proxmox-mirrors/systemd
1
0
Fork 0
mirror of https://git.proxmox.com/git/systemd synced 2025-05-29 11:44:16 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e735f4d4ea
systemd/man/crypttab.5
Martin Pitt e735f4d4ea Imported Upstream version 219
2015-02-17 11:22:16 +01:00

265 lines
8.9 KiB
Groff
Raw Blame History

'\" t
.TH "CRYPTTAB" "5" "" "systemd 219" "crypttab"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
crypttab \- Configuration for encrypted block devices
.SH "SYNOPSIS"
.PP
/etc/crypttab
.SH "DESCRIPTION"
.PP
The
/etc/crypttab
file describes encrypted block devices that are set up during system boot\&.
.PP
Empty lines and lines starting with the
"#"
character are ignored\&. Each of the remaining lines describes one encrypted block device, fields on the line are delimited by white space\&. The first two fields are mandatory, the remaining two are optional\&.
.PP
Setting up encrypted block devices using this file supports three encryption modes: LUKS, TrueCrypt and plain\&. See
\fBcryptsetup\fR(8)
for more information about each mode\&. When no mode is specified in the options field and the block device contains a LUKS signature, it is opened as a LUKS device; otherwise, it is assumed to be in raw dm\-crypt (plain mode) format\&.
.PP
The first field contains the name of the resulting encrypted block device; the device is set up within
/dev/mapper/\&.
.PP
The second field contains a path to the underlying block device or file, or a specification of a block device via
"UUID="
followed by the UUID\&.
.PP
The third field specifies the encryption password\&. If the field is not present or the password is set to
"none"
or
"\-", the password has to be manually entered during system boot\&. Otherwise, the field is interpreted as a absolute path to a file containing the encryption password\&. For swap encryption,
/dev/urandom
or the hardware device
/dev/hw_random
can be used as the password file; using
/dev/random
may prevent boot completion if the system does not have enough entropy to generate a truly random encryption key\&.
.PP
The fourth field, if present, is a comma\-delimited list of options\&. The following options are recognized:
.PP
\fBdiscard\fR
.RS 4
Allow discard requests to be passed through the encrypted block device\&. This improves performance on SSD storage but has security implications\&.
.RE
.PP
\fBcipher=\fR
.RS 4
Specifies the cipher to use\&. See
\fBcryptsetup\fR(8)
for possible values and the default value of this option\&. A cipher with unpredictable IV values, such as
"aes\-cbc\-essiv:sha256", is recommended\&.
.RE
.PP
\fBhash=\fR
.RS 4
Specifies the hash to use for password hashing\&. See
\fBcryptsetup\fR(8)
for possible values and the default value of this option\&.
.RE
.PP
\fBheader=\fR
.RS 4
Use a detached (separated) metadata device or file where the LUKS header is stored\&. This option is only relevant for LUKS devices\&. See
\fBcryptsetup\fR(8)
for possible values and the default value of this option\&.
.RE
.PP
\fBkeyfile\-offset=\fR
.RS 4
Specifies the number of bytes to skip at the start of the key file\&. See
\fBcryptsetup\fR(8)
for possible values and the default value of this option\&.
.RE
.PP
\fBkeyfile\-size=\fR
.RS 4
Specifies the maximum number of bytes to read from the key file\&. See
\fBcryptsetup\fR(8)
for possible values and the default value of this option\&. This option is ignored in plain encryption mode, as the key file size is then given by the key size\&.
.RE
.PP
\fBkey\-slot=\fR
.RS 4
Specifies the key slot to compare the passphrase or key against\&. If the key slot does not match the given passphrase or key, but another would, the setup of the device will fail regardless\&. This option implies
\fBluks\fR\&. See
\fBcryptsetup\fR(8)
for possible values\&. The default is to try all key slots in sequential order\&.
.RE
.PP
\fBluks\fR
.RS 4
Force LUKS mode\&. When this mode is used, the following options are ignored since they are provided by the LUKS header on the device:
\fBcipher=\fR,
\fBhash=\fR,
\fBsize=\fR\&.
.RE
.PP
\fBnoauto\fR
.RS 4
This device will not be automatically unlocked on boot\&.
.RE
.PP
\fBnofail\fR
.RS 4
The system will not wait for the device to show up and be unlocked at boot, and not fail the boot if it does not show up\&.
.RE
.PP
\fBplain\fR
.RS 4
Force plain encryption mode\&.
.RE
.PP
\fBread\-only\fR, \fBreadonly\fR
.RS 4
Set up the encrypted block device in read\-only mode\&.
.RE
.PP
\fBsize=\fR
.RS 4
Specifies the key size in bits\&. See
\fBcryptsetup\fR(8)
for possible values and the default value of this option\&.
.RE
.PP
\fBswap\fR
.RS 4
The encrypted block device will be used as a swap device, and will be formatted accordingly after setting up the encrypted block device, with
\fBmkswap\fR(8)\&. This option implies
\fBplain\fR\&.
.sp
WARNING: Using the
\fBswap\fR
option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly\&.
.RE
.PP
\fBtcrypt\fR
.RS 4
Use TrueCrypt encryption mode\&. When this mode is used, the following options are ignored since they are provided by the TrueCrypt header on the device or do not apply:
\fBcipher=\fR,
\fBhash=\fR,
\fBkeyfile\-offset=\fR,
\fBkeyfile\-size=\fR,
\fBsize=\fR\&.
.sp
When this mode is used, the passphrase is read from the key file given in the third field\&. Only the first line of this file is read, excluding the new line character\&.
.sp
Note that the TrueCrypt format uses both passphrase and key files to derive a password for the volume\&. Therefore, the passphrase and all key files need to be provided\&. Use
\fBtcrypt\-keyfile=\fR
to provide the absolute path to all key files\&. When using an empty passphrase in combination with one or more key files, use
"/dev/null"
as the password file in the third field\&.
.RE
.PP
\fBtcrypt\-hidden\fR
.RS 4
Use the hidden TrueCrypt volume\&. This option implies
\fBtcrypt\fR\&.
.sp
This will map the hidden volume that is inside of the volume provided in the second field\&. Please note that there is no protection for the hidden volume if the outer volume is mounted instead\&. See
\fBcryptsetup\fR(8)
for more information on this limitation\&.
.RE
.PP
\fBtcrypt\-keyfile=\fR
.RS 4
Specifies the absolute path to a key file to use for a TrueCrypt volume\&. This implies
\fBtcrypt\fR
and can be used more than once to provide several key files\&.
.sp
See the entry for
\fBtcrypt\fR
on the behavior of the passphrase and key files when using TrueCrypt encryption mode\&.
.RE
.PP
\fBtcrypt\-system\fR
.RS 4
Use TrueCrypt in system encryption mode\&. This option implies
\fBtcrypt\fR\&.
.RE
.PP
\fBtimeout=\fR
.RS 4
Specifies the timeout for querying for a password\&. If no unit is specified, seconds is used\&. Supported units are s, ms, us, min, h, d\&. A timeout of 0 waits indefinitely (which is the default)\&.
.RE
.PP
\fBx\-systemd\&.device\-timeout=\fR
.RS 4
Specifies how long systemd should wait for a device to show up before giving up on the entry\&. The argument is a time in seconds or explicitly specified units of
"s",
"min",
"h",
"ms"\&.
.RE
.PP
\fBtmp\fR
.RS 4
The encrypted block device will be prepared for using it as
/tmp; it will be formatted using
\fBmke2fs\fR(8)\&. This option implies
\fBplain\fR\&.
.sp
WARNING: Using the
\fBtmp\fR
option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly\&.
.RE
.PP
\fBtries=\fR
.RS 4
Specifies the maximum number of times the user is queried for a password\&. The default is 3\&. If set to 0, the user is queried for a password indefinitely\&.
.RE
.PP
\fBverify\fR
.RS 4
If the encryption password is read from console, it has to be entered twice to prevent typos\&.
.RE
.PP
At early boot and when the system manager configuration is reloaded, this file is translated into native systemd units by
\fBsystemd-cryptsetup-generator\fR(8)\&.
.SH "EXAMPLE"
.PP
\fBExample\ \&1.\ \&/etc/crypttab example\fR
.PP
Set up four encrypted block devices\&. One using LUKS for normal storage, another one for usage as a swap device and two TrueCrypt volumes\&.
.sp
.if n \{\
.RS 4
.\}
.nf
luks UUID=2505567a\-9e27\-4efe\-a4d5\-15ad146c258b
swap /dev/sda7 /dev/urandom swap
truecrypt /dev/sda2 /etc/container_password tcrypt
hidden /mnt/tc_hidden /dev/null tcrypt\-hidden,tcrypt\-keyfile=/etc/keyfile
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\fBsystemd\fR(1),
\fBsystemd-cryptsetup@.service\fR(8),
\fBsystemd-cryptsetup-generator\fR(8),
\fBcryptsetup\fR(8),
\fBmkswap\fR(8),
\fBmke2fs\fR(8)
Reference in New Issue View Git Blame Copy Permalink