for possible values and the default value of this option. A cipher with unpredictable IV values, such
as <literal>aes-cbc-essiv:sha256</literal>, is recommended. Embedded commas in the cipher
specification need to be escaped by preceding them with a backslash, see example below.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/>
</listitem>
</varlistentry>
<listitem><para>Allow discard requests to be passed through the encrypted block
device. This improves performance on SSD storage but has security implications.
- </para></listitem>
+ </para>
+
+ <xi:include href="version-info.xml" xpointer="v207"/></listitem>
</varlistentry>
<varlistentry>
hashing. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of this
- option.</para></listitem>
+ option.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
<term><option>header=</option></term>
- <listitem><para>Use a detached (separated) metadata device or
- file where the LUKS header is stored. This option is only
- relevant for LUKS devices. See
+ <listitem><para>Use a detached (separated) metadata device or file
+ where the header containing the master key(s) is stored. This
+ option is only relevant for LUKS and TrueCrypt/VeraCrypt devices. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- for possible values and the default value of this
- option.</para>
+ for possible values and the default value of this option.</para>
<para>Optionally, the path may be followed by <literal>:</literal> and an
<filename>/etc/fstab</filename> device specification (e.g. starting with <literal>UUID=</literal> or
similar); in which case, the path is relative to the device file system root. The device gets mounted
- automatically for LUKS device activation duration only.</para></listitem>
+ automatically for LUKS device activation duration only.</para>
+
+ <xi:include href="version-info.xml" xpointer="v219"/></listitem>
</varlistentry>
<varlistentry>
start of the key file. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of this
- option.</para></listitem>
+ option.</para>
+
+ <xi:include href="version-info.xml" xpointer="v187"/></listitem>
</varlistentry>
<varlistentry>
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of this option. This
option is ignored in plain encryption mode, as the key file
- size is then given by the key size.</para></listitem>
+ size is then given by the key size.</para>
+
+ <xi:include href="version-info.xml" xpointer="v188"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>If enabled, the specified key file is erased after the volume is activated or when
activation fails. This is in particular useful when the key file is only acquired transiently before
activation (e.g. via a file in <filename>/run/</filename>, generated by a service running before
- activation), and shall be removed after use. Defaults to off.</para></listitem>
+ activation), and shall be removed after use. Defaults to off.</para>
+
+ <xi:include href="version-info.xml" xpointer="v246"/></listitem>
</varlistentry>
<varlistentry>
<option>luks</option>. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values. The default is to try all key slots in
- sequential order.</para></listitem>
+ sequential order.</para>
+
+ <xi:include href="version-info.xml" xpointer="v209"/></listitem>
</varlistentry>
<varlistentry>
and falls back to a password if it could not be accessed. See
<citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for key files on external devices.
- </para></listitem>
+ </para>
+
+ <xi:include href="version-info.xml" xpointer="v243"/></listitem>
</varlistentry>
<varlistentry>
following options are ignored since they are provided by the
LUKS header on the device: <option>cipher=</option>,
<option>hash=</option>,
- <option>size=</option>.</para></listitem>
+ <option>size=</option>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
<term><option>bitlk</option></term>
<listitem><para>Decrypt BitLocker drive. Encryption parameters
- are deduced by cryptsetup from BitLocker header.</para></listitem>
+ are deduced by cryptsetup from BitLocker header.</para>
+
+ <xi:include href="version-info.xml" xpointer="v246"/></listitem>
</varlistentry>
<varlistentry>
will be pulled in by <filename>local-fs.target</filename>, while the
service to configure the network is usually only started <emphasis>after</emphasis>
the local file system has been mounted.</para>
+
+ <xi:include href="version-info.xml" xpointer="v235"/>
</listitem>
</varlistentry>
This means that it will not be automatically unlocked on boot, unless something else pulls
it in. In particular, if the device is used for a mount point, it'll be unlocked
automatically during boot, unless the mount point itself is also disabled with
- <option>noauto</option>.</para></listitem>
+ <option>noauto</option>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
unsuccessful. Note that other units that depend on the unlocked device may still fail. In
particular, if the device is used for a mount point, the mount point itself also needs to
have the <option>nofail</option> option, or the boot will fail if the device is not unlocked
- successfully.</para></listitem>
+ successfully.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
<term><option>offset=</option></term>
<listitem><para>Start offset in the backend device, in 512-byte sectors. This
- option is only relevant for plain devices.</para></listitem>
+ option is only relevant for plain devices.</para>
+
+ <xi:include href="version-info.xml" xpointer="v220"/></listitem>
</varlistentry>
<varlistentry>
<term><option>plain</option></term>
- <listitem><para>Force plain encryption mode.</para></listitem>
+ <listitem><para>Force plain encryption mode.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
<term><option>read-only</option></term><term><option>readonly</option></term>
<listitem><para>Set up the encrypted block device in read-only
- mode.</para></listitem>
+ mode.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
an unbound workqueue so that encryption work is automatically balanced between available CPUs.</para>
<para>This requires kernel 4.0 or newer.</para>
+
+ <xi:include href="version-info.xml" xpointer="v242"/>
</listitem>
</varlistentry>
benefits the CFQ scheduler to have writes submitted using the same context.</para>
<para>This requires kernel 4.0 or newer.</para>
+
+ <xi:include href="version-info.xml" xpointer="v242"/>
</listitem>
</varlistentry>
default is to queue these requests and process them asynchronously.</para>
<para>This requires kernel 5.9 or newer.</para>
+
+ <xi:include href="version-info.xml" xpointer="v248"/>
</listitem>
</varlistentry>
<varlistentry>
default is to queue these requests and process them asynchronously.</para>
<para>This requires kernel 5.9 or newer.</para>
+
+ <xi:include href="version-info.xml" xpointer="v248"/>
</listitem>
</varlistentry>
with its number for IV generation being <replaceable>n</replaceable>.</para>
<para>This option is only relevant for plain devices.</para>
+
+ <xi:include href="version-info.xml" xpointer="v220"/>
</listitem>
</varlistentry>
<listitem><para>Specifies the key size in bits. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of this
- option.</para></listitem>
+ option.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Specifies the sector size in bytes. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of this
- option.</para></listitem>
+ option.</para>
+
+ <xi:include href="version-info.xml" xpointer="v240"/></listitem>
</varlistentry>
<varlistentry>
<para>WARNING: Using the <option>swap</option> option will
destroy the contents of the named partition during every boot,
so make sure the underlying block device is specified
- correctly.</para></listitem>
+ correctly.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
to all key files. When using an empty passphrase in
combination with one or more key files, use
<literal>/dev/null</literal> as the password file in the third
- field.</para></listitem>
+ field.</para>
+
+ <xi:include href="version-info.xml" xpointer="v206"/></listitem>
</varlistentry>
<varlistentry>
no protection for the hidden volume if the outer volume is
mounted instead. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- for more information on this limitation.</para></listitem>
+ for more information on this limitation.</para>
+
+ <xi:include href="version-info.xml" xpointer="v206"/></listitem>
</varlistentry>
<varlistentry>
<para>See the entry for <option>tcrypt</option> on the
behavior of the passphrase and key files when using TrueCrypt
- encryption mode.</para></listitem>
+ encryption mode.</para>
+
+ <xi:include href="version-info.xml" xpointer="v206"/></listitem>
</varlistentry>
<varlistentry>
<term><option>tcrypt-system</option></term>
<listitem><para>Use TrueCrypt in system encryption mode. This
- option implies <option>tcrypt</option>.</para></listitem>
+ option implies <option>tcrypt</option>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v206"/></listitem>
</varlistentry>
<varlistentry>
derivation algorithms that cannot be detected without this flag.
Enabling this option could substantially slow down unlocking, because
VeraCrypt's key derivation takes much longer than TrueCrypt's. This
- option implies <option>tcrypt</option>.</para></listitem>
+ option implies <option>tcrypt</option>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v232"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>veracrypt-pim=</option></term>
+
+ <listitem><para>Specifies a custom Personal Iteration Multiplier (PIM)
+ value, which can range from 0..2147468 for standard veracrypt volumes
+ and 0..65535 for veracrypt system volumes. A value of 0 will imply the
+ VeraCrypt default.
+
+ This option is only effective when <option>tcrypt-veracrypt</option> is
+ set.</para>
+
+ <para>Note that VeraCrypt enforces a minimal allowed PIM value depending on the
+ password strength and the hash algorithm used for key derivation, however
+ <option>veracrypt-pim=</option> is not checked against these bounds.
+ <ulink url="https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20%28PIM%29.html">See
+ documentation</ulink> for more information.</para>
+
+ <xi:include href="version-info.xml" xpointer="v254"/>
+ </listitem>
</varlistentry>
<varlistentry>
<listitem><para>Specifies the timeout for querying for a
password. If no unit is specified, seconds is used. Supported
units are s, ms, us, min, h, d. A timeout of 0 waits
- indefinitely (which is the default).</para></listitem>
+ indefinitely (which is the default).</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
option implies <option>plain</option>.</para>
<para>WARNING: Using the <option>tmp</option> option will destroy the contents of the named partition
- during every boot, so make sure the underlying block device is specified correctly.</para></listitem>
+ during every boot, so make sure the underlying block device is specified correctly.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Specifies the maximum number of times the user
is queried for a password. The default is 3. If set to 0, the
- user is queried for a password indefinitely.</para></listitem>
+ user is queried for a password indefinitely.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
<term><option>headless=</option></term>
<listitem><para>Takes a boolean argument, defaults to false. If true, never query interactively
- for the password/PIN. Useful for headless systems.</para></listitem>
+ for the password/PIN. Useful for headless systems.</para>
+
+ <xi:include href="version-info.xml" xpointer="v249"/></listitem>
</varlistentry>
<varlistentry>
<term><option>verify</option></term>
<listitem><para>If the encryption password is read from console, it has to be entered twice to
- prevent typos.</para></listitem>
+ prevent typos.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
(<literal>*</literal>) is echoed for each character typed. Regardless of
which mode is chosen, if the user hits the tabulator key (<literal>↹</literal>)
at any time, or the backspace key (<literal>⌫</literal>) before any other
- data has been entered, then echo is turned off.</para></listitem>
+ data has been entered, then echo is turned off.</para>
+
+ <xi:include href="version-info.xml" xpointer="v249"/></listitem>
</varlistentry>
<varlistentry>
implement the newer and simpler FIDO2 standard. Consider using <option>fido2-device=</option>
(described below) to enroll it via FIDO2 instead. Note that a security token enrolled via PKCS#11
cannot be used to unlock the volume via FIDO2, unless also enrolled via FIDO2, and vice
- versa.</para></listitem>
+ versa.</para>
+
+ <xi:include href="version-info.xml" xpointer="v245"/></listitem>
</varlistentry>
<varlistentry>
<para>Note that many security tokens that implement FIDO2 also implement PKCS#11, suitable for
unlocking volumes via the <option>pkcs11-uri=</option> option described above. Typically the newer,
- simpler FIDO2 standard is preferable.</para></listitem>
+ simpler FIDO2 standard is preferable.</para>
+
+ <xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
must be of LUKS2 type, and the CID is read from the LUKS2 JSON token header. Use
<citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>
for enrolling a FIDO2 token in the LUKS2 header compatible with this automatic
- mode.</para></listitem>
+ mode.</para>
+
+ <xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Takes a string, configuring the FIDO2 Relying Party (rp) for the FIDO2 unlock
operation. If not specified <literal>io.systemd.cryptsetup</literal> is used, except if the LUKS2
JSON token header contains a different value. It should normally not be necessary to override
- this.</para></listitem>
+ this.</para>
+
+ <xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
used to unlock the volume. When the randomized key is encrypted the current values of the selected
PCRs (see below) are included in the operation, so that different PCR state results in different
encrypted keys and the decrypted key can only be recovered if the same PCR state is
- reproduced.</para></listitem>
+ reproduced.</para>
+
+ <xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
<command>systemd-cryptenroll</command> writes it there. If not used (and no metadata in the LUKS2
JSON token header defines it), defaults to a list of a single entry: PCR 7. Assign an empty string to
encode a policy that binds the key to no PCRs, making the key accessible to local programs regardless
- of the current PCR state.</para></listitem>
+ of the current PCR state.</para>
+
+ <xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Takes a boolean argument, defaults to <literal>false</literal>. Controls whether
TPM2 volume unlocking is bound to a PIN in addition to PCRs. Similarly, this option is only useful
- when TPM2 enrollment metadata is not available.</para></listitem>
+ when TPM2 enrollment metadata is not available.</para>
+
+ <xi:include href="version-info.xml" xpointer="v251"/></listitem>
</varlistentry>
<varlistentry>
unlock a LUKS2 volume with a signed TPM2 PCR enrollment a suitable signature file
<filename>tpm2-pcr-signature.json</filename> is searched for in <filename>/etc/systemd/</filename>,
<filename>/run/systemd/</filename>, <filename>/usr/lib/systemd/</filename> (in this
- order).</para></listitem>
+ order).</para>
+
+ <xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
<varlistentry>
the specified PCR. The volume key is measured along with the activated volume name and its UUID. This
functionality is particularly useful for the encrypted volume backing the root file system, as it
then allows later TPM objects to be securely bound to the root file system and hence the specific
- installation.</para></listitem>
+ installation.</para>
+
+ <xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>
<varlistentry>
<option>tpm2-measure-pcr=</option> above. Multiple banks may be specified, separated by a colon
character. If not specified automatically determines available and used banks. Expects a message
digest name (e.g. <literal>sha1</literal>, <literal>sha256</literal>, …) as argument, to identify the
- bank.</para></listitem>
+ bank.</para>
+
+ <xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>
<varlistentry>
for supported formats). Defaults to 30s. Once the specified timeout elapsed authentication via
password is attempted. Note that this timeout applies to waiting for the security device to show up —
it does not apply to the PIN prompt for the device (should one be needed) or similar. Pass 0 to turn
- off the time-out and wait forever.</para></listitem>
+ off the time-out and wait forever.</para>
+
+ <xi:include href="version-info.xml" xpointer="v250"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Takes a boolean argument. If enabled, right before asking the user for a password it
is first attempted to unlock the volume with an empty password. This is useful for systems that are
initialized with an encrypted volume with only an empty password set, which shall be replaced with a
- suitable password during first boot, but after activation.</para></listitem>
+ suitable password during first boot, but after activation.</para>
+
+ <xi:include href="version-info.xml" xpointer="v246"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Specifies how long systemd should wait for a block device to show up before
giving up on the entry. The argument is a time in seconds or explicitly specified units of
<literal>s</literal>, <literal>min</literal>, <literal>h</literal>, <literal>ms</literal>.
- </para></listitem>
+ </para>
+
+ <xi:include href="version-info.xml" xpointer="v216"/></listitem>
</varlistentry>
<varlistentry>
<para>All other encrypted block devices that contain file systems mounted in the initrd should use
this option.</para>
+
+ <xi:include href="version-info.xml" xpointer="v245"/>
</listitem>
</varlistentry>
projects / thirdparty / systemd.git / blobdiff