flush policy. |
Environment variables
| Variable | Purpose |
|---|---|
LUKSBOX_PASSPHRASE |
Read existing passphrase from env (avoids tty prompt; useful for scripts) |
LUKSBOX_NEW_PASSPHRASE |
Read a new passphrase (e.g. for create or enroll --passphrase) |
LUKSBOX_FIDO2_PIN |
Provide the FIDO2 PIN non-interactively |
LUKSBOX_TEST_FAST_KDF |
Override Argon2id to weak-test parameters - debug builds only, compiled out of release binaries |
LUKSBOX_NO_FOLLOW_SYMLINKS |
Refuse to open vaults whose path is a symlink (paranoid mode) |
For full per-subcommand help: luksbox <subcommand> --help.
- luksbox create Create a new encrypted container.
- luksbox open Unlock a vault and run a follow-up command (or just verify it opens).
- luksbox mount Mount a vault as a real drive (FUSE / WinFsp).
- luksbox enroll Add a new keyslot to an existing vault.
- luksbox migrate-fido2-slot Migrate a pre-v0.3.0 FIDO2 keyslot to the cross-platform v0.3.0 (V4) wire convention.
- luksbox revoke Disable a keyslot without rotating the MVK.
- luksbox rotate-mvk Generate a fresh master volume key, re-encrypt the vault.
- luksbox header-backup Save a copy of the 8 KiB header bytes for offline recovery.
- luksbox header-restore Replace a damaged on-disk header with a previously saved backup.
- luksbox header-dump Decrypt the metadata blob and emit a JSON tree of every inode and chunk reference.
- luksbox check Walk every used chunk in the vault, AEAD-decrypt it, and report per-chunk status.
- luksbox extract --tolerate-errors Forensic best-effort extract: recover what is still readable from a partly-corrupted file.