for possible values and the default value of this option. A cipher with unpredictable IV values, such
as <literal>aes-cbc-essiv:sha256</literal>, is recommended. Embedded commas in the cipher
specification need to be escaped by preceding them with a backslash, see example below.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/>
</listitem>
</varlistentry>
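Review bot: the xpointer="v186" attached to cipher= here is the same pointer this patch attaches to hash=, luks, noauto, nofail, plain, read-only, size=, swap, timeout=, tmp, tries= and verify further down, so it is not clear whether it records the release that introduced each option or only the oldest release being tracked. If it is a baseline, say so where v186 is defined in version-info.xml, so readers do not take it as the exact introduction point for every one of these options.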
<listitem><para>Allow discard requests to be passed through the encrypted block
device. This improves performance on SSD storage but has security implications.
- </para></listitem>
+ </para>
+
+ <xi:include href="version-info.xml" xpointer="v207"/></listitem>
</varlistentry>
<varlistentry>
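Review bot: the paragraph above the new v207 include still ends at "has security implications" without saying what they are or where to read about them. Since this entry is being touched anyway, consider adding the same cryptsetup(8) citerefentry that the neighbouring entries use, so the reader has somewhere to look before enabling discard on an encrypted device.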
hashing. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of this
- option.</para></listitem>
+ option.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
<para>Optionally, the path may be followed by <literal>:</literal> and an
<filename>/etc/fstab</filename> device specification (e.g. starting with <literal>UUID=</literal> or
similar); in which case, the path is relative to the device file system root. The device gets mounted
- automatically for LUKS device activation duration only.</para></listitem>
+ automatically for LUKS device activation duration only.</para>
+
+ <xi:include href="version-info.xml" xpointer="v219"/></listitem>
</varlistentry>
<varlistentry>
start of the key file. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of this
- option.</para></listitem>
+ option.</para>
+
+ <xi:include href="version-info.xml" xpointer="v187"/></listitem>
</varlistentry>
<varlistentry>
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of this option. This
option is ignored in plain encryption mode, as the key file
- size is then given by the key size.</para></listitem>
+ size is then given by the key size.</para>
+
+ <xi:include href="version-info.xml" xpointer="v188"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>If enabled, the specified key file is erased after the volume is activated or when
activation fails. This is in particular useful when the key file is only acquired transiently before
activation (e.g. via a file in <filename>/run/</filename>, generated by a service running before
- activation), and shall be removed after use. Defaults to off.</para></listitem>
+ activation), and shall be removed after use. Defaults to off.</para>
+
+ <xi:include href="version-info.xml" xpointer="v246"/></listitem>
</varlistentry>
<varlistentry>
<option>luks</option>. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values. The default is to try all key slots in
- sequential order.</para></listitem>
+ sequential order.</para>
+
+ <xi:include href="version-info.xml" xpointer="v209"/></listitem>
</varlistentry>
<varlistentry>
and falls back to a password if it could not be accessed. See
<citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for key files on external devices.
- </para></listitem>
+ </para>
+
+ <xi:include href="version-info.xml" xpointer="v243"/></listitem>
</varlistentry>
<varlistentry>
following options are ignored since they are provided by the
LUKS header on the device: <option>cipher=</option>,
<option>hash=</option>,
- <option>size=</option>.</para></listitem>
+ <option>size=</option>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
<term><option>bitlk</option></term>
<listitem><para>Decrypt BitLocker drive. Encryption parameters
- are deduced by cryptsetup from BitLocker header.</para></listitem>
+ are deduced by cryptsetup from BitLocker header.</para>
+
+ <xi:include href="version-info.xml" xpointer="v246"/></listitem>
</varlistentry>
<varlistentry>
will be pulled in by <filename>local-fs.target</filename>, while the
service to configure the network is usually only started <emphasis>after</emphasis>
the local file system has been mounted.</para>
+
+ <xi:include href="version-info.xml" xpointer="v235"/>
</listitem>
</varlistentry>
This means that it will not be automatically unlocked on boot, unless something else pulls
it in. In particular, if the device is used for a mount point, it'll be unlocked
automatically during boot, unless the mount point itself is also disabled with
- <option>noauto</option>.</para></listitem>
+ <option>noauto</option>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
unsuccessful. Note that other units that depend on the unlocked device may still fail. In
particular, if the device is used for a mount point, the mount point itself also needs to
have the <option>nofail</option> option, or the boot will fail if the device is not unlocked
- successfully.</para></listitem>
+ successfully.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
<term><option>offset=</option></term>
<listitem><para>Start offset in the backend device, in 512-byte sectors. This
- option is only relevant for plain devices.</para></listitem>
+ option is only relevant for plain devices.</para>
+
+ <xi:include href="version-info.xml" xpointer="v220"/></listitem>
</varlistentry>
<varlistentry>
<term><option>plain</option></term>
- <listitem><para>Force plain encryption mode.</para></listitem>
+ <listitem><para>Force plain encryption mode.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
<term><option>read-only</option></term><term><option>readonly</option></term>
<listitem><para>Set up the encrypted block device in read-only
- mode.</para></listitem>
+ mode.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
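Review bot: this entry carries two term elements, read-only and readonly, but only one version marker (v186) is added for the pair. Please confirm both spellings date from the same release. If one alias was added later, it needs its own note, otherwise the rendered text will claim both have existed since v186.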
an unbound workqueue so that encryption work is automatically balanced between available CPUs.</para>
<para>This requires kernel 4.0 or newer.</para>
+
+ <xi:include href="version-info.xml" xpointer="v242"/>
</listitem>
</varlistentry>
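Review bot: the closing listitem tag stays on its own line after the include in this entry (the same happens for cipher=, the v235 entry, the next workqueue entry, the v220 entry at "only relevant for plain devices" and the last v245 entry), while everywhere else in the patch it is appended directly to the xi:include line. Pick one layout for the whole file. Keeping the closing tag on its own line in all entries would keep later diffs to these lines smaller.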
benefits the CFQ scheduler to have writes submitted using the same context.</para>
<para>This requires kernel 4.0 or newer.</para>
+
+ <xi:include href="version-info.xml" xpointer="v242"/>
</listitem>
</varlistentry>
with its number for IV generation being <replaceable>n</replaceable>.</para>
<para>This option is only relevant for plain devices.</para>
+
+ <xi:include href="version-info.xml" xpointer="v220"/>
</listitem>
</varlistentry>
<listitem><para>Specifies the key size in bits. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of this
- option.</para></listitem>
+ option.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Specifies the sector size in bytes. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of this
- option.</para></listitem>
+ option.</para>
+
+ <xi:include href="version-info.xml" xpointer="v240"/></listitem>
</varlistentry>
<varlistentry>
<para>WARNING: Using the <option>swap</option> option will
destroy the contents of the named partition during every boot,
so make sure the underlying block device is specified
- correctly.</para></listitem>
+ correctly.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
to all key files. When using an empty passphrase in
combination with one or more key files, use
<literal>/dev/null</literal> as the password file in the third
- field.</para></listitem>
+ field.</para>
+
+ <xi:include href="version-info.xml" xpointer="v206"/></listitem>
</varlistentry>
<varlistentry>
no protection for the hidden volume if the outer volume is
mounted instead. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- for more information on this limitation.</para></listitem>
+ for more information on this limitation.</para>
+
+ <xi:include href="version-info.xml" xpointer="v206"/></listitem>
</varlistentry>
<varlistentry>
<para>See the entry for <option>tcrypt</option> on the
behavior of the passphrase and key files when using TrueCrypt
- encryption mode.</para></listitem>
+ encryption mode.</para>
+
+ <xi:include href="version-info.xml" xpointer="v206"/></listitem>
</varlistentry>
<varlistentry>
<term><option>tcrypt-system</option></term>
<listitem><para>Use TrueCrypt in system encryption mode. This
- option implies <option>tcrypt</option>.</para></listitem>
+ option implies <option>tcrypt</option>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v206"/></listitem>
</varlistentry>
<varlistentry>
derivation algorithms that cannot be detected without this flag.
Enabling this option could substantially slow down unlocking, because
VeraCrypt's key derivation takes much longer than TrueCrypt's. This
- option implies <option>tcrypt</option>.</para></listitem>
+ option implies <option>tcrypt</option>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v232"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Specifies the timeout for querying for a
password. If no unit is specified, seconds is used. Supported
units are s, ms, us, min, h, d. A timeout of 0 waits
- indefinitely (which is the default).</para></listitem>
+ indefinitely (which is the default).</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
option implies <option>plain</option>.</para>
<para>WARNING: Using the <option>tmp</option> option will destroy the contents of the named partition
- during every boot, so make sure the underlying block device is specified correctly.</para></listitem>
+ during every boot, so make sure the underlying block device is specified correctly.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Specifies the maximum number of times the user
is queried for a password. The default is 3. If set to 0, the
- user is queried for a password indefinitely.</para></listitem>
+ user is queried for a password indefinitely.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
<term><option>verify</option></term>
<listitem><para>If the encryption password is read from console, it has to be entered twice to
- prevent typos.</para></listitem>
+ prevent typos.</para>
+
+ <xi:include href="version-info.xml" xpointer="v186"/></listitem>
</varlistentry>
<varlistentry>
implement the newer and simpler FIDO2 standard. Consider using <option>fido2-device=</option>
(described below) to enroll it via FIDO2 instead. Note that a security token enrolled via PKCS#11
cannot be used to unlock the volume via FIDO2, unless also enrolled via FIDO2, and vice
- versa.</para></listitem>
+ versa.</para>
+
+ <xi:include href="version-info.xml" xpointer="v245"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Takes a boolean argument. If enabled, right before asking the user for a password it
is first attempted to unlock the volume with an empty password. This is useful for systems that are
initialized with an encrypted volume with only an empty password set, which shall be replaced with a
- suitable password during first boot, but after activation.</para></listitem>
+ suitable password during first boot, but after activation.</para>
+
+ <xi:include href="version-info.xml" xpointer="v246"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Specifies how long systemd should wait for a block device to show up before
giving up on the entry. The argument is a time in seconds or explicitly specified units of
<literal>s</literal>, <literal>min</literal>, <literal>h</literal>, <literal>ms</literal>.
- </para></listitem>
+ </para>
+
+ <xi:include href="version-info.xml" xpointer="v216"/></listitem>
</varlistentry>
<varlistentry>
<para>All other encrypted block devices that contain file systems mounted in the initrd should use
this option.</para>
+
+ <xi:include href="version-info.xml" xpointer="v245"/>
</listitem>
</varlistentry>