git.proxmox.com Git - systemd.git/blame - man/crypttab.html
Imported Upstream version 208
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>crypttab</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><style>
a.headerlink {
color: #c60f0f;
font-size: 0.8em;
padding: 0 4px 0 4px;
text-decoration: none;
visibility: hidden;
}

a.headerlink:hover {
background-color: #c60f0f;
color: white;
}

h1:hover > a.headerlink, h2:hover > a.headerlink, h3:hover > a.headerlink, dt:hover > a.headerlink {
visibility: visible;
}
</style><a href="index.html">Index </a>·
<a href="systemd.directives.html">Directives </a>·
<a href="../python-systemd/index.html">Python </a>·
<a href="../libudev/index.html">libudev </a>·
<a href="../libudev/index.html">gudev </a><span style="float:right">systemd 208</span><hr><div class="refentry"><a name="crypttab"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>crypttab — Configuration for encrypted block devices</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p><code class="filename">/etc/crypttab</code></p></div><div class="refsect1"><a name="idm274704570816"></a><h2 id="Description">Description<a class="headerlink" title="Permalink to this headline" href="#Description">¶</a></h2><p>The <code class="filename">/etc/crypttab</code> file
describes encrypted block devices that are set up
during system boot.</p><p>Empty lines and lines starting with the "<code class="literal">#</code>"
character are ignored. Each of the remaining lines
describes one encrypted block device; the fields on the
line are delimited by whitespace. The first two
fields are mandatory, the remaining two are
optional.</p><p>Setting up encrypted block devices using this file
supports three encryption modes: LUKS, TrueCrypt and plain.
See <a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
for more information about each mode. When no mode is specified
in the options field and the block device contains a LUKS
signature, it is opened as a LUKS device; otherwise, it is
assumed to be in raw dm-crypt (plain mode) format.</p><p>The first field contains the name of the
resulting encrypted block device; the device is set up
within <code class="filename">/dev/mapper/</code>.</p><p>The second field contains a path to the
underlying block device or file, or a specification of a block
device via "<code class="literal">UUID=</code>" followed by the
UUID.</p><p>The third field specifies the encryption
password. If the field is not present or the password
is set to "<code class="literal">none</code>" or "<code class="literal">-</code>",
the password has to be manually entered during system boot.
Otherwise, the field is interpreted as an absolute path to
a file containing the encryption password. For swap encryption,
<code class="filename">/dev/urandom</code> or the hardware
device <code class="filename">/dev/hw_random</code> can be used
as the password file; using
<code class="filename">/dev/random</code> may prevent boot
completion if the system does not have enough entropy
to generate a truly random encryption key.</p><p>The fourth field, if present, is a
comma-delimited list of options. The following
options are recognized:</p><div class="variablelist"><dl class="variablelist"><dt id="discard"><span class="term"><code class="varname">discard</code></span><a class="headerlink" title="Permalink to this term" href="#discard">¶</a></dt><dd><p>Allow discard requests to be
passed through the encrypted block device. This
improves performance on SSD storage but has
security implications: blocks that have been discarded
are visible as unused on the raw device, which reveals
the amount and layout of free space to anyone who can
read it.</p></dd><dt id="cipher="><span class="term"><code class="varname">cipher=</code></span><a class="headerlink" title="Permalink to this term" href="#cipher=">¶</a></dt><dd><p>Specifies the cipher to use. See
<a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
for possible values and the default value of
this option. A cipher with unpredictable IV
values, such as "<code class="literal">aes-cbc-essiv:sha256</code>",
is recommended.</p></dd><dt id="hash="><span class="term"><code class="varname">hash=</code></span><a class="headerlink" title="Permalink to this term" href="#hash=">¶</a></dt><dd><p>Specifies the hash to use for
password hashing. See
<a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
for possible values and the default value of
this option.</p></dd><dt id="keyfile-offset="><span class="term"><code class="varname">keyfile-offset=</code></span><a class="headerlink" title="Permalink to this term" href="#keyfile-offset=">¶</a></dt><dd><p>Specifies the number of bytes to
skip at the start of the key file. See
<a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
for possible values and the default value of
this option.</p></dd><dt id="keyfile-size="><span class="term"><code class="varname">keyfile-size=</code></span><a class="headerlink" title="Permalink to this term" href="#keyfile-size=">¶</a></dt><dd><p>Specifies the maximum number
of bytes to read from the key file. See
<a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
for possible values and the default value of
this option. This option is ignored in plain
encryption mode, as the key file size is then
given by the key size.</p></dd><dt id="luks"><span class="term"><code class="varname">luks</code></span><a class="headerlink" title="Permalink to this term" href="#luks">¶</a></dt><dd><p>Force LUKS mode. When this mode
is used, the following options are ignored since
they are provided by the LUKS header on the
device: <code class="varname">cipher=</code>,
<code class="varname">hash=</code>,
<code class="varname">size=</code>.</p></dd><dt id="noauto"><span class="term"><code class="varname">noauto</code></span><a class="headerlink" title="Permalink to this term" href="#noauto">¶</a></dt><dd><p>This device will not be
automatically unlocked on boot.</p></dd><dt id="nofail"><span class="term"><code class="varname">nofail</code></span><a class="headerlink" title="Permalink to this term" href="#nofail">¶</a></dt><dd><p>The system will not wait for the
device to show up and be unlocked at boot, and
will not fail the boot if it does not show up.</p></dd><dt id="plain"><span class="term"><code class="varname">plain</code></span><a class="headerlink" title="Permalink to this term" href="#plain">¶</a></dt><dd><p>Force plain encryption mode.</p></dd><dt id="read-only"><span class="term"><code class="varname">read-only</code>, </span><span class="term"><code class="varname">readonly</code></span><a class="headerlink" title="Permalink to this term" href="#read-only">¶</a></dt><dd><p>Set up the encrypted block
device in read-only mode.</p></dd><dt id="size="><span class="term"><code class="varname">size=</code></span><a class="headerlink" title="Permalink to this term" href="#size=">¶</a></dt><dd><p>Specifies the key size
in bits. See
<a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
for possible values and the default value of
this option.</p></dd><dt id="swap"><span class="term"><code class="varname">swap</code></span><a class="headerlink" title="Permalink to this term" href="#swap">¶</a></dt><dd><p>The encrypted block device will
be used as a swap device, and will be formatted
accordingly after setting up the encrypted
block device, with
<a href="mkswap.html"><span class="citerefentry"><span class="refentrytitle">mkswap</span>(8)</span></a>.
This option implies <code class="varname">plain</code>.</p><p>WARNING: Using the <code class="varname">swap</code>
option will destroy the contents of the named
partition during every boot, so make sure the
underlying block device is specified correctly.</p></dd><dt id="tcrypt"><span class="term"><code class="varname">tcrypt</code></span><a class="headerlink" title="Permalink to this term" href="#tcrypt">¶</a></dt><dd><p>Use TrueCrypt encryption mode.
When this mode is used, the following options are
ignored since they are provided by the TrueCrypt
header on the device or do not apply:
<code class="varname">cipher=</code>,
<code class="varname">hash=</code>,
<code class="varname">keyfile-offset=</code>,
<code class="varname">keyfile-size=</code>,
<code class="varname">size=</code>.</p><p>When this mode is used, the passphrase is
read from the key file given in the third field.
Only the first line of this file is read,
excluding the newline character.</p><p>Note that the TrueCrypt format uses both
passphrase and key files to derive a password
for the volume. Therefore, the passphrase and
all key files need to be provided. Use
<code class="varname">tcrypt-keyfile=</code> to provide
the absolute path to all key files. When using
an empty passphrase in combination with one or
more key files, use "<code class="literal">/dev/null</code>"
as the password file in the third field.</p></dd><dt id="tcrypt-hidden"><span class="term"><code class="varname">tcrypt-hidden</code></span><a class="headerlink" title="Permalink to this term" href="#tcrypt-hidden">¶</a></dt><dd><p>Use the hidden TrueCrypt volume.
This implies <code class="varname">tcrypt</code>.</p><p>This will map the hidden volume that is
inside the volume provided in the second
field. Please note that there is no protection
for the hidden volume if the outer volume is
mounted instead. See
<a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
for more information on this limitation.</p></dd><dt id="tcrypt-keyfile="><span class="term"><code class="varname">tcrypt-keyfile=</code></span><a class="headerlink" title="Permalink to this term" href="#tcrypt-keyfile=">¶</a></dt><dd><p>Specifies the absolute path to a
key file to use for a TrueCrypt volume. This
implies <code class="varname">tcrypt</code> and can be
used more than once to provide several key
files.</p><p>See the entry for <code class="varname">tcrypt</code>
on the behavior of the passphrase and key files
when using TrueCrypt encryption mode.</p></dd><dt id="tcrypt-system"><span class="term"><code class="varname">tcrypt-system</code></span><a class="headerlink" title="Permalink to this term" href="#tcrypt-system">¶</a></dt><dd><p>Use TrueCrypt in system
encryption mode. This implies
<code class="varname">tcrypt</code>.</p><p>Please note that when using this mode, the
whole device needs to be given in the second
field instead of the partition. For example: if
"<code class="literal">/dev/sda2</code>" is the system
encrypted TrueCrypt partition, "<code class="literal">/dev/sda</code>"
has to be given.</p></dd><dt id="timeout="><span class="term"><code class="varname">timeout=</code></span><a class="headerlink" title="Permalink to this term" href="#timeout=">¶</a></dt><dd><p>Specifies the timeout for
querying for a password. If no unit is
specified, seconds is used. Supported units are
s, ms, us, min, h, d. A timeout of 0 waits
indefinitely (which is the default).</p></dd><dt id="tmp"><span class="term"><code class="varname">tmp</code></span><a class="headerlink" title="Permalink to this term" href="#tmp">¶</a></dt><dd><p>The encrypted block device will
be prepared for use as <code class="filename">/tmp</code>;
it will be formatted using
<a href="mke2fs.html"><span class="citerefentry"><span class="refentrytitle">mke2fs</span>(8)</span></a>.
This option implies <code class="varname">plain</code>.</p><p>WARNING: Using the <code class="varname">tmp</code>
option will destroy the contents of the named
partition during every boot, so make sure the
underlying block device is specified correctly.</p></dd><dt id="tries="><span class="term"><code class="varname">tries=</code></span><a class="headerlink" title="Permalink to this term" href="#tries=">¶</a></dt><dd><p>Specifies the maximum number of
times the user is queried for a password.
The default is 3. If set to 0, the user is
queried for a password indefinitely.</p></dd><dt id="verify"><span class="term"><code class="varname">verify</code></span><a class="headerlink" title="Permalink to this term" href="#verify">¶</a></dt><dd><p>If the encryption password is
read from the console, it has to be entered twice to
prevent typos.</p></dd></dl></div><p>At early boot and when the system manager
configuration is reloaded, this file is translated into
native systemd units
by <a href="systemd-cryptsetup-generator.html"><span class="citerefentry"><span class="refentrytitle">systemd-cryptsetup-generator</span>(8)</span></a>.</p></div><div class="refsect1"><a name="idm274705151904"></a><h2 id="Example">Example<a class="headerlink" title="Permalink to this headline" href="#Example">¶</a></h2><div class="example"><a name="idm274702985200"></a><p class="title"><b>Example 1. /etc/crypttab example</b></p><div class="example-contents"><p>Set up four encrypted block devices: one using
LUKS for normal storage, one for use as a swap
device, and two TrueCrypt volumes.</p><pre class="programlisting">luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b
swap /dev/sda7 /dev/urandom swap
truecrypt /dev/sda2 /etc/container_password tcrypt
hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile</pre></div></div><br class="example-break"></div><div class="refsect1"><a name="idm274702530704"></a><h2 id="See Also">See Also<a class="headerlink" title="Permalink to this headline" href="#See%20Also">¶</a></h2><p>
<a href="systemd.html"><span class="citerefentry"><span class="refentrytitle">systemd</span>(1)</span></a>,
<a href="systemd-cryptsetup@.service.html"><span class="citerefentry"><span class="refentrytitle">systemd-cryptsetup@.service</span>(8)</span></a>,
<a href="systemd-cryptsetup-generator.html"><span class="citerefentry"><span class="refentrytitle">systemd-cryptsetup-generator</span>(8)</span></a>,
<a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>,
<a href="mkswap.html"><span class="citerefentry"><span class="refentrytitle">mkswap</span>(8)</span></a>,
<a href="mke2fs.html"><span class="citerefentry"><span class="refentrytitle">mke2fs</span>(8)</span></a>
</p></div></div></body></html>
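The field and option rules documented above are enough to write a small parser and a pre-reboot lint for a crypttab. What follows is an added example in Python, not systemd's code and not how systemd-cryptsetup-generator(8) reads the file: it applies the rules stated on this page (blank and "#" lines ignored, whitespace-separated fields with the first two mandatory, "none"/"-" or an absent third field meaning a prompt at boot, the comma-delimited option list with a repeatable tcrypt-keyfile=, the mode implied by luks/plain/swap/tmp/tcrypt-*, and the options each mode ignores) and then runs checks of its own choosing: /dev/random as a key source, swap/tmp reformatting the named device on every boot, discard, the timeout= unit list, and a password field that is neither none/- nor an absolute path. The sample crypttab, its device names and key file paths are constructed. Whether an entry without a mode option ends up LUKS or plain depends on the on-disk signature, which a file-only lint cannot see, so that case is reported as "auto".

```python
"""Parse and lint /etc/crypttab by the rules stated on this page (added example, not systemd code)."""
from __future__ import annotations
import re
from typing import NamedTuple

FLAGS = {"discard", "luks", "noauto", "nofail", "plain", "read-only", "readonly",
         "swap", "tcrypt", "tcrypt-hidden", "tcrypt-system", "tmp", "verify"}
VALUED = {"cipher", "hash", "keyfile-offset", "keyfile-size", "size",
          "tcrypt-keyfile", "timeout", "tries"}
# Options a resolved mode ignores, per the option descriptions above.
IGNORED = {"luks": {"cipher", "hash", "size"}, "plain": {"keyfile-size"},
           "tcrypt": {"cipher", "hash", "keyfile-offset", "keyfile-size", "size"}}
TIMEOUT_RE = re.compile(r"^\d+(s|ms|us|min|h|d)?$")   # bare number means seconds

class Entry(NamedTuple):
    lineno: int
    name: str                    # set up as /dev/mapper/<name>
    device: str                  # path, or UUID=<uuid>
    password: str | None         # None: passphrase is asked for at boot
    options: dict

def parse_options(text: str) -> dict:
    """Split the comma-delimited fourth field; tcrypt-keyfile= may repeat."""
    opts: dict = {}
    for item in filter(None, text.split(",")):
        key, eq, value = item.partition("=")
        if eq and key == "tcrypt-keyfile":
            opts.setdefault(key, []).append(value)
        elif eq and key in VALUED:
            opts[key] = value
        elif not eq and key in FLAGS:
            opts[key] = True
        else:
            raise ValueError(f"unknown option {item!r}")
    return opts

def parse_crypttab(text: str) -> tuple[list[Entry], list[tuple[int, str, str]]]:
    """Return the parsed entries and a list of (lineno, severity, message)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):       # blank and comment lines are ignored
            continue
        fields = line.split()
        if not 2 <= len(fields) <= 4:
            problems.append((lineno, "error", f"expected 2 to 4 fields, got {len(fields)}"))
            continue
        password = fields[2] if len(fields) > 2 and fields[2] not in ("none", "-") else None
        try:
            options = parse_options(fields[3]) if len(fields) > 3 else {}
        except ValueError as exc:
            problems.append((lineno, "error", str(exc)))
            continue
        entries.append(Entry(lineno, fields[0], fields[1], password, options))
    return entries, problems

def resolve_mode(options: dict) -> str | None:
    """luks/plain/tcrypt as the options imply it; "auto" if none given; None if they conflict."""
    implies = {"luks": {"luks"}, "plain": {"plain", "swap", "tmp"},
               "tcrypt": {"tcrypt", "tcrypt-hidden", "tcrypt-keyfile", "tcrypt-system"}}
    modes = {mode for mode, keys in implies.items() if options.keys() & keys}
    if len(modes) > 1:
        return None
    return modes.pop() if modes else "auto"

def lint(text: str) -> list[tuple[int, str, str]]:
    """Checks worth running before a reboot; which ones to run is my own selection."""
    entries, problems = parse_crypttab(text)
    for e in entries:
        def report(sev, msg, n=e.lineno):
            problems.append((n, sev, msg))
        mode = resolve_mode(e.options)
        if mode is None:
            report("error", "options select more than one of luks/plain/tcrypt")
            continue
        for opt in sorted(e.options.keys() & IGNORED.get(mode, set())):
            report("warning", f"{opt}= is ignored in {mode} mode")
        if e.password is not None and not e.password.startswith("/"):
            report("error", f"password field {e.password!r} is neither none/- nor an absolute path")
        if e.password == "/dev/random":
            report("warning", "/dev/random can stall boot when entropy is short; use /dev/urandom")
        if e.options.keys() & {"swap", "tmp"}:
            report("warning", f"{e.device} is reformatted on every boot; check it is the right device")
        if "discard" in e.options:
            report("info", "discard exposes the amount and layout of unused space on the raw device")
        if "timeout" in e.options and not TIMEOUT_RE.match(e.options["timeout"]):
            report("error", f"timeout={e.options['timeout']!r} needs a number and unit s/ms/us/min/h/d")
    return sorted(problems)

# Constructed sample: the device names and key file paths are made up.
SAMPLE = """\
# constructed sample, not a real system's crypttab
luks    UUID=2505567a-9e27-4efe-a4d5-15ad146c258b
swap    /dev/sda7   /dev/random         swap
data    /dev/sdb1   /etc/keys/data.key  luks,cipher=aes-xts-plain64,discard
tmp     /dev/sda8   /dev/urandom        tmp,keyfile-size=32
vault   /dev/sde1   none                luks,tries=2,timeout=30m,verify
bad     /dev/sdc1   keys/bad.key        luks,frobnicate
broken
"""
```

On a real system call `lint(open("/etc/crypttab").read())` and print the tuples; on the constructed sample it flags /dev/random and the reformat-on-boot warning for the swap line, cipher= being ignored under luks plus the discard note for data, keyfile-size= being ignored in plain mode for tmp, the invalid "30m" timeout unit (the page lists min, not m), the unknown option, and the one-field line. A malformed or misspelled option is reported as an error because the generator has no way to honour it, whereas an option a mode ignores is only a warning: the device will still come up, just not the way the line suggests.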