device or file, or a specification of a block device via
<literal>UUID=</literal> followed by the UUID.</para>
- <para>The third field specifies an absolute path to a file to read the encryption key from. If the field
- is not present or set to <literal>none</literal> or <literal>-</literal>, a key file named after the
- volume to unlock (i.e. the first column of the line), suffixed with <filename>.key</filename> is
- automatically loaded from the <filename>/etc/cryptsetup-keys.d/</filename> and
- <filename>/run/cryptsetup-keys.d/</filename> directories, if present. Otherwise, the password has to be
- manually entered during system boot. For swap encryption, <filename>/dev/urandom</filename> may be used
- as key file.</para>
+ <para>The third field specifies an absolute path to a file to read the encryption key from. Optionally,
+ the path may be followed by <literal>:</literal> and an fstab device specification (e.g. starting with
+ <literal>LABEL=</literal> or similar); in which case, the path is relative to the device file system
+ root. If the field is not present or set to <literal>none</literal> or <literal>-</literal>, a key file
+ named after the volume to unlock (i.e. the first column of the line), suffixed with
+ <filename>.key</filename> is automatically loaded from the <filename>/etc/cryptsetup-keys.d/</filename>
+ and <filename>/run/cryptsetup-keys.d/</filename> directories, if present. Otherwise, the password has to
+ be manually entered during system boot. For swap encryption, <filename>/dev/urandom</filename> may be
+ used as key file.</para>
<para>The fourth field, if present, is a comma-delimited list of
options. The following options are recognized:</para>
<option>size=</option>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>bitlk</option></term>
+
+ <listitem><para>Decrypt Bitlocker drive. Encryption parameters
+ are deduced by cryptsetup from Bitlocker header.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>_netdev</option></term>
<listitem><para>Perform encryption using the same cpu that IO was submitted on. The default is to use
an unbound workqueue so that encryption work is automatically balanced between available CPUs.</para>
+
<para>This requires kernel 4.0 or newer.</para>
</listitem>
</varlistentry>
<term><option>submit-from-crypt-cpus</option></term>
<listitem><para>Disable offloading writes to a separate thread after encryption. There are some
- situations where offloading write bios from the encryption threads to a single thread degrades
- performance significantly. The default is to offload write bios to the same thread because it benefits
- CFQ to have writes submitted using the same context.</para>
+ situations where offloading write requests from the encryption threads to a dedicated thread degrades
+ performance significantly. The default is to offload write requests to a dedicated thread because it
+ benefits the CFQ scheduler to have writes submitted using the same context.</para>
+
<para>This requires kernel 4.0 or newer.</para>
</listitem>
</varlistentry>
</varlistentry>
<varlistentry>
- <term><option>tmp</option></term>
+ <term><option>tmp=</option></term>
- <listitem><para>The encrypted block device will be prepared
- for using it as <filename>/tmp</filename>; it will be
- formatted using
- <citerefentry project='man-pages'><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
- This option implies <option>plain</option>.</para>
+ <listitem><para>The encrypted block device will be prepared for using it as
+ <filename>/tmp/</filename>; it will be formatted using <citerefentry
+ project='man-pages'><refentrytitle>mkfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes
+ a file system type as argument, such as <literal>ext4</literal>, <literal>xfs</literal> or
+ <literal>btrfs</literal>. If no argument is specified defaults to <literal>ext4</literal>. This
+ option implies <option>plain</option>.</para>
- <para>WARNING: Using the <option>tmp</option> option will
- destroy the contents of the named partition during every boot,
- so make sure the underlying block device is specified
- correctly.</para></listitem>
+ <para>WARNING: Using the <option>tmp</option> option will destroy the contents of the named partition
+ during every boot, so make sure the underlying block device is specified correctly.</para></listitem>
</varlistentry>
<varlistentry>
<para>The PKCS#11 logic allows hooking up any compatible security token that is capable of storing RSA
decryption keys. Here's an example how to set up a Yubikey security token for this purpose, using
- <command>ykman</command> from the yubikey-manager project:</para>
+ <citerefentry project='debian'><refentrytitle>ykmap</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ from the yubikey-manager project:</para>
<programlisting><xi:include href="yubikey-crypttab.sh" parse="text" /></programlisting>