git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd-cryptsetup-generator.xml
man: fix link markup
Commit Line Data
8e129f51
LP
1<?xml version="1.0"?>
2<!--*-nxml-*-->
3a54a157
ZJS
3<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
4 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
0307f791 5<!-- SPDX-License-Identifier: LGPL-2.1+ -->
56ba3c78 6<refentry id="systemd-cryptsetup-generator" conditional='HAVE_LIBCRYPTSETUP'>
8e129f51 7
798d3a52
ZJS
8 <refentryinfo>
9 <title>systemd-cryptsetup-generator</title>
10 <productname>systemd</productname>
798d3a52
ZJS
11 </refentryinfo>
12
13 <refmeta>
14 <refentrytitle>systemd-cryptsetup-generator</refentrytitle>
15 <manvolnum>8</manvolnum>
16 </refmeta>
17
18 <refnamediv>
19 <refname>systemd-cryptsetup-generator</refname>
20 <refpurpose>Unit generator for <filename>/etc/crypttab</filename></refpurpose>
21 </refnamediv>
22
23 <refsynopsisdiv>
12b42c76 24 <para><filename>/usr/lib/systemd/system-generators/systemd-cryptsetup-generator</filename></para>
798d3a52
ZJS
25 </refsynopsisdiv>
26
27 <refsect1>
28 <title>Description</title>
29
30 <para><filename>systemd-cryptsetup-generator</filename> is a
31 generator that translates <filename>/etc/crypttab</filename> into
32 native systemd units early at boot and when configuration of the
33 system manager is reloaded. This will create
34 <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
35 units as necessary.</para>
36
b1c1a519
ZC
37 <para><filename>systemd-cryptsetup-generator</filename> implements
38 <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
798d3a52
ZJS
39 </refsect1>
40
41 <refsect1>
42 <title>Kernel Command Line</title>
43
44 <para><filename>systemd-cryptsetup-generator</filename>
45 understands the following kernel command line parameters:</para>
46
47 <variablelist class='kernel-commandline-options'>
48 <varlistentry>
49 <term><varname>luks=</varname></term>
50 <term><varname>rd.luks=</varname></term>
51
52 <listitem><para>Takes a boolean argument. Defaults to
53 <literal>yes</literal>. If <literal>no</literal>, disables the
54 generator entirely. <varname>rd.luks=</varname> is honored
55 only by the initial RAM disk (initrd), while
56 <varname>luks=</varname> is honored by both the main system
57 and the initrd.</para></listitem>
58 </varlistentry>
59
60 <varlistentry>
61 <term><varname>luks.crypttab=</varname></term>
62 <term><varname>rd.luks.crypttab=</varname></term>
63
64 <listitem><para>Takes a boolean argument. Defaults to
65 <literal>yes</literal>. If <literal>no</literal>, causes the
66 generator to ignore any devices configured in
67 <filename>/etc/crypttab</filename>
68 (<varname>luks.uuid=</varname> will still work, however).
69 <varname>rd.luks.crypttab=</varname> is honored only by the
70 initial RAM disk (initrd), while
71 <varname>luks.crypttab=</varname> is honored by both the main
72 system and the initrd.</para></listitem>
73 </varlistentry>
74
75 <varlistentry>
76 <term><varname>luks.uuid=</varname></term>
77 <term><varname>rd.luks.uuid=</varname></term>
78
79 <listitem><para>Takes a LUKS superblock UUID as argument. This
80 will activate the specified device as part of the boot process
81 as if it was listed in <filename>/etc/crypttab</filename>.
82 This option may be specified more than once in order to set up
83 multiple devices. <varname>rd.luks.uuid=</varname> is honored
84 only by the initial RAM disk (initrd), while
85 <varname>luks.uuid=</varname> is honored by both the main
86 system and the initrd.</para>
87 <para>If /etc/crypttab contains entries with the same UUID,
88 then the name, keyfile and options specified there will be
b938cb90 89 used. Otherwise, the device will have the name
798d3a52
ZJS
90 <literal>luks-UUID</literal>.</para>
91 <para>If /etc/crypttab exists, only those UUIDs
92 specified on the kernel command line
93 will be activated in the initrd or the real root.</para>
94 </listitem>
95 </varlistentry>
96
97 <varlistentry>
98 <term><varname>luks.name=</varname></term>
99 <term><varname>rd.luks.name=</varname></term>
100
101 <listitem><para>Takes a LUKS super block UUID followed by an
102 <literal>=</literal> and a name. This implies
103 <varname>rd.luks.uuid=</varname> or
104 <varname>luks.uuid=</varname> and will additionally make the
105 LUKS device given by the UUID appear under the provided
106 name.</para>
107
108 <para><varname>rd.luks.name=</varname> is honored only by the
109 initial RAM disk (initrd), while <varname>luks.name=</varname>
110 is honored by both the main system and the initrd.</para>
111 </listitem>
112 </varlistentry>
113
114 <varlistentry>
115 <term><varname>luks.options=</varname></term>
116 <term><varname>rd.luks.options=</varname></term>
117
118 <listitem><para>Takes a LUKS super block UUID followed by an
119 <literal>=</literal> and a string of options separated by
120 commas as argument. This will override the options for the
121 given UUID.</para>
122 <para>If only a list of options, without a UUID, is
123 specified, they apply to any UUIDs not specified elsewhere,
124 and without an entry in
125 <filename>/etc/crypttab</filename>.</para><para>
126 <varname>rd.luks.options=</varname> is honored only by the initial
127 RAM disk (initrd), while <varname>luks.options=</varname> is
128 honored by both the main system and the initrd.</para>
129 </listitem>
130 </varlistentry>
131
132 <varlistentry>
133 <term><varname>luks.key=</varname></term>
134 <term><varname>rd.luks.key=</varname></term>
135
136 <listitem><para>Takes a password file name as argument or a
137 LUKS super block UUID followed by a <literal>=</literal> and a
138 password file name.</para>
139
140 <para>For those entries specified with
141 <varname>rd.luks.uuid=</varname> or
142 <varname>luks.uuid=</varname>, the password file will be set
143 to the one specified by <varname>rd.luks.key=</varname> or
144 <varname>luks.key=</varname> of the corresponding UUID, or the
145 password file that was specified without a UUID.</para>
70f5f48e
MS
146
147 <para>It is also possible to specify an external device which
148 should be mounted before we attempt to unlock the LUKS device.
149 systemd-cryptsetup will use the password file stored on that
150 device. The device containing the password file is specified by
151 appending a colon and a device identifier to the password file
152 path. For example,
153 <varname>rd.luks.uuid=</varname>b40f1abf-2a53-400a-889a-2eccc27eaa40
154 <varname>rd.luks.key=</varname>b40f1abf-2a53-400a-889a-2eccc27eaa40=/keyfile:LABEL=keydev.
155 Hence, in this case, we will attempt to mount the file system
156 residing on the block device with label <literal>keydev</literal>.
157 This syntax is for now only supported on a per-device basis,
158 i.e. you have to specify the LUKS device UUID.</para>
159
798d3a52
ZJS
160 <para><varname>rd.luks.key=</varname>
161 is honored only by the initial RAM disk
162 (initrd), while
163 <varname>luks.key=</varname> is
164 honored by both the main system and
165 the initrd.</para>
166 </listitem>
167 </varlistentry>
168 </variablelist>
169 </refsect1>
170
171 <refsect1>
172 <title>See Also</title>
173 <para>
174 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
175 <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
176 <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
3ba3a79d 177 <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
798d3a52
ZJS
178 <citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
179 </para>
180 </refsect1>
8e129f51
LP
181
182</refentry>
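The kernel command line rules documented above can be modelled as a small resolver that an administrator might use to review which LUKS devices a given command line would unlock, and from which key file and key device. This is an added example, not code from systemd; the names `resolve` and `split_uuid`, the accepted boolean spellings, and the pre-parsed `crypttab` mapping are assumptions, and letting a per-UUID `luks.options=` override the options of a matching crypttab entry is this model's reading of the text.

```python
import re
import shlex

UUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
TRUE = {"1", "yes", "y", "true", "t", "on"}  # boolean spellings assumed for this model

def split_uuid(val):  # "UUID=rest" -> (uuid, rest); anything else -> (None, val)
    head, sep, rest = val.partition("=")
    return (head.lower(), rest) if sep and UUID_RE.fullmatch(head) else (None, val)

def resolve(cmdline, in_initrd, crypttab=None):
    """crypttab: pre-parsed {uuid: (name, keyfile, options)}; None if the file is absent."""
    flag = {"luks": True, "luks.crypttab": True}
    uuids, name, opts, key = [], {}, {}, {}
    for word in shlex.split(cmdline):
        k, sep, v = word.partition("=")
        rd = k.startswith("rd.")
        k = k[3:] if rd else k
        if not sep or (rd and not in_initrd):
            continue  # rd.* variants are honored only by the initrd
        u, rest = split_uuid(v)
        if k in flag:
            flag[k] = v.lower() in TRUE
        elif k == "luks.uuid" and UUID_RE.fullmatch(v):
            uuids.append(v.lower())
        elif k == "luks.name" and u:
            name[u] = rest
            uuids.append(u)  # luks.name= implies luks.uuid=
        elif k == "luks.options":
            opts[u] = rest  # key None holds the UUID-less default
        elif k == "luks.key":
            key[u] = rest
    if not flag["luks"]:
        return []  # luks=no disables the generator entirely
    tab = crypttab if flag["luks.crypttab"] and crypttab else {}
    units = []
    for u in list(dict.fromkeys(uuids)) or list(tab):  # listed UUIDs restrict activation
        if u in tab:  # crypttab supplies name, keyfile, options; per-UUID options override
            n, kf, o = tab[u]
            o, dev = opts.get(u, o), None
        else:
            n, o = name.get(u, "luks-" + u), opts.get(u, opts.get(None))
            kf, _, dev = key[u].partition(":") if u in key else (key.get(None), "", "")
        units.append({"uuid": u, "name": n, "keyfile": kf or None,
                      "keydev": dev or None, "options": o})
    return units

if __name__ == "__main__":  # the page's own example values
    print(resolve("rd.luks.uuid=b40f1abf-2a53-400a-889a-2eccc27eaa40 "
                  "rd.luks.key=b40f1abf-2a53-400a-889a-2eccc27eaa40=/keyfile:LABEL=keydev", True))
```

Running the same command line with `in_initrd=False` returns an empty list, which makes the initrd-only scope of the `rd.` variants easy to confirm during a boot configuration review.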