crypttab — Configuration for encrypted block devices

/etc/crypttab

The /etc/crypttab file describes encrypted block devices that are set up during system boot.
Empty lines and lines starting with the # character are ignored. Each of the remaining lines describes one encrypted block device; fields on the line are delimited by white space. The first two fields are mandatory, the remaining two are optional.
The first field contains the name of the resulting encrypted block device; the device is set up within /dev/mapper/.
The second field contains a path to the underlying block device, or a specification of a block device via UUID= followed by the UUID. If the block device contains a LUKS signature, it is opened as a LUKS encrypted partition; otherwise it is assumed to be a raw dm-crypt partition.
The third field specifies the encryption password. If the field is not present or the password is set to none, the password has to be manually entered during system boot. Otherwise the field is interpreted as a path to a file containing the encryption password. For swap encryption /dev/urandom or the hardware device /dev/hw_random can be used as the password file; using /dev/random may prevent boot completion if the system does not have enough entropy to generate a truly random encryption key.
The fourth field, if present, is a comma-delimited list of options. The following options are recognized:
cipher=
    Specifies the cipher to use; see cryptsetup(8) for possible values and the default value of this option. A cipher with unpredictable IV values, such as aes-cbc-essiv:sha256, is recommended.

size=
    Specifies the key size in bits; see cryptsetup(8) for possible values and the default value of this option.

keyfile-size=
    Specifies the maximum number of bytes to read from the keyfile; see cryptsetup(8) for possible values and the default value of this option. This option is ignored in plain encryption mode, as the keyfile-size is then given by the key size.

keyfile-offset=
    Specifies the number of bytes to skip at the start of the keyfile; see cryptsetup(8) for possible values and the default value of this option.

hash=
    Specifies the hash to use for password hashing; see cryptsetup(8) for possible values and the default value of this option.

tries=
    Specifies the maximum number of times the user is queried for a password.

verify
    If the encryption password is read from the console, it has to be entered twice (to prevent typos).

read-only, readonly
    Set up the encrypted block device in read-only mode.

allow-discards
    Allow discard requests to be passed through the encrypted block device. This improves performance on SSD storage but has security implications.

luks
    Force LUKS mode.

plain
    Force plain encryption mode.

timeout=
    Specify the timeout for querying for a password. If no unit is specified, seconds is used. Supported units are s, ms, us, min, h, d. A timeout of 0 waits indefinitely (which is the default).

noauto
    This device will not be automatically unlocked on boot.

nofail
    The system will not wait for the device to show up and be unlocked at boot, and will not fail the boot if it doesn't show up.

swap
    The encrypted block device will be used as a swap partition, and will be formatted as a swap partition after setting up the encrypted block device, with mkswap(8).

    WARNING: Using the swap option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly.

tmp
    The encrypted block device will be prepared for use as the /tmp partition: it will be formatted using mke2fs(8).

    WARNING: Using the tmp option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly.
At early boot and when the system manager configuration is reloaded this file is translated into native systemd units by systemd-cryptsetup-generator(8).
Example 1. /etc/crypttab example
Set up two encrypted block devices with LUKS: one normal one for storage, and another one for usage as swap device.
    luks-2505567a-9e27-4efe-a4d5-15ad146c258b UUID=2505567a-9e27-4efe-a4d5-15ad146c258b - timeout=0
    swap /dev/sda7 /dev/urandom swap
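The following parser and linter is an added example, not part of systemd or this man page. It applies the field rules described above to crypttab text and flags the risks the text itself calls out: swap or tmp entries whose device is given by path rather than UUID= (the warning about wiping the wrong partition), /dev/random as the key source (may stall boot), and allow-discards (security implications). The sample content is constructed from the example above.

```python
"""Parse and lint /etc/crypttab lines. Added example, not systemd code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union


@dataclass
class CryptEntry:
    name: str                      # field 1: device appears as /dev/mapper/<name>
    device: str                    # field 2: path or UUID=<uuid>
    password: Optional[str]        # field 3: None when absent, "none" or "-"
    options: Dict[str, Union[str, bool]] = field(default_factory=dict)  # field 4


def parse_crypttab(text: str) -> List[CryptEntry]:
    """Return one CryptEntry per non-empty, non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # empty lines and '#' comments are ignored
        fields = line.split()             # fields are white-space delimited
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: name and device fields are mandatory")
        name, device = fields[0], fields[1]
        # "none" means prompt at boot; the man page example uses "-" the same way
        password = fields[2] if len(fields) > 2 and fields[2] not in ("none", "-") else None
        options: Dict[str, Union[str, bool]] = {}
        if len(fields) > 3:
            for opt in fields[3].split(","):   # comma-delimited option list
                key, sep, value = opt.partition("=")
                options[key] = value if sep else True
        entries.append(CryptEntry(name, device, password, options))
    return entries


def lint(entries: List[CryptEntry]) -> List[str]:
    """Return findings for the risks the man page text warns about."""
    findings = []
    for e in entries:
        destructive = {"swap", "tmp"} & set(e.options)
        # swap/tmp reformat the device on every boot; a stable UUID= avoids hitting the wrong disk
        if destructive and not e.device.startswith("UUID="):
            findings.append(f"{e.name}: {','.join(sorted(destructive))} option on path-specified "
                            f"device {e.device}; prefer UUID= so the wrong partition is never wiped")
        if e.password == "/dev/random":
            findings.append(f"{e.name}: /dev/random as key source may block boot when entropy is low")
        if "allow-discards" in e.options:
            findings.append(f"{e.name}: allow-discards has security implications, see cryptsetup(8)")
    return findings


SAMPLE = """\
# constructed from the crypttab example above
luks-2505567a-9e27-4efe-a4d5-15ad146c258b UUID=2505567a-9e27-4efe-a4d5-15ad146c258b - timeout=0
swap /dev/sda7 /dev/urandom swap
"""
```

Running `lint(parse_crypttab(SAMPLE))` reports only the swap entry, because it names /dev/sda7 by path while being reformatted on every boot.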