]>
Commit | Line | Data |
---|---|---|
45ae1a05 LP |
1 | <?xml version="1.0"?> |
2 | <!--*-nxml-*--> | |
3 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | |
4 | <!-- | |
5 | This file is part of systemd. | |
6 | ||
7 | Copyright 2012 Lennart Poettering | |
8 | ||
9 | systemd is free software; you can redistribute it and/or modify it | |
10 | under the terms of the GNU Lesser General Public License as published by | |
11 | the Free Software Foundation; either version 2.1 of the License, or | |
12 | (at your option) any later version. | |
13 | ||
14 | systemd is distributed in the hope that it will be useful, but | |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
17 | Lesser General Public License for more details. | |
18 | ||
19 | You should have received a copy of the GNU Lesser General Public License | |
20 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
21 | ||
22 | This is based on crypttab(5) from Fedora's initscripts package, which in | |
23 | turn is based on Debian's version. | |
24 | ||
25 | The Red Hat version has been written by Miloslav Trmac <mitr@redhat.com>. | |
26 | ||
27 | --> | |
56ba3c78 | 28 | <refentry id="crypttab" conditional='HAVE_LIBCRYPTSETUP'> |
45ae1a05 LP |
29 | |
30 | <refentryinfo> | |
31 | <title>crypttab</title> | |
32 | <productname>systemd</productname> | |
33 | ||
34 | <authorgroup> | |
35 | <author> | |
36 | <contrib>Documentation</contrib> | |
37 | <firstname>Miloslav</firstname> | |
38 | <surname>Trmac</surname> | |
39 | <email>mitr@redhat.com</email> | |
40 | </author> | |
41 | <author> | |
42 | <contrib>Documentation</contrib> | |
43 | <firstname>Lennart</firstname> | |
44 | <surname>Poettering</surname> | |
45 | <email>lennart@poettering.net</email> | |
46 | </author> | |
47 | </authorgroup> | |
48 | </refentryinfo> | |
49 | ||
50 | <refmeta> | |
51 | <refentrytitle>crypttab</refentrytitle> | |
52 | <manvolnum>5</manvolnum> | |
53 | </refmeta> | |
54 | ||
55 | <refnamediv> | |
56 | <refname>crypttab</refname> | |
57 | <refpurpose>Configuration for encrypted block devices</refpurpose> | |
58 | </refnamediv> | |
59 | ||
60 | <refsynopsisdiv> | |
61 | <para><filename>/etc/crypttab</filename></para> | |
62 | </refsynopsisdiv> | |
63 | ||
64 | <refsect1> | |
65 | <title>Description</title> | |
66 | ||
67 | <para>The <filename>/etc/crypttab</filename> file | |
68 | describes encrypted block devices that are set up | |
69 | during system boot.</para> | |
70 | ||
909f413d | 71 | <para>Empty lines and lines starting with the <literal>#</literal> |
45ae1a05 LP |
72 | character are ignored. Each of the remaining lines |
73 | describes one encrypted block device, fields on the | |
74 | line are delimited by white space. The first two | |
75 | fields are mandatory, the remaining two are | |
76 | optional.</para> | |
77 | ||
8cf3ca80 JJ |
78 | <para>Setting up encrypted block devices using this file |
79 | supports three encryption modes: LUKS, TrueCrypt and plain. | |
80 | See <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
81 | for more information about each mode. When no mode is specified | |
82 | in the options field and the block device contains a LUKS | |
83 | signature, it is opened as a LUKS device; otherwise, it is | |
84 | assumed to be in raw dm-crypt (plain mode) format.</para> | |
85 | ||
45ae1a05 LP |
86 | <para>The first field contains the name of the |
87 | resulting encrypted block device; the device is set up | |
88 | within <filename>/dev/mapper/</filename>.</para> | |
89 | ||
90 | <para>The second field contains a path to the | |
8cf3ca80 | 91 | underlying block device or file, or a specification of a block |
45ae1a05 | 92 | device via <literal>UUID=</literal> followed by the |
8cf3ca80 | 93 | UUID.</para> |
45ae1a05 LP |
94 | |
95 | <para>The third field specifies the encryption | |
96 | password. If the field is not present or the password | |
8cf3ca80 JJ |
97 | is set to <literal>none</literal> or <literal>-</literal>, |
98 | the password has to be manually entered during system boot. | |
99 | Otherwise, the field is interpreted as a absolute path to | |
100 | a file containing the encryption password. For swap encryption, | |
45ae1a05 LP |
101 | <filename>/dev/urandom</filename> or the hardware |
102 | device <filename>/dev/hw_random</filename> can be used | |
103 | as the password file; using | |
104 | <filename>/dev/random</filename> may prevent boot | |
105 | completion if the system does not have enough entropy | |
106 | to generate a truly random encryption key.</para> | |
107 | ||
108 | <para>The fourth field, if present, is a | |
109 | comma-delimited list of options. The following | |
110 | options are recognized:</para> | |
111 | ||
63b03c0b | 112 | <variablelist class='fstab-options'> |
8cf3ca80 JJ |
113 | |
114 | <varlistentry> | |
63b03c0b | 115 | <term><option>discard</option></term> |
8cf3ca80 JJ |
116 | |
117 | <listitem><para>Allow discard requests to be | |
118 | passed through the encrypted block device. This | |
119 | improves performance on SSD storage but has | |
120 | security implications.</para></listitem> | |
121 | </varlistentry> | |
122 | ||
45ae1a05 | 123 | <varlistentry> |
63b03c0b | 124 | <term><option>cipher=</option></term> |
45ae1a05 | 125 | |
8cf3ca80 | 126 | <listitem><para>Specifies the cipher to use. See |
45ae1a05 | 127 | <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
8cf3ca80 JJ |
128 | for possible values and the default value of |
129 | this option. A cipher with unpredictable IV | |
130 | values, such as <literal>aes-cbc-essiv:sha256</literal>, | |
131 | is recommended.</para></listitem> | |
45ae1a05 LP |
132 | </varlistentry> |
133 | ||
45ae1a05 | 134 | <varlistentry> |
63b03c0b | 135 | <term><option>hash=</option></term> |
45ae1a05 | 136 | |
8cf3ca80 JJ |
137 | <listitem><para>Specifies the hash to use for |
138 | password hashing. See | |
45ae1a05 | 139 | <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
8cf3ca80 JJ |
140 | for possible values and the default value of |
141 | this option.</para></listitem> | |
45ae1a05 LP |
142 | </varlistentry> |
143 | ||
7376e835 AC |
144 | <varlistentry> |
145 | <term><option>header=</option></term> | |
146 | ||
147 | <listitem><para>Use a detached (separated) | |
148 | metadata device or file where the LUKS header | |
149 | is stored. This option is only relevant for | |
150 | LUKS devices. See | |
151 | <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
152 | for possible values and the default value of | |
153 | this option.</para></listitem> | |
154 | </varlistentry> | |
155 | ||
8cf3ca80 | 156 | <varlistentry> |
63b03c0b | 157 | <term><option>keyfile-offset=</option></term> |
8cf3ca80 JJ |
158 | |
159 | <listitem><para>Specifies the number of bytes to | |
160 | skip at the start of the key file. See | |
161 | <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
162 | for possible values and the default value of | |
163 | this option.</para></listitem> | |
164 | </varlistentry> | |
45ae1a05 | 165 | |
4271d823 | 166 | <varlistentry> |
63b03c0b | 167 | <term><option>keyfile-size=</option></term> |
4271d823 TG |
168 | |
169 | <listitem><para>Specifies the maximum number | |
8cf3ca80 | 170 | of bytes to read from the key file. See |
4271d823 | 171 | <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
8cf3ca80 JJ |
172 | for possible values and the default value of |
173 | this option. This option is ignored in plain | |
174 | encryption mode, as the key file size is then | |
175 | given by the key size.</para></listitem> | |
4271d823 TG |
176 | </varlistentry> |
177 | ||
b4a11878 | 178 | <varlistentry> |
63b03c0b | 179 | <term><option>key-slot=</option></term> |
b4a11878 CS |
180 | |
181 | <listitem><para>Specifies the key slot to | |
182 | compare the passphrase or key against. | |
183 | If the key slot does not match the given | |
184 | passphrase or key, but another would, the | |
185 | setup of the device will fail regardless. | |
63b03c0b | 186 | This option implies <option>luks</option>. See |
b4a11878 CS |
187 | <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
188 | for possible values. The default is to try | |
189 | all key slots in sequential order.</para></listitem> | |
190 | </varlistentry> | |
191 | ||
880a599e | 192 | <varlistentry> |
63b03c0b | 193 | <term><option>luks</option></term> |
880a599e | 194 | |
8cf3ca80 | 195 | <listitem><para>Force LUKS mode. When this mode |
fbce1139 | 196 | is used, the following options are ignored since |
8cf3ca80 | 197 | they are provided by the LUKS header on the |
63b03c0b ZJS |
198 | device: <option>cipher=</option>, |
199 | <option>hash=</option>, | |
200 | <option>size=</option>.</para></listitem> | |
880a599e TG |
201 | </varlistentry> |
202 | ||
45ae1a05 | 203 | <varlistentry> |
63b03c0b | 204 | <term><option>noauto</option></term> |
45ae1a05 | 205 | |
8cf3ca80 JJ |
206 | <listitem><para>This device will not be |
207 | automatically unlocked on boot.</para></listitem> | |
45ae1a05 LP |
208 | </varlistentry> |
209 | ||
210 | <varlistentry> | |
63b03c0b | 211 | <term><option>nofail</option></term> |
45ae1a05 | 212 | |
8cf3ca80 JJ |
213 | <listitem><para>The system will not wait for the |
214 | device to show up and be unlocked at boot, and | |
215 | not fail the boot if it does not show up.</para></listitem> | |
45ae1a05 LP |
216 | </varlistentry> |
217 | ||
218 | <varlistentry> | |
63b03c0b | 219 | <term><option>plain</option></term> |
45ae1a05 | 220 | |
8cf3ca80 | 221 | <listitem><para>Force plain encryption mode.</para></listitem> |
45ae1a05 LP |
222 | </varlistentry> |
223 | ||
224 | <varlistentry> | |
63b03c0b | 225 | <term><option>read-only</option></term><term><option>readonly</option></term> |
45ae1a05 | 226 | |
8cf3ca80 JJ |
227 | <listitem><para>Set up the encrypted block |
228 | device in read-only mode.</para></listitem> | |
45ae1a05 LP |
229 | </varlistentry> |
230 | ||
231 | <varlistentry> | |
63b03c0b | 232 | <term><option>size=</option></term> |
45ae1a05 | 233 | |
8cf3ca80 JJ |
234 | <listitem><para>Specifies the key size |
235 | in bits. See | |
236 | <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
237 | for possible values and the default value of | |
238 | this option.</para></listitem> | |
45ae1a05 LP |
239 | </varlistentry> |
240 | ||
241 | <varlistentry> | |
63b03c0b | 242 | <term><option>swap</option></term> |
45ae1a05 | 243 | |
8cf3ca80 JJ |
244 | <listitem><para>The encrypted block device will |
245 | be used as a swap device, and will be formatted | |
246 | accordingly after setting up the encrypted | |
247 | block device, with | |
5aded369 | 248 | <citerefentry project='man-pages'><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>. |
63b03c0b | 249 | This option implies <option>plain</option>.</para> |
8cf3ca80 | 250 | |
63b03c0b | 251 | <para>WARNING: Using the <option>swap</option> |
8cf3ca80 JJ |
252 | option will destroy the contents of the named |
253 | partition during every boot, so make sure the | |
254 | underlying block device is specified correctly.</para></listitem> | |
45ae1a05 LP |
255 | </varlistentry> |
256 | ||
257 | <varlistentry> | |
63b03c0b | 258 | <term><option>tcrypt</option></term> |
8cf3ca80 JJ |
259 | |
260 | <listitem><para>Use TrueCrypt encryption mode. | |
fbce1139 | 261 | When this mode is used, the following options are |
8cf3ca80 JJ |
262 | ignored since they are provided by the TrueCrypt |
263 | header on the device or do not apply: | |
63b03c0b ZJS |
264 | <option>cipher=</option>, |
265 | <option>hash=</option>, | |
266 | <option>keyfile-offset=</option>, | |
267 | <option>keyfile-size=</option>, | |
268 | <option>size=</option>.</para> | |
8cf3ca80 JJ |
269 | |
270 | <para>When this mode is used, the passphrase is | |
271 | read from the key file given in the third field. | |
272 | Only the first line of this file is read, | |
273 | excluding the new line character.</para> | |
274 | ||
275 | <para>Note that the TrueCrypt format uses both | |
276 | passphrase and key files to derive a password | |
277 | for the volume. Therefore, the passphrase and | |
278 | all key files need to be provided. Use | |
63b03c0b | 279 | <option>tcrypt-keyfile=</option> to provide |
8cf3ca80 JJ |
280 | the absolute path to all key files. When using |
281 | an empty passphrase in combination with one or | |
282 | more key files, use <literal>/dev/null</literal> | |
283 | as the password file in the third field.</para></listitem> | |
284 | </varlistentry> | |
45ae1a05 | 285 | |
8cf3ca80 | 286 | <varlistentry> |
63b03c0b | 287 | <term><option>tcrypt-hidden</option></term> |
8cf3ca80 JJ |
288 | |
289 | <listitem><para>Use the hidden TrueCrypt volume. | |
63b03c0b | 290 | This option implies <option>tcrypt</option>.</para> |
8cf3ca80 JJ |
291 | |
292 | <para>This will map the hidden volume that is | |
293 | inside of the volume provided in the second | |
294 | field. Please note that there is no protection | |
295 | for the hidden volume if the outer volume is | |
296 | mounted instead. See | |
297 | <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
298 | for more information on this limitation.</para></listitem> | |
45ae1a05 LP |
299 | </varlistentry> |
300 | ||
301 | <varlistentry> | |
63b03c0b | 302 | <term><option>tcrypt-keyfile=</option></term> |
8cf3ca80 JJ |
303 | |
304 | <listitem><para>Specifies the absolute path to a | |
305 | key file to use for a TrueCrypt volume. This | |
63b03c0b | 306 | implies <option>tcrypt</option> and can be |
8cf3ca80 JJ |
307 | used more than once to provide several key |
308 | files.</para> | |
45ae1a05 | 309 | |
63b03c0b | 310 | <para>See the entry for <option>tcrypt</option> |
8cf3ca80 JJ |
311 | on the behavior of the passphrase and key files |
312 | when using TrueCrypt encryption mode.</para></listitem> | |
45ae1a05 LP |
313 | </varlistentry> |
314 | ||
315 | <varlistentry> | |
63b03c0b | 316 | <term><option>tcrypt-system</option></term> |
8cf3ca80 JJ |
317 | |
318 | <listitem><para>Use TrueCrypt in system | |
dc968941 | 319 | encryption mode. This option implies |
63b03c0b | 320 | <option>tcrypt</option>.</para></listitem> |
8cf3ca80 JJ |
321 | </varlistentry> |
322 | ||
323 | <varlistentry> | |
63b03c0b | 324 | <term><option>timeout=</option></term> |
45ae1a05 | 325 | |
8cf3ca80 JJ |
326 | <listitem><para>Specifies the timeout for |
327 | querying for a password. If no unit is | |
328 | specified, seconds is used. Supported units are | |
329 | s, ms, us, min, h, d. A timeout of 0 waits | |
330 | indefinitely (which is the default).</para></listitem> | |
45ae1a05 LP |
331 | </varlistentry> |
332 | ||
dc5cd2b7 ZJS |
333 | <varlistentry> |
334 | <term><option>x-systemd.device-timeout=</option></term> | |
335 | ||
336 | <listitem><para>Specifies how long | |
337 | systemd should wait for a device to | |
338 | show up before giving up on the | |
339 | entry. The argument is a time in | |
cc98b302 | 340 | seconds or explicitly specified |
dc5cd2b7 ZJS |
341 | units of <literal>s</literal>, |
342 | <literal>min</literal>, | |
343 | <literal>h</literal>, | |
344 | <literal>ms</literal>. | |
345 | </para></listitem> | |
346 | </varlistentry> | |
347 | ||
45ae1a05 | 348 | <varlistentry> |
63b03c0b | 349 | <term><option>tmp</option></term> |
8cf3ca80 JJ |
350 | |
351 | <listitem><para>The encrypted block device will | |
352 | be prepared for using it as <filename>/tmp</filename>; | |
353 | it will be formatted using | |
5aded369 | 354 | <citerefentry project='man-pages'><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>. |
63b03c0b | 355 | This option implies <option>plain</option>.</para> |
45ae1a05 | 356 | |
63b03c0b | 357 | <para>WARNING: Using the <option>tmp</option> |
8cf3ca80 JJ |
358 | option will destroy the contents of the named |
359 | partition during every boot, so make sure the | |
360 | underlying block device is specified correctly.</para></listitem> | |
45ae1a05 LP |
361 | </varlistentry> |
362 | ||
363 | <varlistentry> | |
63b03c0b | 364 | <term><option>tries=</option></term> |
45ae1a05 | 365 | |
8cf3ca80 | 366 | <listitem><para>Specifies the maximum number of |
404dac4d TB |
367 | times the user is queried for a password. |
368 | The default is 3. If set to 0, the user is | |
369 | queried for a password indefinitely.</para></listitem> | |
45ae1a05 LP |
370 | </varlistentry> |
371 | ||
372 | <varlistentry> | |
63b03c0b | 373 | <term><option>verify</option></term> |
45ae1a05 | 374 | |
8cf3ca80 JJ |
375 | <listitem><para> If the encryption password is |
376 | read from console, it has to be entered twice to | |
377 | prevent typos.</para></listitem> | |
45ae1a05 | 378 | </varlistentry> |
8cf3ca80 | 379 | |
45ae1a05 LP |
380 | </variablelist> |
381 | ||
8e129f51 | 382 | <para>At early boot and when the system manager |
409dee2e | 383 | configuration is reloaded, this file is translated into |
8e129f51 LP |
384 | native systemd units |
385 | by <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> | |
45ae1a05 LP |
386 | </refsect1> |
387 | ||
388 | <refsect1> | |
389 | <title>Example</title> | |
390 | <example> | |
391 | <title>/etc/crypttab example</title> | |
8cf3ca80 JJ |
392 | <para>Set up four encrypted block devices. One using |
393 | LUKS for normal storage, another one for usage as a swap | |
394 | device and two TrueCrypt volumes.</para> | |
395 | ||
396 | <programlisting>luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b | |
397 | swap /dev/sda7 /dev/urandom swap | |
398 | truecrypt /dev/sda2 /etc/container_password tcrypt | |
9fcdf322 | 399 | hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile</programlisting> |
45ae1a05 LP |
400 | </example> |
401 | </refsect1> | |
402 | ||
403 | <refsect1> | |
404 | <title>See Also</title> | |
405 | <para> | |
406 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
407 | <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
8e129f51 | 408 | <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
45ae1a05 | 409 | <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
5aded369 ZJS |
410 | <citerefentry project='man-pages'><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
411 | <citerefentry project='man-pages'><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
45ae1a05 LP |
412 | </para> |
413 | </refsect1> | |
414 | ||
415 | </refentry> |