<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->
<refentry id="systemd-cryptsetup@.service" conditional='HAVE_LIBCRYPTSETUP'>

  <refentryinfo>
    <title>systemd-cryptsetup@.service</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-cryptsetup@.service</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-cryptsetup@.service</refname>
    <refname>systemd-cryptsetup</refname>
    <refpurpose>Full disk decryption logic</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>systemd-cryptsetup@.service</filename></para>
    <para><filename>/usr/lib/systemd/systemd-cryptsetup</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><filename>systemd-cryptsetup@.service</filename> is a
    service responsible for setting up encrypted block devices. It is
    instantiated once for each device that requires decryption for
    access.</para>

    <para><filename>systemd-cryptsetup@.service</filename> will ask
    for hard disk passwords via the <ulink
    url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents">
    password agent logic</ulink>, in order to query the user for the
    password using the right mechanism at boot and during
    runtime.</para>

    <para>At early boot and when the system manager configuration is reloaded, <filename>/etc/crypttab</filename> is
    translated into <filename>systemd-cryptsetup@.service</filename> units by
    <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>

    <para>In order to unlock a volume a password or binary key is
    required. <filename>systemd-cryptsetup@.service</filename> tries to acquire a suitable password or binary
    key via the following mechanisms, tried in order:</para>

    <orderedlist>
      <listitem><para>If a key file is explicitly configured (via the third column in
      <filename>/etc/crypttab</filename>), a key read from it is used. If a PKCS#11 token is configured
      (using the <varname>pkcs11-uri=</varname> option) the key read from the file is decrypted with the
      token before use.</para></listitem>

      <listitem><para>If no key file is configured explicitly this way, a key file is automatically loaded
      from <filename>/etc/cryptsetup-keys.d/<replaceable>volume</replaceable>.key</filename> and
      <filename>/run/cryptsetup-keys.d/<replaceable>volume</replaceable>.key</filename>, if present. Here
      too, if a PKCS#11 token is configured, any key found this way is decrypted with the token before
      use.</para></listitem>

      <listitem><para>If the <varname>try-empty-password</varname> option is specified, an attempt is then
      made to unlock the volume with an empty password.</para></listitem>

      <listitem><para>The kernel keyring is then checked for a suitable cached password from previous
      attempts.</para></listitem>

      <listitem><para>Finally, the user is queried for a password, possibly multiple times.</para></listitem>
    </orderedlist>

    <para>If no suitable key can be acquired via any of the mechanisms described above, volume activation fails.</para>
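    <para>The following <filename>/etc/crypttab</filename> fragment is added here as an illustration of how each
    of the mechanisms above is selected; it is not part of systemd's own documentation. The volume names, device
    paths, key file paths and the PKCS#11 URI are placeholders.</para>

```crypttab
# Constructed example /etc/crypttab (every name, device, path and URI is a placeholder).
# name     device                                      key file                 options

# Mechanism 1: an explicit key file in the third column is read directly.
data       UUID=0f2b7a8e-1c3d-4e5f-8a9b-0c1d2e3f4a5b   /etc/luks/data.key       luks

# Mechanism 1 with a PKCS#11 token: the file holds the volume key encrypted to the
# token's key, and systemd-cryptsetup has the token decrypt it before use.
vault      /dev/disk/by-partlabel/vault                /etc/luks/vault.key.enc  luks,pkcs11-uri=pkcs11:token=example-token;object=example-key

# Mechanism 2: no explicit key file ("none"), so /etc/cryptsetup-keys.d/home.key and
# /run/cryptsetup-keys.d/home.key are tried; the password agent asks if neither exists.
home       /dev/disk/by-partlabel/home                 none                     luks

# Mechanism 3: an empty passphrase is tried before the kernel keyring and the prompt.
scratch    /dev/disk/by-partlabel/scratch              none                     luks,try-empty-password
```

    <para>The generator turns each line into a unit named after the first column, for example
    <filename>systemd-cryptsetup@home.service</filename>, which can be inspected with
    <command>systemctl status systemd-cryptsetup@home.service</command> and
    <command>journalctl -u systemd-cryptsetup@home.service</command>. Any key file that an unprivileged user
    can read, whether named in the third column or dropped into one of the
    <filename>cryptsetup-keys.d</filename> directories, lets that user unlock the volume, so such files should be
    owned by root with mode 0400. A volume that <varname>try-empty-password</varname> actually opens offers no
    protection at rest until a real passphrase or key is enrolled.</para>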
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>