git.ipfire.org Git - thirdparty/systemd.git/blame - man/crypttab.xml
treewide: fix multiple typos
<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
  This file is part of systemd.

  Copyright 2012 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.

  This is based on crypttab(5) from Fedora's initscripts package, which in
  turn is based on Debian's version.

  The Red Hat version has been written by Miloslav Trmac <mitr@redhat.com>.

-->
<refentry id="crypttab" conditional='HAVE_LIBCRYPTSETUP'>

        <refentryinfo>
                <title>crypttab</title>
                <productname>systemd</productname>

                <authorgroup>
                        <author>
                                <contrib>Documentation</contrib>
                                <firstname>Miloslav</firstname>
                                <surname>Trmac</surname>
                                <email>mitr@redhat.com</email>
                        </author>
                        <author>
                                <contrib>Documentation</contrib>
                                <firstname>Lennart</firstname>
                                <surname>Poettering</surname>
                                <email>lennart@poettering.net</email>
                        </author>
                </authorgroup>
        </refentryinfo>

        <refmeta>
                <refentrytitle>crypttab</refentrytitle>
                <manvolnum>5</manvolnum>
        </refmeta>

        <refnamediv>
                <refname>crypttab</refname>
                <refpurpose>Configuration for encrypted block devices</refpurpose>
        </refnamediv>

        <refsynopsisdiv>
                <para><filename>/etc/crypttab</filename></para>
        </refsynopsisdiv>

        <refsect1>
                <title>Description</title>

                <para>The <filename>/etc/crypttab</filename> file
                describes encrypted block devices that are set up
                during system boot.</para>

                <para>Empty lines and lines starting with the <literal>#</literal>
                character are ignored. Each of the remaining lines
                describes one encrypted block device; fields on the
                line are delimited by white space. The first two
                fields are mandatory, the remaining two are
                optional.</para>

                <para>Setting up encrypted block devices using this file
                supports three encryption modes: LUKS, TrueCrypt and plain.
                See <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                for more information about each mode. When no mode is specified
                in the options field and the block device contains a LUKS
                signature, it is opened as a LUKS device; otherwise, it is
                assumed to be in raw dm-crypt (plain mode) format. Note that
                plain mode has no on-disk header: cipher, hash and key size
                must then be supplied in the options field, and a wrong
                passphrase is not detected but simply yields unreadable
                data.</para>

                <para>The first field contains the name of the
                resulting encrypted block device; the device is set up
                within <filename>/dev/mapper/</filename>.</para>

                <para>The second field contains a path to the
                underlying block device or file, or a specification of a block
                device via <literal>UUID=</literal> followed by the
                UUID.</para>

                <para>The third field specifies the encryption
                password. If the field is not present or the password
                is set to <literal>none</literal> or <literal>-</literal>,
                the password has to be manually entered during system boot.
                Otherwise, the field is interpreted as an absolute path to
                a file containing the encryption password; such a file holds
                the raw secret and should be readable by root only. For swap
                encryption,
                <filename>/dev/urandom</filename> or the hardware
                device <filename>/dev/hw_random</filename> can be used
                as the password file; using
                <filename>/dev/random</filename> may prevent boot
                completion if the system does not have enough entropy
                to generate a truly random encryption key.</para>

                <para>The fourth field, if present, is a
                comma-delimited list of options. The following
                options are recognized:</para>

                <variablelist class='fstab-options'>

                        <varlistentry>
                                <term><option>discard</option></term>

                                <listitem><para>Allow discard requests to be
                                passed through the encrypted block device. This
                                improves performance on SSD storage but has
                                security implications: the pattern of discarded
                                sectors reveals which parts of the device are
                                unused, and so can disclose the filesystem type
                                and the amount of used space to anyone who
                                inspects the raw device.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>cipher=</option></term>

                                <listitem><para>Specifies the cipher to use. See
                                <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                                for possible values and the default value of
                                this option. A cipher with unpredictable IV
                                values, such as <literal>aes-cbc-essiv:sha256</literal>,
                                is recommended. This option only takes effect in
                                plain mode; LUKS and TrueCrypt volumes record the
                                cipher in their header.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>hash=</option></term>

                                <listitem><para>Specifies the hash to use for
                                password hashing. See
                                <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                                for possible values and the default value of
                                this option.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>header=</option></term>

                                <listitem><para>Use a detached (separated)
                                metadata device or file where the LUKS header
                                is stored. This option is only relevant for
                                LUKS devices. See
                                <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                                for possible values and the default value of
                                this option.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>keyfile-offset=</option></term>

                                <listitem><para>Specifies the number of bytes to
                                skip at the start of the key file. See
                                <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                                for possible values and the default value of
                                this option.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>keyfile-size=</option></term>

                                <listitem><para>Specifies the maximum number
                                of bytes to read from the key file. See
                                <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                                for possible values and the default value of
                                this option. This option is ignored in plain
                                encryption mode, as the key file size is then
                                given by the key size.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>key-slot=</option></term>

                                <listitem><para>Specifies the key slot to
                                compare the passphrase or key against.
                                If the key slot does not match the given
                                passphrase or key, but another would, the
                                setup of the device will fail regardless.
                                This option implies <option>luks</option>. See
                                <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                                for possible values. The default is to try
                                all key slots in sequential order.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>luks</option></term>

                                <listitem><para>Force LUKS mode. When this mode
                                is used, the following options are ignored since
                                they are provided by the LUKS header on the
                                device: <option>cipher=</option>,
                                <option>hash=</option>,
                                <option>size=</option>.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>noauto</option></term>

                                <listitem><para>This device will not be
                                automatically unlocked on boot.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>nofail</option></term>

                                <listitem><para>The system will not wait for the
                                device to show up and be unlocked at boot, and
                                will not fail the boot if it does not show up.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>plain</option></term>

                                <listitem><para>Force plain encryption mode.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>read-only</option></term><term><option>readonly</option></term>

                                <listitem><para>Set up the encrypted block
                                device in read-only mode.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>size=</option></term>

                                <listitem><para>Specifies the key size
                                in bits. See
                                <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                                for possible values and the default value of
                                this option.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>swap</option></term>

                                <listitem><para>The encrypted block device will
                                be used as a swap device, and will be formatted
                                accordingly after setting up the encrypted
                                block device, with
                                <citerefentry project='man-pages'><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
                                This option implies <option>plain</option>.</para>

                                <para>WARNING: Using the <option>swap</option>
                                option will destroy the contents of the named
                                partition during every boot, so make sure the
                                underlying block device is specified correctly.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>tcrypt</option></term>

                                <listitem><para>Use TrueCrypt encryption mode.
                                When this mode is used, the following options are
                                ignored since they are provided by the TrueCrypt
                                header on the device or do not apply:
                                <option>cipher=</option>,
                                <option>hash=</option>,
                                <option>keyfile-offset=</option>,
                                <option>keyfile-size=</option>,
                                <option>size=</option>.</para>

                                <para>When this mode is used, the passphrase is
                                read from the key file given in the third field.
                                Only the first line of this file is read,
                                excluding the newline character.</para>

                                <para>Note that the TrueCrypt format uses both
                                passphrase and key files to derive a password
                                for the volume. Therefore, the passphrase and
                                all key files need to be provided. Use
                                <option>tcrypt-keyfile=</option> to provide
                                the absolute path to all key files. When using
                                an empty passphrase in combination with one or
                                more key files, use <literal>/dev/null</literal>
                                as the password file in the third field.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>tcrypt-hidden</option></term>

                                <listitem><para>Use the hidden TrueCrypt volume.
                                This option implies <option>tcrypt</option>.</para>

                                <para>This will map the hidden volume that is
                                inside of the volume provided in the second
                                field. Please note that there is no protection
                                for the hidden volume if the outer volume is
                                mounted instead. See
                                <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                                for more information on this limitation.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>tcrypt-keyfile=</option></term>

                                <listitem><para>Specifies the absolute path to a
                                key file to use for a TrueCrypt volume. This
                                implies <option>tcrypt</option> and can be
                                used more than once to provide several key
                                files.</para>

                                <para>See the entry for <option>tcrypt</option>
                                on the behavior of the passphrase and key files
                                when using TrueCrypt encryption mode.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>tcrypt-system</option></term>

                                <listitem><para>Use TrueCrypt in system
                                encryption mode. This option implies
                                <option>tcrypt</option>.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>timeout=</option></term>

                                <listitem><para>Specifies the timeout for
                                querying for a password. If no unit is
                                specified, seconds is used. Supported units are
                                s, ms, us, min, h, d. A timeout of 0 waits
                                indefinitely (which is the default).</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>x-systemd.device-timeout=</option></term>

                                <listitem><para>Specifies how long
                                systemd should wait for a device to
                                show up before giving up on the
                                entry. The argument is a time in
                                seconds or explicitly specified
                                units of <literal>s</literal>,
                                <literal>min</literal>,
                                <literal>h</literal>,
                                <literal>ms</literal>.
                                </para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>tmp</option></term>

                                <listitem><para>The encrypted block device will
                                be prepared for use as <filename>/tmp</filename>;
                                it will be formatted using
                                <citerefentry project='man-pages'><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
                                This option implies <option>plain</option>.</para>

                                <para>WARNING: Using the <option>tmp</option>
                                option will destroy the contents of the named
                                partition during every boot, so make sure the
                                underlying block device is specified correctly.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>tries=</option></term>

                                <listitem><para>Specifies the maximum number of
                                times the user is queried for a password.
                                The default is 3. If set to 0, the user is
                                queried for a password indefinitely.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>verify</option></term>

                                <listitem><para>If the encryption password is
                                read from console, it has to be entered twice to
                                prevent typos.</para></listitem>
                        </varlistentry>

                </variablelist>

                <para>At early boot and when the system manager
                configuration is reloaded, this file is translated into
                native systemd units
                by <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
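                <para>The field rules described above and the option
                semantics in the list (implied modes, options ignored per
                mode, the LUKS-signature fallback, timeout units), as an
                added example that is not part of systemd or of this
                manual page: a small Python checker that parses a
                crypttab, resolves the mode each entry will be opened in
                and reports problems before a reboot. The function and
                class names, the LUKS_MAGIC bytes used to stand in for
                "contains a LUKS signature", the lint wording and the
                sample entries in the test are this example's own
                assumptions.</para>

```python
"""Parse, mode-resolve and lint /etc/crypttab entries per crypttab(5).

Added example, not systemd's own code: it re-implements the documented
field and option rules so a crypttab can be checked before a reboot.
LUKS_MAGIC and the lint wording are this example's assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# "This option implies ..." notes from the option list.
IMPLIED = {"swap": "plain", "tmp": "plain", "key-slot": "luks",
           "tcrypt-hidden": "tcrypt", "tcrypt-keyfile": "tcrypt",
           "tcrypt-system": "tcrypt"}
# Options each mode ignores because the on-disk header carries them.
IGNORED_BY = {"luks": {"cipher", "hash", "size"},
              "tcrypt": {"cipher", "hash", "keyfile-offset", "keyfile-size", "size"}}
# Units accepted by timeout=; a bare number is seconds.
TIME_UNITS = {"s": 1.0, "ms": 1e-3, "us": 1e-6, "min": 60.0, "h": 3600.0, "d": 86400.0}
# First six bytes of a LUKS header; assumed here to stand in for
# "the block device contains a LUKS signature".
LUKS_MAGIC = b"LUKS\xba\xbe"


@dataclass
class Entry:
    name: str
    device: str
    password: str | None                      # None: ask at boot
    options: dict[str, list[str]] = field(default_factory=dict)
    forced_mode: str | None = None            # luks / tcrypt / plain or None


def parse_timespan(value: str) -> float:
    """'30' -> 30.0, '500ms' -> 0.5, '2min' -> 120.0; 0 means wait forever."""
    digits = value.rstrip("abcdefghijklmnopqrstuvwxyz")
    unit = value[len(digits):] or "s"
    if unit not in TIME_UNITS:
        raise ValueError(f"unknown time unit {unit!r} in {value!r}")
    return float(digits) * TIME_UNITS[unit]


def parse_line(line: str) -> Entry | None:
    """None for blank and '#' lines; ValueError for malformed entries."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) == 1:
        raise ValueError(f"name and device are mandatory: {line!r}")
    password = fields[2] if len(fields) > 2 else None
    entry = Entry(fields[0], fields[1], None if password in ("none", "-") else password)
    if len(fields) > 3:
        for opt in fields[3].split(","):
            key, _, val = opt.partition("=")
            entry.options.setdefault(key, []).append(val)   # repeatable (tcrypt-keyfile=)
    forced = {"luks", "plain", "tcrypt"}.intersection(entry.options)
    forced.update(IMPLIED[k] for k in entry.options if k in IMPLIED)
    if len(forced) > 1:
        raise ValueError(f"{entry.name}: conflicting modes {sorted(forced)}")
    entry.forced_mode = forced.pop() if forced else None
    return entry


def parse_crypttab(text: str) -> list[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def detect_mode(entry: Entry, header: bytes) -> str:
    """Explicit or implied mode wins; otherwise LUKS signature, otherwise plain."""
    if entry.forced_mode:
        return entry.forced_mode
    return "luks" if header.startswith(LUKS_MAGIC) else "plain"


def lint(entry: Entry) -> list[str]:
    """Problems an administrator wants to see before the next boot."""
    warn: list[str] = []
    for opt in sorted(IGNORED_BY.get(entry.forced_mode, ())):
        if opt in entry.options:
            warn.append(f"{opt}= is ignored in {entry.forced_mode} mode")
    if entry.password is not None and not entry.password.startswith("/"):
        warn.append("third field must be an absolute path, 'none' or '-'")
    if entry.password == "/dev/random":
        warn.append("/dev/random may block boot on low entropy; use /dev/urandom")
    if entry.forced_mode == "tcrypt" and entry.password is None:
        warn.append("tcrypt reads the passphrase from the third field; use /dev/null if empty")
    if "swap" in entry.options or "tmp" in entry.options:
        warn.append(f"{entry.device} is reformatted on every boot; verify the device")
    if "discard" in entry.options:
        warn.append("discard exposes which sectors are unused on the raw device")
    for key in ("timeout", "x-systemd.device-timeout"):
        if key in entry.options:
            try:
                parse_timespan(entry.options[key][-1])
            except ValueError as exc:
                warn.append(str(exc))
    return warn
```

                <para>Feed it the text of a crypttab (for instance the
                four-line example below) and call lint() on each entry;
                detect_mode() takes the first bytes of the underlying
                device so the LUKS-versus-plain fallback can be checked
                without actually opening the volume. A conflicting
                combination such as luks together with swap (which
                implies plain) is rejected at parse time.</para>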
        </refsect1>

        <refsect1>
                <title>Example</title>
                <example>
                        <title>/etc/crypttab example</title>
                        <para>Set up four encrypted block devices. One using
                        LUKS for normal storage, another one for usage as a swap
                        device and two TrueCrypt volumes.</para>

                        <programlisting>luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b
swap /dev/sda7 /dev/urandom swap
truecrypt /dev/sda2 /etc/container_password tcrypt
hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile</programlisting>
                </example>
        </refsect1>

        <refsect1>
                <title>See Also</title>
                <para>
                        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry project='man-pages'><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry project='man-pages'><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                </para>
        </refsect1>

</refentry>