<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>crypttab</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><style>
a.headerlink {
    color: #c60f0f;
    font-size: 0.8em;
    padding: 0 4px 0 4px;
    text-decoration: none;
    visibility: hidden;
}

a.headerlink:hover {
    background-color: #c60f0f;
    color: white;
}

h1:hover > a.headerlink, h2:hover > a.headerlink, h3:hover > a.headerlink, dt:hover > a.headerlink {
    visibility: visible;
}
</style><span style="float:right">systemd 208</span><hr>
<div class="refentry"><a name="crypttab"></a><div class="titlepage"></div>
<div class="refnamediv"><h2>Name</h2><p>crypttab — Configuration for encrypted block devices</p></div>
<div class="refsynopsisdiv"><h2>Synopsis</h2><p><code class="filename">/etc/crypttab</code></p></div>
<div class="refsect1"><a name="idm274704570816"></a><h2 id="Description">Description<a class="headerlink" title="Permalink to this headline" href="#Description">¶</a></h2>
<p>The <code class="filename">/etc/crypttab</code> file
describes encrypted block devices that are set up
during system boot.</p>
<p>Empty lines and lines starting with the "<code class="literal">#</code>"
character are ignored. Each of the remaining lines
describes one encrypted block device; the fields on a
line are delimited by white space. The first two
fields are mandatory, the remaining two are
optional.</p>
<p>Setting up encrypted block devices using this file
supports three encryption modes: LUKS, TrueCrypt and plain.
See <a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
for more information about each mode. When no mode is specified
in the options field and the block device contains a LUKS
signature, it is opened as a LUKS device; otherwise, it is
assumed to be in raw dm-crypt (plain mode) format.</p>
<p>The first field contains the name of the
resulting encrypted block device; the device is set up
within <code class="filename">/dev/mapper/</code>.</p>
<p>The second field contains a path to the
underlying block device or file, or a specification of a block
device via "<code class="literal">UUID=</code>" followed by the
UUID.</p>
<p>The third field specifies the encryption
password. If the field is not present or the password
is set to "<code class="literal">none</code>" or "<code class="literal">-</code>",
the password has to be manually entered during system boot.
Otherwise, the field is interpreted as an absolute path to
a file containing the encryption password. For swap encryption,
<code class="filename">/dev/urandom</code> or the hardware
device <code class="filename">/dev/hw_random</code> can be used
as the password file; using
<code class="filename">/dev/random</code> may prevent boot
completion if the system does not have enough entropy
to generate a truly random encryption key.</p>
<p>The fourth field, if present, is a
comma-delimited list of options. The following
options are recognized:</p>
<div class="variablelist"><dl class="variablelist">
<dt id="discard"><span class="term"><code class="varname">discard</code></span><a class="headerlink" title="Permalink to this term" href="#discard">¶</a></dt>
<dd><p>Allow discard requests to be
passed through the encrypted block device. This
improves performance on SSD storage but has
security implications.</p></dd>
<dt id="cipher="><span class="term"><code class="varname">cipher=</code></span><a class="headerlink" title="Permalink to this term" href="#cipher=">¶</a></dt>
<dd><p>Specifies the cipher to use. See
<a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
for possible values and the default value of
this option. A cipher with unpredictable IV
values, such as "<code class="literal">aes-cbc-essiv:sha256</code>",
is recommended.</p></dd>
<dt id="hash="><span class="term"><code class="varname">hash=</code></span><a class="headerlink" title="Permalink to this term" href="#hash=">¶</a></dt>
<dd><p>Specifies the hash to use for
password hashing. See
<a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
for possible values and the default value of
this option.</p></dd>
<dt id="keyfile-offset="><span class="term"><code class="varname">keyfile-offset=</code></span><a class="headerlink" title="Permalink to this term" href="#keyfile-offset=">¶</a></dt>
<dd><p>Specifies the number of bytes to
skip at the start of the key file. See
<a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
for possible values and the default value of
this option.</p></dd>
<dt id="keyfile-size="><span class="term"><code class="varname">keyfile-size=</code></span><a class="headerlink" title="Permalink to this term" href="#keyfile-size=">¶</a></dt>
<dd><p>Specifies the maximum number
of bytes to read from the key file. See
<a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
for possible values and the default value of
this option. This option is ignored in plain
encryption mode, as the key file size is then
given by the key size.</p></dd>
<dt id="luks"><span class="term"><code class="varname">luks</code></span><a class="headerlink" title="Permalink to this term" href="#luks">¶</a></dt>
<dd><p>Force LUKS mode. When this mode
is used, the following options are ignored since
they are provided by the LUKS header on the
device: <code class="varname">cipher=</code>,
<code class="varname">hash=</code>,
<code class="varname">size=</code>.</p></dd>
<dt id="noauto"><span class="term"><code class="varname">noauto</code></span><a class="headerlink" title="Permalink to this term" href="#noauto">¶</a></dt>
<dd><p>This device will not be
automatically unlocked on boot.</p></dd>
<dt id="nofail"><span class="term"><code class="varname">nofail</code></span><a class="headerlink" title="Permalink to this term" href="#nofail">¶</a></dt>
<dd><p>The system will not wait for the
device to show up and be unlocked at boot, and
not fail the boot if it does not show up.</p></dd>
<dt id="plain"><span class="term"><code class="varname">plain</code></span><a class="headerlink" title="Permalink to this term" href="#plain">¶</a></dt>
<dd><p>Force plain encryption mode.</p></dd>
<dt id="read-only"><span class="term"><code class="varname">read-only</code>, </span><span class="term"><code class="varname">readonly</code></span><a class="headerlink" title="Permalink to this term" href="#read-only">¶</a></dt>
<dd><p>Set up the encrypted block
device in read-only mode.</p></dd>
<dt id="size="><span class="term"><code class="varname">size=</code></span><a class="headerlink" title="Permalink to this term" href="#size=">¶</a></dt>
<dd><p>Specifies the key size
in bits. See
<a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
for possible values and the default value of
this option.</p></dd>
<dt id="swap"><span class="term"><code class="varname">swap</code></span><a class="headerlink" title="Permalink to this term" href="#swap">¶</a></dt>
<dd><p>The encrypted block device will
be used as a swap device, and will be formatted
accordingly after setting up the encrypted
block device, with
<a href="mkswap.html"><span class="citerefentry"><span class="refentrytitle">mkswap</span>(8)</span></a>.
This option implies <code class="varname">plain</code>.</p>
<p>WARNING: Using the <code class="varname">swap</code>
option will destroy the contents of the named
partition during every boot, so make sure the
underlying block device is specified correctly.</p></dd>
<dt id="tcrypt"><span class="term"><code class="varname">tcrypt</code></span><a class="headerlink" title="Permalink to this term" href="#tcrypt">¶</a></dt>
<dd><p>Use TrueCrypt encryption mode.
When this mode is used, the following options are
ignored since they are provided by the TrueCrypt
header on the device or do not apply:
<code class="varname">cipher=</code>,
<code class="varname">hash=</code>,
<code class="varname">keyfile-offset=</code>,
<code class="varname">keyfile-size=</code>,
<code class="varname">size=</code>.</p>
<p>When this mode is used, the passphrase is
read from the key file given in the third field.
Only the first line of this file is read,
excluding the newline character.</p>
<p>Note that the TrueCrypt format uses both
passphrase and key files to derive a password
for the volume. Therefore, the passphrase and
all key files need to be provided. Use
<code class="varname">tcrypt-keyfile=</code> to provide
the absolute path to all key files. When using
an empty passphrase in combination with one or
more key files, use "<code class="literal">/dev/null</code>"
as the password file in the third field.</p></dd>
<dt id="tcrypt-hidden"><span class="term"><code class="varname">tcrypt-hidden</code></span><a class="headerlink" title="Permalink to this term" href="#tcrypt-hidden">¶</a></dt>
<dd><p>Use the hidden TrueCrypt volume.
This implies <code class="varname">tcrypt</code>.</p>
<p>This will map the hidden volume that is
inside of the volume provided in the second
field. Please note that there is no protection
for the hidden volume if the outer volume is
mounted instead. See
<a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
for more information on this limitation.</p></dd>
<dt id="tcrypt-keyfile="><span class="term"><code class="varname">tcrypt-keyfile=</code></span><a class="headerlink" title="Permalink to this term" href="#tcrypt-keyfile=">¶</a></dt>
<dd><p>Specifies the absolute path to a
key file to use for a TrueCrypt volume. This
implies <code class="varname">tcrypt</code> and can be
used more than once to provide several key
files.</p>
<p>See the entry for <code class="varname">tcrypt</code>
on the behavior of the passphrase and key files
when using TrueCrypt encryption mode.</p></dd>
<dt id="tcrypt-system"><span class="term"><code class="varname">tcrypt-system</code></span><a class="headerlink" title="Permalink to this term" href="#tcrypt-system">¶</a></dt>
<dd><p>Use TrueCrypt in system
encryption mode. This implies
<code class="varname">tcrypt</code>.</p>
<p>Please note that when using this mode, the
whole device needs to be given in the second
field instead of the partition. For example: if
"<code class="literal">/dev/sda2</code>" is the system
encrypted TrueCrypt partition, "<code class="literal">/dev/sda</code>"
has to be given.</p></dd>
<dt id="timeout="><span class="term"><code class="varname">timeout=</code></span><a class="headerlink" title="Permalink to this term" href="#timeout=">¶</a></dt>
<dd><p>Specifies the timeout for
querying for a password. If no unit is
specified, seconds are used. Supported units are
s, ms, us, min, h, d. A timeout of 0 waits
indefinitely (which is the default).</p></dd>
<dt id="tmp"><span class="term"><code class="varname">tmp</code></span><a class="headerlink" title="Permalink to this term" href="#tmp">¶</a></dt>
<dd><p>The encrypted block device will
be prepared for using it as <code class="filename">/tmp</code>;
it will be formatted using
<a href="mke2fs.html"><span class="citerefentry"><span class="refentrytitle">mke2fs</span>(8)</span></a>.
This option implies <code class="varname">plain</code>.</p>
<p>WARNING: Using the <code class="varname">tmp</code>
option will destroy the contents of the named
partition during every boot, so make sure the
underlying block device is specified correctly.</p></dd>
<dt id="tries="><span class="term"><code class="varname">tries=</code></span><a class="headerlink" title="Permalink to this term" href="#tries=">¶</a></dt>
<dd><p>Specifies the maximum number of
times the user is queried for a password.
The default is 3. If set to 0, the user is
queried for a password indefinitely.</p></dd>
<dt id="verify"><span class="term"><code class="varname">verify</code></span><a class="headerlink" title="Permalink to this term" href="#verify">¶</a></dt>
<dd><p>If the encryption password is
read from console, it has to be entered twice to
prevent typos.</p></dd>
</dl></div>
<p>At early boot and when the system manager
configuration is reloaded, this file is translated into
native systemd units
by <a href="systemd-cryptsetup-generator.html"><span class="citerefentry"><span class="refentrytitle">systemd-cryptsetup-generator</span>(8)</span></a>.</p></div>
<div class="refsect1"><a name="idm274705151904"></a><h2 id="Example">Example<a class="headerlink" title="Permalink to this headline" href="#Example">¶</a></h2>
<div class="example"><a name="idm274702985200"></a><p class="title"><b>Example 1. /etc/crypttab example</b></p>
<div class="example-contents"><p>Set up four encrypted block devices. One using
LUKS for normal storage, another one for usage as a swap
device and two TrueCrypt volumes.</p>
<pre class="programlisting">luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b
swap /dev/sda7 /dev/urandom swap
truecrypt /dev/sda2 /etc/container_password tcrypt
hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile</pre></div></div><br class="example-break"></div>
<div class="refsect1"><a name="idm274702530704"></a><h2 id="See Also">See Also<a class="headerlink" title="Permalink to this headline" href="#See%20Also">¶</a></h2><p>
<a href="systemd.html"><span class="citerefentry"><span class="refentrytitle">systemd</span>(1)</span></a>,
<a href="systemd-cryptsetup@.service.html"><span class="citerefentry"><span class="refentrytitle">systemd-cryptsetup@.service</span>(8)</span></a>,
<a href="systemd-cryptsetup-generator.html"><span class="citerefentry"><span class="refentrytitle">systemd-cryptsetup-generator</span>(8)</span></a>,
<a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>,
<a href="mkswap.html"><span class="citerefentry"><span class="refentrytitle">mkswap</span>(8)</span></a>,
<a href="mke2fs.html"><span class="citerefentry"><span class="refentrytitle">mke2fs</span>(8)</span></a>
</p></div></div></body></html>
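The field and option rules of the crypttab format described in this man page, worked through as an added example that is not systemd's own code: a small Python parser and linter for /etc/crypttab. It applies the documented rules (blank and "#" lines ignored, white-space-delimited fields with two mandatory and two optional, a missing, "none" or "-" password meaning an interactive prompt at boot, a comma-delimited option list, the modes implied by swap, tmp and the tcrypt-* options, and timeout= units) and flags the pitfalls the page itself calls out: swap/tmp reformatting the named device every boot, /dev/random stalling boot on low entropy, discard's security implications, non-absolute key file paths, and cipher=/hash=/size= being ignored in LUKS mode. The option tables, the Entry class, lint() and the sample crypttab text are constructed for this example; the sample is modelled on Example 1 above with one extra LUKS line added to exercise option handling.

```python
"""Parser and linter for /etc/crypttab, following the rules in crypttab(5).
Added example, not systemd code: lint() flags only pitfalls the man page itself
names (swap/tmp wiping the device, /dev/random stalling boot, discard, relative
key paths, cipher=/hash=/size= being ignored in LUKS mode)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Option names from the man page: VALUE_OPTS take "key=value", FLAG_OPTS are bare.
VALUE_OPTS = {"cipher", "hash", "keyfile-offset", "keyfile-size", "size",
              "tcrypt-keyfile", "timeout", "tries"}
FLAG_OPTS = {"discard", "luks", "noauto", "nofail", "plain", "read-only", "readonly",
             "swap", "tcrypt", "tcrypt-hidden", "tcrypt-system", "tmp", "verify"}
TIME_UNITS = {"s": 1.0, "ms": 1e-3, "us": 1e-6, "min": 60.0, "h": 3600.0, "d": 86400.0}

@dataclass
class Entry:
    name: str                    # field 1: name under /dev/mapper/
    device: str                  # field 2: device path, file, or UUID=...
    password: Optional[str]      # field 3: key file path; None = prompt at boot
    options: dict = field(default_factory=dict)
    mode: str = "auto"           # luks | plain | tcrypt | auto (LUKS signature decides)
    warnings: list = field(default_factory=list)

def parse_timeout(text: str) -> float:
    """timeout= in seconds; a bare number is seconds, 0 means wait indefinitely."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(s|ms|us|min|h|d)?", text)
    if not m:
        raise ValueError(f"bad timeout value: {text!r}")
    return float(m.group(1)) * TIME_UNITS[m.group(2) or "s"]

def parse_options(text: str) -> dict:
    """Split the comma-delimited fourth field; unknown options are rejected."""
    opts: dict = {}
    for item in filter(None, text.split(",")):
        key, sep, value = item.partition("=")
        if sep and key in VALUE_OPTS:
            if key == "tcrypt-keyfile":      # may be given more than once
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = value
        elif not sep and key in FLAG_OPTS:
            opts[key] = True
        else:
            raise ValueError(f"unknown crypttab option {item!r}")
    if "timeout" in opts:
        opts["timeout"] = parse_timeout(opts["timeout"])
    return opts

def lint(e: Entry) -> None:
    # Warnings for the pitfalls the man page calls out (no checks beyond the page).
    o = e.options
    if (o.get("swap") or o.get("tmp")) and not e.device.startswith("UUID="):
        e.warnings.append("swap/tmp wipes the device every boot; refer to it by UUID=, not a path")
    if e.password == "/dev/random":
        e.warnings.append("/dev/random may stall boot on low entropy; use /dev/urandom")
    if e.password and not e.password.startswith("/"):
        e.warnings.append(f"key file {e.password!r} is not an absolute path")
    if o.get("discard"):
        e.warnings.append("discard passes TRIM through the mapping (security implications)")
    if e.mode == "luks":
        for k in ("cipher", "hash", "size"):
            if k in o:
                e.warnings.append(f"{k}= is ignored in LUKS mode; the LUKS header decides")

def parse_line(line: str) -> Optional[Entry]:
    """Parse one line; returns None for blank lines and '#' comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()            # fields are delimited by white space
    if not 2 <= len(fields) <= 4:
        raise ValueError(f"expected 2 to 4 fields, got {len(fields)}: {line!r}")
    password = fields[2] if len(fields) > 2 else None
    if password in ("none", "-"):    # both mean "ask at boot"
        password = None
    e = Entry(fields[0], fields[1], password,
              parse_options(fields[3]) if len(fields) > 3 else {})
    o = e.options                    # implied modes, as documented for each option
    if "luks" in o:
        e.mode = "luks"
    elif any(k in o for k in ("tcrypt", "tcrypt-hidden", "tcrypt-system", "tcrypt-keyfile")):
        e.mode = "tcrypt"
    elif any(k in o for k in ("plain", "swap", "tmp")):
        e.mode = "plain"
    lint(e)
    return e

def parse_crypttab(text: str) -> list:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

# Constructed sample: the page's Example 1 plus one LUKS line that carries options.
SAMPLE = """\
# name     device                                     password                 options
luks       UUID=2505567a-9e27-4efe-a4d5-15ad146c258b
swap       /dev/sda7                                  /dev/urandom             swap
truecrypt  /dev/sda2                                  /etc/container_password  tcrypt
hidden     /mnt/tc_hidden                             /dev/null                tcrypt-hidden,tcrypt-keyfile=/etc/keyfile
data       UUID=00000000-0000-4000-8000-000000000000  -                        luks,discard,tries=5,timeout=30s,cipher=aes-cbc-essiv:sha256
"""

if __name__ == "__main__":
    for entry in parse_crypttab(SAMPLE):
        print(entry.name, entry.mode, entry.password, entry.options, entry.warnings)
```

Running the module prints one line per entry; the swap line draws a warning because /dev/sda7 is named by path, and the constructed "data" line draws two: discard is enabled, and cipher= is set even though the luks option makes the LUKS header authoritative. The linter deliberately rejects unknown options rather than ignoring them, which is the behaviour a practitioner wants when auditing a crypttab that has to be correct before the next reboot.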