crypttab.html 18.4 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>crypttab</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><style>
    a.headerlink {
      color: #c60f0f;
      font-size: 0.8em;
      padding: 0 4px 0 4px;
      text-decoration: none;
      visibility: hidden;
    }

    a.headerlink:hover {
      background-color: #c60f0f;
      color: white;
    }

    h1:hover > a.headerlink, h2:hover > a.headerlink, h3:hover > a.headerlink, dt:hover > a.headerlink {
      visibility: visible;
    }
  </style><a href="index.html">Index </a>·
  <a href="systemd.directives.html">Directives </a>·
  <a href="../python-systemd/index.html">Python </a>·
  <a href="../libudev/index.html">libudev </a>·
Michael Biebl's avatar
Michael Biebl committed
22
  <a href="../libudev/index.html">gudev </a><span style="float:right">systemd 215</span><hr><div class="refentry"><a name="crypttab"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>crypttab — Configuration for encrypted block devices</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p><code class="filename">/etc/crypttab</code></p></div><div class="refsect1"><a name="idm214179029408"></a><h2 id="Description">Description<a class="headerlink" title="Permalink to this headline" href="#Description"></a></h2><p>The <code class="filename">/etc/crypttab</code> file
23
                describes encrypted block devices that are set up
Michael Biebl's avatar
Michael Biebl committed
24
                during system boot.</p><p>Empty lines and lines starting with the "<code class="literal">#</code>"
25 26 27 28
                character are ignored.  Each of the remaining lines
                describes one encrypted block device, fields on the
                line are delimited by white space.  The first two
                fields are mandatory, the remaining two are
Michael Biebl's avatar
Michael Biebl committed
29 30 31 32 33 34 35
                optional.</p><p>Setting up encrypted block devices using this file
                supports three encryption modes: LUKS, TrueCrypt and plain.
                See <a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
                for more information about each mode. When no mode is specified
                in the options field and the block device contains a LUKS
                signature, it is opened as a LUKS device; otherwise, it is
                assumed to be in raw dm-crypt (plain mode) format.</p><p>The first field contains the name of the
36 37
                resulting encrypted block device; the device is set up
                within <code class="filename">/dev/mapper/</code>.</p><p>The second field contains a path to the
Michael Biebl's avatar
Michael Biebl committed
38 39 40
                underlying block device or file, or a specification of a block
                device via "<code class="literal">UUID=</code>" followed by the
                UUID.</p><p>The third field specifies the encryption
41
                password.  If the field is not present or the password
Michael Biebl's avatar
Michael Biebl committed
42 43 44 45
                is set to "<code class="literal">none</code>" or "<code class="literal">-</code>",
                the password has to be manually entered during system boot.
                Otherwise, the field is interpreted as a absolute path to
                a file containing the encryption password. For swap encryption,
46 47 48 49 50 51 52
                <code class="filename">/dev/urandom</code> or the hardware
                device <code class="filename">/dev/hw_random</code> can be used
                as the password file; using
                <code class="filename">/dev/random</code> may prevent boot
                completion if the system does not have enough entropy
                to generate a truly random encryption key.</p><p>The fourth field, if present, is a
                comma-delimited list of options.  The following
Michael Biebl's avatar
Michael Biebl committed
53
                options are recognized:</p><div class="variablelist"><dl class="variablelist"><dt id="discard"><span class="term"><code class="option">discard</code></span><a class="headerlink" title="Permalink to this term" href="#discard"></a></dt><dd><p>Allow discard requests to be
Michael Biebl's avatar
Michael Biebl committed
54 55
                                passed through the encrypted block device. This
                                improves performance on SSD storage but has
Michael Biebl's avatar
Michael Biebl committed
56
                                security implications.</p></dd><dt id="cipher="><span class="term"><code class="option">cipher=</code></span><a class="headerlink" title="Permalink to this term" href="#cipher="></a></dt><dd><p>Specifies the cipher to use. See
57
                                <a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
Michael Biebl's avatar
Michael Biebl committed
58 59 60
                                for possible values and the default value of
                                this option. A cipher with unpredictable IV
                                values, such as "<code class="literal">aes-cbc-essiv:sha256</code>",
Michael Biebl's avatar
Michael Biebl committed
61
                                is recommended.</p></dd><dt id="hash="><span class="term"><code class="option">hash=</code></span><a class="headerlink" title="Permalink to this term" href="#hash="></a></dt><dd><p>Specifies the hash to use for
Michael Biebl's avatar
Michael Biebl committed
62
                                password hashing. See
63
                                <a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
Michael Biebl's avatar
Michael Biebl committed
64
                                for possible values and the default value of
Michael Biebl's avatar
Michael Biebl committed
65
                                this option.</p></dd><dt id="keyfile-offset="><span class="term"><code class="option">keyfile-offset=</code></span><a class="headerlink" title="Permalink to this term" href="#keyfile-offset="></a></dt><dd><p>Specifies the number of bytes to
Michael Biebl's avatar
Michael Biebl committed
66
                                skip at the start of the key file. See
67
                                <a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
Michael Biebl's avatar
Michael Biebl committed
68
                                for possible values and the default value of
Michael Biebl's avatar
Michael Biebl committed
69
                                this option.</p></dd><dt id="keyfile-size="><span class="term"><code class="option">keyfile-size=</code></span><a class="headerlink" title="Permalink to this term" href="#keyfile-size="></a></dt><dd><p>Specifies the maximum number
Michael Biebl's avatar
Michael Biebl committed
70
                                of bytes to read from the key file. See
71
                                <a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
Michael Biebl's avatar
Michael Biebl committed
72 73 74
                                for possible values and the default value of
                                this option. This option is ignored in plain
                                encryption mode, as the key file size is then
Michael Biebl's avatar
Michael Biebl committed
75
                                given by the key size.</p></dd><dt id="key-slot="><span class="term"><code class="option">key-slot=</code></span><a class="headerlink" title="Permalink to this term" href="#key-slot="></a></dt><dd><p>Specifies the key slot to
76 77 78 79
                                compare the passphrase or key against.
                                If the key slot does not match the given
                                passphrase or key, but another would, the
                                setup of the device will fail regardless.
Michael Biebl's avatar
Michael Biebl committed
80
                                This option implies <code class="option">luks</code>. See
81 82
                                <a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
                                for possible values. The default is to try
Michael Biebl's avatar
Michael Biebl committed
83
                                all key slots in sequential order.</p></dd><dt id="luks"><span class="term"><code class="option">luks</code></span><a class="headerlink" title="Permalink to this term" href="#luks"></a></dt><dd><p>Force LUKS mode. When this mode
Michael Biebl's avatar
Michael Biebl committed
84 85
                                is used, the following options are ignored since
                                they are provided by the LUKS header on the
Michael Biebl's avatar
Michael Biebl committed
86 87 88 89
                                device: <code class="option">cipher=</code>,
                                <code class="option">hash=</code>,
                                <code class="option">size=</code>.</p></dd><dt id="noauto"><span class="term"><code class="option">noauto</code></span><a class="headerlink" title="Permalink to this term" href="#noauto"></a></dt><dd><p>This device will not be
                                automatically unlocked on boot.</p></dd><dt id="nofail"><span class="term"><code class="option">nofail</code></span><a class="headerlink" title="Permalink to this term" href="#nofail"></a></dt><dd><p>The system will not wait for the
Michael Biebl's avatar
Michael Biebl committed
90
                                device to show up and be unlocked at boot, and
Michael Biebl's avatar
Michael Biebl committed
91 92
                                not fail the boot if it does not show up.</p></dd><dt id="plain"><span class="term"><code class="option">plain</code></span><a class="headerlink" title="Permalink to this term" href="#plain"></a></dt><dd><p>Force plain encryption mode.</p></dd><dt id="read-only"><span class="term"><code class="option">read-only</code>, </span><span class="term"><code class="option">readonly</code></span><a class="headerlink" title="Permalink to this term" href="#read-only"></a></dt><dd><p>Set up the encrypted block
                                device in read-only mode.</p></dd><dt id="size="><span class="term"><code class="option">size=</code></span><a class="headerlink" title="Permalink to this term" href="#size="></a></dt><dd><p>Specifies the key size
Michael Biebl's avatar
Michael Biebl committed
93 94 95
                                in bits. See
                                <a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
                                for possible values and the default value of
Michael Biebl's avatar
Michael Biebl committed
96
                                this option.</p></dd><dt id="swap"><span class="term"><code class="option">swap</code></span><a class="headerlink" title="Permalink to this term" href="#swap"></a></dt><dd><p>The encrypted block device will
Michael Biebl's avatar
Michael Biebl committed
97 98 99 100
                                be used as a swap device, and will be formatted
                                accordingly after setting up the encrypted
                                block device, with
                                <a href="mkswap.html"><span class="citerefentry"><span class="refentrytitle">mkswap</span>(8)</span></a>.
Michael Biebl's avatar
Michael Biebl committed
101
                                This option implies <code class="option">plain</code>.</p><p>WARNING: Using the <code class="option">swap</code>
Michael Biebl's avatar
Michael Biebl committed
102 103
                                option will destroy the contents of the named
                                partition during every boot, so make sure the
Michael Biebl's avatar
Michael Biebl committed
104
                                underlying block device is specified correctly.</p></dd><dt id="tcrypt"><span class="term"><code class="option">tcrypt</code></span><a class="headerlink" title="Permalink to this term" href="#tcrypt"></a></dt><dd><p>Use TrueCrypt encryption mode.
Michael Biebl's avatar
Michael Biebl committed
105 106 107
                                When this mode is used, the following options are
                                ignored since they are provided by the TrueCrypt
                                header on the device or do not apply:
Michael Biebl's avatar
Michael Biebl committed
108 109 110 111 112
                                <code class="option">cipher=</code>,
                                <code class="option">hash=</code>,
                                <code class="option">keyfile-offset=</code>,
                                <code class="option">keyfile-size=</code>,
                                <code class="option">size=</code>.</p><p>When this mode is used, the passphrase is
Michael Biebl's avatar
Michael Biebl committed
113 114 115 116 117 118
                                read from the key file given in the third field.
                                Only the first line of this file is read,
                                excluding the new line character.</p><p>Note that the TrueCrypt format uses both
                                passphrase and key files to derive a password
                                for the volume. Therefore, the passphrase and
                                all key files need to be provided. Use
Michael Biebl's avatar
Michael Biebl committed
119
                                <code class="option">tcrypt-keyfile=</code> to provide
Michael Biebl's avatar
Michael Biebl committed
120 121 122
                                the absolute path to all key files. When using
                                an empty passphrase in combination with one or
                                more key files, use "<code class="literal">/dev/null</code>"
Michael Biebl's avatar
Michael Biebl committed
123 124
                                as the password file in the third field.</p></dd><dt id="tcrypt-hidden"><span class="term"><code class="option">tcrypt-hidden</code></span><a class="headerlink" title="Permalink to this term" href="#tcrypt-hidden"></a></dt><dd><p>Use the hidden TrueCrypt volume.
                                This option implies <code class="option">tcrypt</code>.</p><p>This will map the hidden volume that is
Michael Biebl's avatar
Michael Biebl committed
125 126 127 128 129
                                inside of the volume provided in the second
                                field. Please note that there is no protection
                                for the hidden volume if the outer volume is
                                mounted instead. See
                                <a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>
Michael Biebl's avatar
Michael Biebl committed
130
                                for more information on this limitation.</p></dd><dt id="tcrypt-keyfile="><span class="term"><code class="option">tcrypt-keyfile=</code></span><a class="headerlink" title="Permalink to this term" href="#tcrypt-keyfile="></a></dt><dd><p>Specifies the absolute path to a
Michael Biebl's avatar
Michael Biebl committed
131
                                key file to use for a TrueCrypt volume. This
Michael Biebl's avatar
Michael Biebl committed
132
                                implies <code class="option">tcrypt</code> and can be
Michael Biebl's avatar
Michael Biebl committed
133
                                used more than once to provide several key
Michael Biebl's avatar
Michael Biebl committed
134
                                files.</p><p>See the entry for <code class="option">tcrypt</code>
Michael Biebl's avatar
Michael Biebl committed
135
                                on the behavior of the passphrase and key files
Michael Biebl's avatar
Michael Biebl committed
136
                                when using TrueCrypt encryption mode.</p></dd><dt id="tcrypt-system"><span class="term"><code class="option">tcrypt-system</code></span><a class="headerlink" title="Permalink to this term" href="#tcrypt-system"></a></dt><dd><p>Use TrueCrypt in system
137
                                encryption mode. This option implies
Michael Biebl's avatar
Michael Biebl committed
138
                                <code class="option">tcrypt</code>.</p></dd><dt id="timeout="><span class="term"><code class="option">timeout=</code></span><a class="headerlink" title="Permalink to this term" href="#timeout="></a></dt><dd><p>Specifies the timeout for
Michael Biebl's avatar
Michael Biebl committed
139 140 141
                                querying for a password. If no unit is
                                specified, seconds is used. Supported units are
                                s, ms, us, min, h, d. A timeout of 0 waits
Michael Biebl's avatar
Michael Biebl committed
142
                                indefinitely (which is the default).</p></dd><dt id="tmp"><span class="term"><code class="option">tmp</code></span><a class="headerlink" title="Permalink to this term" href="#tmp"></a></dt><dd><p>The encrypted block device will
Michael Biebl's avatar
Michael Biebl committed
143 144 145
                                be prepared for using it as <code class="filename">/tmp</code>;
                                it will be formatted using
                                <a href="mke2fs.html"><span class="citerefentry"><span class="refentrytitle">mke2fs</span>(8)</span></a>.
Michael Biebl's avatar
Michael Biebl committed
146
                                This option implies <code class="option">plain</code>.</p><p>WARNING: Using the <code class="option">tmp</code>
Michael Biebl's avatar
Michael Biebl committed
147 148
                                option will destroy the contents of the named
                                partition during every boot, so make sure the
Michael Biebl's avatar
Michael Biebl committed
149
                                underlying block device is specified correctly.</p></dd><dt id="tries="><span class="term"><code class="option">tries=</code></span><a class="headerlink" title="Permalink to this term" href="#tries="></a></dt><dd><p>Specifies the maximum number of
Michael Biebl's avatar
Michael Biebl committed
150 151
                                times the user is queried for a password.
                                The default is 3. If set to 0, the user is
Michael Biebl's avatar
Michael Biebl committed
152
                                queried for a password indefinitely.</p></dd><dt id="verify"><span class="term"><code class="option">verify</code></span><a class="headerlink" title="Permalink to this term" href="#verify"></a></dt><dd><p> If the encryption password is
Michael Biebl's avatar
Michael Biebl committed
153 154 155
                                read from console, it has to be entered twice to
                                prevent typos.</p></dd></dl></div><p>At early boot and when the system manager
                configuration is reloaded, this file is translated into
156
                native systemd units
Michael Biebl's avatar
Michael Biebl committed
157
                by <a href="systemd-cryptsetup-generator.html"><span class="citerefentry"><span class="refentrytitle">systemd-cryptsetup-generator</span>(8)</span></a>.</p></div><div class="refsect1"><a name="idm214174457600"></a><h2 id="Example">Example<a class="headerlink" title="Permalink to this headline" href="#Example"></a></h2><div class="example"><a name="idm214174456960"></a><p class="title"><b>Example 1. /etc/crypttab example</b></p><div class="example-contents"><p>Set up four encrypted block devices. One using
Michael Biebl's avatar
Michael Biebl committed
158 159 160 161
                        LUKS for normal storage, another one for usage as a swap
                        device and two TrueCrypt volumes.</p><pre class="programlisting">luks       UUID=2505567a-9e27-4efe-a4d5-15ad146c258b
swap       /dev/sda7       /dev/urandom             swap
truecrypt  /dev/sda2       /etc/container_password  tcrypt
Michael Biebl's avatar
Michael Biebl committed
162
hidden     /mnt/tc_hidden  /dev/null                tcrypt-hidden,tcrypt-keyfile=/etc/keyfile</pre></div></div><br class="example-break"></div><div class="refsect1"><a name="idm214174454576"></a><h2 id="See Also">See Also<a class="headerlink" title="Permalink to this headline" href="#See%20Also"></a></h2><p>
163 164 165 166 167 168 169
                        <a href="systemd.html"><span class="citerefentry"><span class="refentrytitle">systemd</span>(1)</span></a>,
                        <a href="systemd-cryptsetup@.service.html"><span class="citerefentry"><span class="refentrytitle">systemd-cryptsetup@.service</span>(8)</span></a>,
                        <a href="systemd-cryptsetup-generator.html"><span class="citerefentry"><span class="refentrytitle">systemd-cryptsetup-generator</span>(8)</span></a>,
                        <a href="cryptsetup.html"><span class="citerefentry"><span class="refentrytitle">cryptsetup</span>(8)</span></a>,
                        <a href="mkswap.html"><span class="citerefentry"><span class="refentrytitle">mkswap</span>(8)</span></a>,
                        <a href="mke2fs.html"><span class="citerefentry"><span class="refentrytitle">mke2fs</span>(8)</span></a>
                </p></div></div></body></html>