]>
Commit | Line | Data |
---|---|---|
8e129f51 LP |
1 | <?xml version="1.0"?> |
2 | <!--*-nxml-*--> | |
3a54a157 ZJS |
3 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
4 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | |
db9ecf05 | 5 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> |
56ba3c78 | 6 | <refentry id="systemd-cryptsetup-generator" conditional='HAVE_LIBCRYPTSETUP'> |
8e129f51 | 7 | |
798d3a52 ZJS |
8 | <refentryinfo> |
9 | <title>systemd-cryptsetup-generator</title> | |
10 | <productname>systemd</productname> | |
798d3a52 ZJS |
11 | </refentryinfo> |
12 | ||
13 | <refmeta> | |
14 | <refentrytitle>systemd-cryptsetup-generator</refentrytitle> | |
15 | <manvolnum>8</manvolnum> | |
16 | </refmeta> | |
17 | ||
18 | <refnamediv> | |
19 | <refname>systemd-cryptsetup-generator</refname> | |
20 | <refpurpose>Unit generator for <filename>/etc/crypttab</filename></refpurpose> | |
21 | </refnamediv> | |
22 | ||
23 | <refsynopsisdiv> | |
12b42c76 | 24 | <para><filename>/usr/lib/systemd/system-generators/systemd-cryptsetup-generator</filename></para> |
798d3a52 ZJS |
25 | </refsynopsisdiv> |
26 | ||
27 | <refsect1> | |
28 | <title>Description</title> | |
29 | ||
30 | <para><filename>systemd-cryptsetup-generator</filename> is a | |
31 | generator that translates <filename>/etc/crypttab</filename> into | |
32 | native systemd units early at boot and when configuration of the | |
33 | system manager is reloaded. This will create | |
34 | <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
35 | units as necessary.</para> | |
36 | ||
b1c1a519 ZC |
37 | <para><filename>systemd-cryptsetup-generator</filename> implements |
38 | <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para> | |
798d3a52 ZJS |
39 | </refsect1> |
40 | ||
41 | <refsect1> | |
42 | <title>Kernel Command Line</title> | |
43 | ||
44 | <para><filename>systemd-cryptsetup-generator</filename> | |
45 | understands the following kernel command line parameters:</para> | |
46 | ||
47 | <variablelist class='kernel-commandline-options'> | |
48 | <varlistentry> | |
49 | <term><varname>luks=</varname></term> | |
50 | <term><varname>rd.luks=</varname></term> | |
51 | ||
b66a6e1a ZJS |
52 | <listitem><para>Takes a boolean argument. Defaults to <literal>yes</literal>. If |
53 | <literal>no</literal>, disables the generator entirely. <varname>rd.luks=</varname> is honored only | |
54 | in the initrd while <varname>luks=</varname> is honored by both the main system and in the initrd. | |
55 | </para></listitem> | |
798d3a52 ZJS |
56 | </varlistentry> |
57 | ||
58 | <varlistentry> | |
59 | <term><varname>luks.crypttab=</varname></term> | |
60 | <term><varname>rd.luks.crypttab=</varname></term> | |
61 | ||
b66a6e1a ZJS |
62 | <listitem><para>Takes a boolean argument. Defaults to <literal>yes</literal>. If |
63 | <literal>no</literal>, causes the generator to ignore any devices configured in | |
64 | <filename>/etc/crypttab</filename> (<varname>luks.uuid=</varname> will still work however). | |
65 | <varname>rd.luks.crypttab=</varname> is honored only in initrd while | |
8b9f0921 | 66 | <varname>luks.crypttab=</varname> is honored by both the main system and in the initrd. |
b66a6e1a | 67 | </para></listitem> |
798d3a52 ZJS |
68 | </varlistentry> |
69 | ||
70 | <varlistentry> | |
71 | <term><varname>luks.uuid=</varname></term> | |
72 | <term><varname>rd.luks.uuid=</varname></term> | |
73 | ||
b66a6e1a ZJS |
74 | <listitem><para>Takes a LUKS superblock UUID as argument. This will activate the specified device as |
75 | part of the boot process as if it was listed in <filename>/etc/crypttab</filename>. This option may | |
76 | be specified more than once in order to set up multiple devices. <varname>rd.luks.uuid=</varname> is | |
77 | honored only in the initrd, while <varname>luks.uuid=</varname> is honored by both the main system | |
8b9f0921 | 78 | and in the initrd.</para> |
b66a6e1a ZJS |
79 | |
80 | <para>If <filename>/etc/crypttab</filename> contains entries with the same UUID, then the name, | |
81 | keyfile and options specified there will be used. Otherwise, the device will have the name | |
798d3a52 | 82 | <literal>luks-UUID</literal>.</para> |
b66a6e1a ZJS |
83 | |
84 | <para>If <filename>/etc/crypttab</filename> exists, only those UUIDs specified on the kernel command | |
85 | line will be activated in the initrd or the real root.</para> | |
798d3a52 ZJS |
86 | </listitem> |
87 | </varlistentry> | |
88 | ||
89 | <varlistentry> | |
90 | <term><varname>luks.name=</varname></term> | |
91 | <term><varname>rd.luks.name=</varname></term> | |
92 | ||
93 | <listitem><para>Takes a LUKS super block UUID followed by an | |
94 | <literal>=</literal> and a name. This implies | |
95 | <varname>rd.luks.uuid=</varname> or | |
96 | <varname>luks.uuid=</varname> and will additionally make the | |
97 | LUKS device given by the UUID appear under the provided | |
98 | name.</para> | |
99 | ||
a8574d00 OK |
100 | <para>This parameter is the analogue of the first <citerefentry><refentrytitle>crypttab</refentrytitle> |
101 | <manvolnum>5</manvolnum></citerefentry> field <replaceable>volume-name</replaceable>.</para> | |
102 | ||
b66a6e1a | 103 | <para><varname>rd.luks.name=</varname> is honored only in the initrd, while |
8b9f0921 | 104 | <varname>luks.name=</varname> is honored by both the main system and in the initrd.</para> |
798d3a52 ZJS |
105 | </listitem> |
106 | </varlistentry> | |
107 | ||
108 | <varlistentry> | |
a8574d00 OK |
109 | <term><varname>luks.data=</varname></term> |
110 | <term><varname>rd.luks.data=</varname></term> | |
798d3a52 | 111 | |
a8574d00 OK |
112 | <listitem><para>Takes a LUKS super block UUID followed by a <literal>=</literal> and a block device |
113 | specification for device hosting encrypted data.</para> | |
114 | ||
115 | <para>For those entries specified with <varname>rd.luks.uuid=</varname> or | |
116 | <varname>luks.uuid=</varname>, the data device will be set to the one specified by | |
117 | <varname>rd.luks.data=</varname> or <varname>luks.data=</varname> of the corresponding UUID.</para> | |
118 | ||
377a9545 | 119 | <para>LUKS data device parameter is useful for specifying encrypted data devices with detached headers specified in |
a8574d00 OK |
120 | <varname>luks.options</varname> entry containing <literal>header=</literal> argument. For example, |
121 | <varname>rd.luks.uuid=</varname>b40f1abf-2a53-400a-889a-2eccc27eaa40 | |
122 | <varname>rd.luks.options=</varname>b40f1abf-2a53-400a-889a-2eccc27eaa40=header=/path/to/luks.hdr | |
123 | <varname>rd.luks.data=</varname>b40f1abf-2a53-400a-889a-2eccc27eaa40=/dev/sdx. | |
124 | Hence, in this case, we will attempt to unlock LUKS device assembled from data device <literal>/dev/sdx</literal> | |
125 | and LUKS header (metadata) put in <literal>/path/to/luks.hdr</literal> file. This syntax is for now | |
126 | only supported on a per-device basis, i.e. you have to specify LUKS device UUID.</para> | |
127 | ||
128 | <para>This parameter is the analogue of the second <citerefentry><refentrytitle>crypttab</refentrytitle> | |
129 | <manvolnum>5</manvolnum></citerefentry> field <replaceable>encrypted-device</replaceable>.</para> | |
130 | ||
b66a6e1a ZJS |
131 | <para><varname>rd.luks.data=</varname> is honored only in the initrd, while |
132 | <varname>luks.data=</varname> is honored by both the main system and in the initrd.</para> | |
798d3a52 ZJS |
133 | </listitem> |
134 | </varlistentry> | |
135 | ||
136 | <varlistentry> | |
137 | <term><varname>luks.key=</varname></term> | |
138 | <term><varname>rd.luks.key=</varname></term> | |
139 | ||
140 | <listitem><para>Takes a password file name as argument or a | |
141 | LUKS super block UUID followed by a <literal>=</literal> and a | |
142 | password file name.</para> | |
143 | ||
144 | <para>For those entries specified with | |
145 | <varname>rd.luks.uuid=</varname> or | |
146 | <varname>luks.uuid=</varname>, the password file will be set | |
147 | to the one specified by <varname>rd.luks.key=</varname> or | |
148 | <varname>luks.key=</varname> of the corresponding UUID, or the | |
149 | password file that was specified without a UUID.</para> | |
70f5f48e MS |
150 | |
151 | <para>It is also possible to specify an external device which | |
152 | should be mounted before we attempt to unlock the LUKS device. | |
153 | systemd-cryptsetup will use password file stored on that | |
154 | device. Device containing password file is specified by | |
155 | appending colon and a device identifier to the password file | |
156 | path. For example, | |
157 | <varname>rd.luks.uuid=</varname>b40f1abf-2a53-400a-889a-2eccc27eaa40 | |
158 | <varname>rd.luks.key=</varname>b40f1abf-2a53-400a-889a-2eccc27eaa40=/keyfile:LABEL=keydev. | |
159 | Hence, in this case, we will attempt to mount file system | |
160 | residing on the block device with label <literal>keydev</literal>. | |
161 | This syntax is for now only supported on a per-device basis, | |
162 | i.e. you have to specify LUKS device UUID.</para> | |
163 | ||
a8574d00 OK |
164 | <para>This parameter is the analogue of the third <citerefentry><refentrytitle>crypttab</refentrytitle> |
165 | <manvolnum>5</manvolnum></citerefentry> field <replaceable>key-file</replaceable>.</para> | |
166 | ||
b66a6e1a ZJS |
167 | <para><varname>rd.luks.key=</varname> is honored only in the initrd, while |
168 | <varname>luks.key=</varname> is honored by both the main system and in the initrd.</para> | |
798d3a52 ZJS |
169 | </listitem> |
170 | </varlistentry> | |
a8574d00 OK |
171 | |
172 | <varlistentry> | |
173 | <term><varname>luks.options=</varname></term> | |
174 | <term><varname>rd.luks.options=</varname></term> | |
175 | ||
176 | <listitem><para>Takes a LUKS super block UUID followed by an | |
177 | <literal>=</literal> and a string of options separated by | |
178 | commas as argument. This will override the options for the | |
179 | given UUID.</para> | |
180 | <para>If only a list of options, without an UUID, is | |
181 | specified, they apply to any UUIDs not specified elsewhere, | |
182 | and without an entry in | |
183 | <filename>/etc/crypttab</filename>.</para> | |
184 | ||
185 | <para>This parameter is the analogue of the fourth <citerefentry><refentrytitle>crypttab</refentrytitle> | |
186 | <manvolnum>5</manvolnum></citerefentry> field <replaceable>options</replaceable>.</para> | |
187 | ||
188 | <para>It is possible to specify an external device which | |
189 | should be mounted before we attempt to unlock the LUKS device. | |
190 | systemd-cryptsetup will assemble LUKS device by combining | |
191 | data device specified in <varname>luks.data</varname> with | |
192 | detached LUKS header found in <literal>header=</literal> | |
193 | argument. For example, | |
194 | <varname>rd.luks.uuid=</varname>b40f1abf-2a53-400a-889a-2eccc27eaa40 | |
195 | <varname>rd.luks.options=</varname>b40f1abf-2a53-400a-889a-2eccc27eaa40=header=/luks.hdr:LABEL=hdrdev | |
196 | <varname>rd.luks.data=</varname>b40f1abf-2a53-400a-889a-2eccc27eaa40=/dev/sdx. | |
197 | Hence, in this case, we will attempt to mount file system | |
198 | residing on the block device with label <literal>hdrdev</literal>, and look | |
199 | for <literal>luks.hdr</literal> on that file system. Said header will be used | |
200 | to unlock (decrypt) encrypted data stored on /dev/sdx. | |
201 | This syntax is for now only supported on a per-device basis, | |
202 | i.e. you have to specify LUKS device UUID.</para> | |
203 | ||
204 | <para><varname>rd.luks.options=</varname> is honored only by initial | |
205 | RAM disk (initrd) while <varname>luks.options=</varname> is | |
8b9f0921 | 206 | honored by both the main system and in the initrd.</para> |
a8574d00 OK |
207 | </listitem> |
208 | </varlistentry> | |
798d3a52 ZJS |
209 | </variablelist> |
210 | </refsect1> | |
211 | ||
212 | <refsect1> | |
213 | <title>See Also</title> | |
214 | <para> | |
215 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
216 | <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
217 | <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
cf1e172d | 218 | <citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
3ba3a79d | 219 | <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
798d3a52 ZJS |
220 | <citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
221 | </para> | |
222 | </refsect1> | |
8e129f51 LP |
223 | |
224 | </refentry> |