'\" t .TH "CRYPTTAB" "5" "" "systemd 218" "crypttab" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" crypttab \- Configuration for encrypted block devices .SH "SYNOPSIS" .PP /etc/crypttab .SH "DESCRIPTION" .PP The /etc/crypttab file describes encrypted block devices that are set up during system boot\&. .PP Empty lines and lines starting with the "#" character are ignored\&. Each of the remaining lines describes one encrypted block device, fields on the line are delimited by white space\&. The first two fields are mandatory, the remaining two are optional\&. .PP Setting up encrypted block devices using this file supports three encryption modes: LUKS, TrueCrypt and plain\&. See \fBcryptsetup\fR(8) for more information about each mode\&. When no mode is specified in the options field and the block device contains a LUKS signature, it is opened as a LUKS device; otherwise, it is assumed to be in raw dm\-crypt (plain mode) format\&. .PP The first field contains the name of the resulting encrypted block device; the device is set up within /dev/mapper/\&. .PP The second field contains a path to the underlying block device or file, or a specification of a block device via "UUID=" followed by the UUID\&. .PP The third field specifies the encryption password\&. If the field is not present or the password is set to "none" or "\-", the password has to be manually entered during system boot\&. Otherwise, the field is interpreted as a absolute path to a file containing the encryption password\&. For swap encryption, /dev/urandom or the hardware device /dev/hw_random can be used as the password file; using /dev/random may prevent boot completion if the system does not have enough entropy to generate a truly random encryption key\&. .PP The fourth field, if present, is a comma\-delimited list of options\&. The following options are recognized: .PP \fBdiscard\fR .RS 4 Allow discard requests to be passed through the encrypted block device\&. This improves performance on SSD storage but has security implications\&. .RE .PP \fBcipher=\fR .RS 4 Specifies the cipher to use\&. See \fBcryptsetup\fR(8) for possible values and the default value of this option\&. A cipher with unpredictable IV values, such as "aes\-cbc\-essiv:sha256", is recommended\&. .RE .PP \fBhash=\fR .RS 4 Specifies the hash to use for password hashing\&. See \fBcryptsetup\fR(8) for possible values and the default value of this option\&. .RE .PP \fBkeyfile\-offset=\fR .RS 4 Specifies the number of bytes to skip at the start of the key file\&. See \fBcryptsetup\fR(8) for possible values and the default value of this option\&. .RE .PP \fBkeyfile\-size=\fR .RS 4 Specifies the maximum number of bytes to read from the key file\&. See \fBcryptsetup\fR(8) for possible values and the default value of this option\&. This option is ignored in plain encryption mode, as the key file size is then given by the key size\&. .RE .PP \fBkey\-slot=\fR .RS 4 Specifies the key slot to compare the passphrase or key against\&. If the key slot does not match the given passphrase or key, but another would, the setup of the device will fail regardless\&. This option implies \fBluks\fR\&. See \fBcryptsetup\fR(8) for possible values\&. The default is to try all key slots in sequential order\&. .RE .PP \fBluks\fR .RS 4 Force LUKS mode\&. When this mode is used, the following options are ignored since they are provided by the LUKS header on the device: \fBcipher=\fR, \fBhash=\fR, \fBsize=\fR\&. .RE .PP \fBnoauto\fR .RS 4 This device will not be automatically unlocked on boot\&. .RE .PP \fBnofail\fR .RS 4 The system will not wait for the device to show up and be unlocked at boot, and not fail the boot if it does not show up\&. .RE .PP \fBplain\fR .RS 4 Force plain encryption mode\&. .RE .PP \fBread\-only\fR, \fBreadonly\fR .RS 4 Set up the encrypted block device in read\-only mode\&. .RE .PP \fBsize=\fR .RS 4 Specifies the key size in bits\&. See \fBcryptsetup\fR(8) for possible values and the default value of this option\&. .RE .PP \fBswap\fR .RS 4 The encrypted block device will be used as a swap device, and will be formatted accordingly after setting up the encrypted block device, with \fBmkswap\fR(8)\&. This option implies \fBplain\fR\&. .sp WARNING: Using the \fBswap\fR option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly\&. .RE .PP \fBtcrypt\fR .RS 4 Use TrueCrypt encryption mode\&. When this mode is used, the following options are ignored since they are provided by the TrueCrypt header on the device or do not apply: \fBcipher=\fR, \fBhash=\fR, \fBkeyfile\-offset=\fR, \fBkeyfile\-size=\fR, \fBsize=\fR\&. .sp When this mode is used, the passphrase is read from the key file given in the third field\&. Only the first line of this file is read, excluding the new line character\&. .sp Note that the TrueCrypt format uses both passphrase and key files to derive a password for the volume\&. Therefore, the passphrase and all key files need to be provided\&. Use \fBtcrypt\-keyfile=\fR to provide the absolute path to all key files\&. When using an empty passphrase in combination with one or more key files, use "/dev/null" as the password file in the third field\&. .RE .PP \fBtcrypt\-hidden\fR .RS 4 Use the hidden TrueCrypt volume\&. This option implies \fBtcrypt\fR\&. .sp This will map the hidden volume that is inside of the volume provided in the second field\&. Please note that there is no protection for the hidden volume if the outer volume is mounted instead\&. See \fBcryptsetup\fR(8) for more information on this limitation\&. .RE .PP \fBtcrypt\-keyfile=\fR .RS 4 Specifies the absolute path to a key file to use for a TrueCrypt volume\&. This implies \fBtcrypt\fR and can be used more than once to provide several key files\&. .sp See the entry for \fBtcrypt\fR on the behavior of the passphrase and key files when using TrueCrypt encryption mode\&. .RE .PP \fBtcrypt\-system\fR .RS 4 Use TrueCrypt in system encryption mode\&. This option implies \fBtcrypt\fR\&. .RE .PP \fBtimeout=\fR .RS 4 Specifies the timeout for querying for a password\&. If no unit is specified, seconds is used\&. Supported units are s, ms, us, min, h, d\&. A timeout of 0 waits indefinitely (which is the default)\&. .RE .PP \fBx\-systemd\&.device\-timeout=\fR .RS 4 Specifies how long systemd should wait for a device to show up before giving up on the entry\&. The argument is a time in seconds or explicitly specifified units of "s", "min", "h", "ms"\&. .RE .PP \fBtmp\fR .RS 4 The encrypted block device will be prepared for using it as /tmp; it will be formatted using \fBmke2fs\fR(8)\&. This option implies \fBplain\fR\&. .sp WARNING: Using the \fBtmp\fR option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly\&. .RE .PP \fBtries=\fR .RS 4 Specifies the maximum number of times the user is queried for a password\&. The default is 3\&. If set to 0, the user is queried for a password indefinitely\&. .RE .PP \fBverify\fR .RS 4 If the encryption password is read from console, it has to be entered twice to prevent typos\&. .RE .PP At early boot and when the system manager configuration is reloaded, this file is translated into native systemd units by \fBsystemd-cryptsetup-generator\fR(8)\&. .SH "EXAMPLE" .PP \fBExample\ \&1.\ \&/etc/crypttab example\fR .PP Set up four encrypted block devices\&. One using LUKS for normal storage, another one for usage as a swap device and two TrueCrypt volumes\&. .sp .if n \{\ .RS 4 .\} .nf luks UUID=2505567a\-9e27\-4efe\-a4d5\-15ad146c258b swap /dev/sda7 /dev/urandom swap truecrypt /dev/sda2 /etc/container_password tcrypt hidden /mnt/tc_hidden /dev/null tcrypt\-hidden,tcrypt\-keyfile=/etc/keyfile .fi .if n \{\ .RE .\} .SH "SEE ALSO" .PP \fBsystemd\fR(1), \fBsystemd-cryptsetup@.service\fR(8), \fBsystemd-cryptsetup-generator\fR(8), \fBcryptsetup\fR(8), \fBmkswap\fR(8), \fBmke2fs\fR(8)