-.TH E4CRYPT 8 "Mar 2015" "e4crypt version 1"
+.TH E4CRYPT 8 "@E2FSPROGS_MONTH@ @E2FSPROGS_YEAR@" "E2fsprogs version @E2FSPROGS_VERSION@"
.SH NAME
-e4crypt \- ext4 filesystem encryption utility
+e4crypt \- ext4 file system encryption utility
.SH SYNOPSIS
-.B e4crypt \-a \-n
-.I salt
-[
-.B \-k
-.I keyring
-]
-[
-.I path\fR ...
-]
+.B e4crypt add_key -S \fR[\fB -k \fIkeyring\fR ] [\fB-v\fR] [\fB-q\fR] \fR[\fB -p \fIpad\fR ] [ \fIpath\fR ... ]
+.br
+.B e4crypt new_session
.br
-.B e4crypt \-s
-.I policy
-.I path\fR ...
+.B e4crypt get_policy \fIpath\fR ...
+.br
+.B e4crypt set_policy \fR[\fB -p \fIpad\fR ] \fIpolicy path\fR ...
.SH DESCRIPTION
.B e4crypt
performs encryption management for ext4 file systems.
-.SH OPTIONS
-.TP
-.B \-a
-Prompts the user for a passphrase and transforms it into an ecryption
-key for use by ext4. The encryption key will be added to the specified
-keyring, with a type "logon" (which makes the key accessible to the
-user, but which does not allow the key to be returned to userspace), and
-with the descrpiptor of the key set to "ext4:" followed the encryption
-key identifer, which is composed of 16 hexadecimal characters calculated
-by taking a cryptographic hash of the key.
+.SH COMMANDS
.TP
-.B \-k
+.B e4crypt add_key \fR[\fB-vq\fR] [\fB-S\fI salt\fR ] [\fB-k \fIkeyring\fR ] [\fB -p \fIpad\fR ] [ \fIpath\fR ... ]
+Prompts the user for a passphrase and inserts it into the specified
+keyring. If no keyring is specified, e4crypt will use the session
+keyring if it exists or the user session keyring if it does not.
+.IP
+The
+.I salt
+argument is interpreted in a number of different ways, depending on how
+its prefix value. If the first two characters are "s:", then the rest
+of the argument will be used as an text string and used as the salt
+value. If the first two characters are "0x", then the rest of the
+argument will be parsed as a hex string as used as the salt. If the
+first characters are "f:" then the rest of the argument will be
+interpreted as a filename from which the salt value will be read. If
+the string begins with a '/' character, it will similarly be treated as
+filename. Finally, if the
+.I salt
+argument can be parsed as a valid UUID, then the UUID value will be used
+as a salt value.
+.IP
+The
.I keyring
-This option specifies the keyring to which the key will be added. See
-the keyctl man page for more details, but the only keyring which only
-makes sence is @u, @s, and @us, which specifies the user, session, and
-user session keyrings, respectively. By default,
-.B e4crypt
-will add the key to the session keyring if it has been establishd for
-the current process, or the user session keyring if it has not.
+argument specifies the keyring to which the key should be added.
+.IP
+The
+.I pad
+value specifies the number of bytes of padding will be added to
+directory names for obfuscation purposes. Valid
+.I pad
+values are 4, 8, 16, and 32.
+.IP
+If one or more directory paths are specified, e4crypt will try to
+set the policy of those directories to use the key just added by the
+.B add_key
+command. If a salt was explicitly specified, then it will be used
+to derive the encryption key of those directories. Otherwise a
+directory-specific default salt will be used.
.TP
-.B \-n
-.I salt
-The salt must be specified, and it should be unique for each
-passphrase. The salt consists of up to 256 hexadecimal bytes.
+.B e4crypt get_policy \fIpath\fR ...
+Print the policy for the directories specified on the command line.
.TP
-.B \-s
-Sets a policy for the directories specified on the command line.
+.B e4crypt new_session
+Give the invoking process (typically a shell) a new session keyring,
+discarding its old session keyring.
+.TP
+.B e4crypt set_policy \fR[\fB -p \fIpad\fR ] \fIpolicy path\fR ...
+Sets the policy for the directories specified on the command line.
All directories must be empty to set the policy; if the directory
-already has a policy established,
-.B e4crypt
-will validate that the policy is what was specified. A policy is an
-encryption key identifier of length 16 hexadecimal characters.
+already has a policy established, e4crypt will validate that the
+policy matches what was specified. A policy is an encryption key
+identifier consisting of 16 hexadecimal characters.
.SH AUTHOR
-Written by Michael Halcrow <mhalcrow@google.com> and Ildar Muslukhov
-<muslukhovi@gmail.com>.
+Written by Michael Halcrow <mhalcrow@google.com>, Ildar Muslukhov
+<muslukhovi@gmail.com>, and Theodore Ts'o <tytso@mit.edu>
.SH SEE ALSO
+.BR keyctl (1),
.BR mke2fs (8),
.BR mount (8).
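Review bot: the synopsis and the COMMANDS entry for add_key disagree on the salt option. The synopsis line `.B e4crypt add_key -S \fR[\fB -k \fIkeyring\fR ] ...` shows `-S` as mandatory and with no argument, while the COMMANDS line shows `[\fB-S\fI salt\fR ]` as optional with an argument; make the synopsis read `[\fB-S \fIsalt\fR]`, which also matches the later sentence "If a salt was explicitly specified ... Otherwise a directory-specific default salt will be used." The new add_key paragraph also lost a security-relevant detail: the removed text explained that the passphrase is transformed into an encryption key added with type "logon" (readable by the kernel but not returnable to userspace) and a descriptor of "ext4:" plus a 16-character key identifier, whereas the replacement says only that the passphrase "is inserted into the specified keyring". Keep the derivation and key-type wording, since the passphrase itself is not what lands in the keyring, and without the descriptor sentence the reader has no way to connect the "encryption key identifier consisting of 16 hexadecimal characters" in set_policy back to the key add_key created. Several grammar slips in the added text should be fixed before merging: "depending on how its prefix value" should be "depending on its prefix"; "used as an text string" should be "a text string"; "parsed as a hex string as used as the salt" should be "and used as the salt"; "treated as filename" needs "a filename"; "the number of bytes of padding will be added" needs "that will be added"; and the new AUTHOR line is missing its trailing period. Finally, `-v` and `-q` appear in both the synopsis and the COMMANDS line for add_key but are never described anywhere on the page; add a sentence for each.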