]> git.ipfire.org Git - thirdparty/systemd.git/blob - man/crypttab.xml
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
core: introduce new Type=exec service type
[thirdparty/systemd.git] / man / crypttab.xml
1 <?xml version="1.0"?>
2 <!--*-nxml-*-->
3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4 <!--
5 SPDX-License-Identifier: LGPL-2.1+
6
7 This is based on crypttab(5) from Fedora's initscripts package, which in
8 turn is based on Debian's version.
9
10 The Red Hat version has been written by Miloslav Trmac <mitr@redhat.com>.
11 -->
12 <refentry id="crypttab" conditional='HAVE_LIBCRYPTSETUP'>
13
14 <refentryinfo>
15 <title>crypttab</title>
16 <productname>systemd</productname>
17 </refentryinfo>
18
19 <refmeta>
20 <refentrytitle>crypttab</refentrytitle>
21 <manvolnum>5</manvolnum>
22 </refmeta>
23
24 <refnamediv>
25 <refname>crypttab</refname>
26 <refpurpose>Configuration for encrypted block devices</refpurpose>
27 </refnamediv>
28
29 <refsynopsisdiv>
30 <para><filename>/etc/crypttab</filename></para>
31 </refsynopsisdiv>
32
33 <refsect1>
34 <title>Description</title>
35
36 <para>The <filename>/etc/crypttab</filename> file describes
37 encrypted block devices that are set up during system boot.</para>
38
39 <para>Empty lines and lines starting with the <literal>#</literal>
40 character are ignored. Each of the remaining lines describes one
41 encrypted block device. Fields are delimited by white space.</para>
42
43 <para>Each line is in the form<programlisting><replaceable>name</replaceable> <replaceable>encrypted-device</replaceable> <replaceable>password</replaceable> <replaceable>options</replaceable></programlisting>
44 The first two fields are mandatory, the remaining two are
45 optional.</para>
46
47 <para>Setting up encrypted block devices using this file supports
48 three encryption modes: LUKS, TrueCrypt and plain. See
49 <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
50 for more information about each mode. When no mode is specified in
51 the options field and the block device contains a LUKS signature,
52 it is opened as a LUKS device; otherwise, it is assumed to be in
53 raw dm-crypt (plain mode) format.</para>
54
55 <para>The first field contains the name of the resulting encrypted
56 block device; the device is set up within
57 <filename>/dev/mapper/</filename>.</para>
58
59 <para>The second field contains a path to the underlying block
60 device or file, or a specification of a block device via
61 <literal>UUID=</literal> followed by the UUID.</para>
62
63 <para>The third field specifies the encryption password. If the
64 field is not present or the password is set to
65 <literal>none</literal> or <literal>-</literal>, the password has
66 to be manually entered during system boot. Otherwise, the field is
67 interpreted as an absolute path to a file containing the encryption
68 password. For swap encryption, <filename>/dev/urandom</filename>
69 or the hardware device <filename>/dev/hw_random</filename> can be
70 used as the password file; using <filename>/dev/random</filename>
71 may prevent boot completion if the system does not have enough
72 entropy to generate a truly random encryption key.</para>
73
74 <para>The fourth field, if present, is a comma-delimited list of
75 options. The following options are recognized:</para>
76
77 <variablelist class='fstab-options'>
78
79 <varlistentry>
80 <term><option>cipher=</option></term>
81
82 <listitem><para>Specifies the cipher to use. See
83 <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
84 for possible values and the default value of this option. A
85 cipher with unpredictable IV values, such as
86 <literal>aes-cbc-essiv:sha256</literal>, is
87 recommended.</para></listitem>
88 </varlistentry>
89
90 <varlistentry>
91 <term><option>discard</option></term>
92
93 <listitem><para>Allow discard requests to be passed through the encrypted block
94 device. This improves performance on SSD storage but has security implications.
95 </para></listitem>
96 </varlistentry>
97
98 <varlistentry>
99 <term><option>hash=</option></term>
100
101 <listitem><para>Specifies the hash to use for password
102 hashing. See
103 <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
104 for possible values and the default value of this
105 option.</para></listitem>
106 </varlistentry>
107
108 <varlistentry>
109 <term><option>header=</option></term>
110
111 <listitem><para>Use a detached (separated) metadata device or
112 file where the LUKS header is stored. This option is only
113 relevant for LUKS devices. See
114 <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
115 for possible values and the default value of this
116 option.</para></listitem>
117 </varlistentry>
118
119 <varlistentry>
120 <term><option>keyfile-offset=</option></term>
121
122 <listitem><para>Specifies the number of bytes to skip at the
123 start of the key file. See
124 <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
125 for possible values and the default value of this
126 option.</para></listitem>
127 </varlistentry>
128
129 <varlistentry>
130 <term><option>keyfile-size=</option></term>
131
132 <listitem><para>Specifies the maximum number of bytes to read
133 from the key file. See
134 <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
135 for possible values and the default value of this option. This
136 option is ignored in plain encryption mode, as the key file
137 size is then given by the key size.</para></listitem>
138 </varlistentry>
139
140 <varlistentry>
141 <term><option>key-slot=</option></term>
142
143 <listitem><para>Specifies the key slot to compare the
144 passphrase or key against. If the key slot does not match the
145 given passphrase or key, but another would, the setup of the
146 device will fail regardless. This option implies
147 <option>luks</option>. See
148 <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
149 for possible values. The default is to try all key slots in
150 sequential order.</para></listitem>
151 </varlistentry>
152
153 <varlistentry>
154 <term><option>luks</option></term>
155
156 <listitem><para>Force LUKS mode. When this mode is used, the
157 following options are ignored since they are provided by the
158 LUKS header on the device: <option>cipher=</option>,
159 <option>hash=</option>,
160 <option>size=</option>.</para></listitem>
161 </varlistentry>
162
163 <varlistentry>
164 <term><option>_netdev</option></term>
165
166 <listitem><para>Marks this cryptsetup device as requiring network. It will be
167 started after the network is available, similarly to
168 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
169 units marked with <option>_netdev</option>. The service unit to set up this device
170 will be ordered between <filename>remote-fs-pre.target</filename> and
171 <filename>remote-cryptsetup.target</filename>, instead of
172 <filename>cryptsetup-pre.target</filename> and
173 <filename>cryptsetup.target</filename>.</para>
174
175 <para>Hint: if this device is used for a mount point that is specified in
176 <citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
177 the <option>_netdev</option> option should also be used for the mount
178 point. Otherwise, a dependency loop might be created where the mount point
179 will be pulled in by <filename>local-fs.target</filename>, while the
180 service to configure the network is usually only started <emphasis>after</emphasis>
181 the local file system has been mounted.</para>
182 </listitem>
183 </varlistentry>
184
185 <varlistentry>
186 <term><option>noauto</option></term>
187
188 <listitem><para>This device will not be added to <filename>cryptsetup.target</filename>.
189 This means that it will not be automatically unlocked on boot, unless something else pulls
190 it in. In particular, if the device is used for a mount point, it'll be unlocked
191 automatically during boot, unless the mount point itself is also disabled with
192 <option>noauto</option>.</para></listitem>
193 </varlistentry>
194
195 <varlistentry>
196 <term><option>nofail</option></term>
197
198 <listitem><para>This device will not be a hard dependency of
199 <filename>cryptsetup.target</filename>. It'll be still pulled in and started, but the system
200 will not wait for the device to show up and be unlocked, and boot will not fail if this is
201 unsuccessful. Note that other units that depend on the unlocked device may still fail. In
202 particular, if the device is used for a mount point, the mount point itself is also needs to
203 have <option>noauto</option> option, or the boot will fail if the device is not unlocked
204 successfully.</para></listitem>
205 </varlistentry>
206
207 <varlistentry>
208 <term><option>offset=</option></term>
209
210 <listitem><para>Start offset in the backend device, in 512-byte sectors. This
211 option is only relevant for plain devices.</para></listitem>
212 </varlistentry>
213
214 <varlistentry>
215 <term><option>plain</option></term>
216
217 <listitem><para>Force plain encryption mode.</para></listitem>
218 </varlistentry>
219
220 <varlistentry>
221 <term><option>read-only</option></term><term><option>readonly</option></term>
222
223 <listitem><para>Set up the encrypted block device in read-only
224 mode.</para></listitem>
225 </varlistentry>
226
227 <varlistentry>
228 <term><option>skip=</option></term>
229
230 <listitem><para>How many 512-byte sectors of the encrypted data to skip at the
231 beginning. This is different from the <option>offset=</option> option with respect
232 to the sector numbers used in initialization vector (IV) calculation. Using
233 <option>offset=</option> will shift the IV calculation by the same negative
234 amount. Hence, if <option>offset=<replaceable>n</replaceable></option> is given,
235 sector <replaceable>n</replaceable> will get a sector number of 0 for the IV
236 calculation. Using <option>skip=</option> causes sector
237 <replaceable>n</replaceable> to also be the first sector of the mapped device, but
238 with its number for IV generation being <replaceable>n</replaceable>.</para>
239
240 <para>This option is only relevant for plain devices.</para>
241 </listitem>
242 </varlistentry>
243
244 <varlistentry>
245 <term><option>size=</option></term>
246
247 <listitem><para>Specifies the key size in bits. See
248 <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
249 for possible values and the default value of this
250 option.</para></listitem>
251 </varlistentry>
252
253 <varlistentry>
254 <term><option>swap</option></term>
255
256 <listitem><para>The encrypted block device will be used as a
257 swap device, and will be formatted accordingly after setting
258 up the encrypted block device, with
259 <citerefentry project='man-pages'><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
260 This option implies <option>plain</option>.</para>
261
262 <para>WARNING: Using the <option>swap</option> option will
263 destroy the contents of the named partition during every boot,
264 so make sure the underlying block device is specified
265 correctly.</para></listitem>
266 </varlistentry>
267
268 <varlistentry>
269 <term><option>tcrypt</option></term>
270
271 <listitem><para>Use TrueCrypt encryption mode. When this mode
272 is used, the following options are ignored since they are
273 provided by the TrueCrypt header on the device or do not
274 apply:
275 <option>cipher=</option>,
276 <option>hash=</option>,
277 <option>keyfile-offset=</option>,
278 <option>keyfile-size=</option>,
279 <option>size=</option>.</para>
280
281 <para>When this mode is used, the passphrase is read from the
282 key file given in the third field. Only the first line of this
283 file is read, excluding the new line character.</para>
284
285 <para>Note that the TrueCrypt format uses both passphrase and
286 key files to derive a password for the volume. Therefore, the
287 passphrase and all key files need to be provided. Use
288 <option>tcrypt-keyfile=</option> to provide the absolute path
289 to all key files. When using an empty passphrase in
290 combination with one or more key files, use
291 <literal>/dev/null</literal> as the password file in the third
292 field.</para></listitem>
293 </varlistentry>
294
295 <varlistentry>
296 <term><option>tcrypt-hidden</option></term>
297
298 <listitem><para>Use the hidden TrueCrypt volume. This option
299 implies <option>tcrypt</option>.</para>
300
301 <para>This will map the hidden volume that is inside of the
302 volume provided in the second field. Please note that there is
303 no protection for the hidden volume if the outer volume is
304 mounted instead. See
305 <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
306 for more information on this limitation.</para></listitem>
307 </varlistentry>
308
309 <varlistentry>
310 <term><option>tcrypt-keyfile=</option></term>
311
312 <listitem><para>Specifies the absolute path to a key file to
313 use for a TrueCrypt volume. This implies
314 <option>tcrypt</option> and can be used more than once to
315 provide several key files.</para>
316
317 <para>See the entry for <option>tcrypt</option> on the
318 behavior of the passphrase and key files when using TrueCrypt
319 encryption mode.</para></listitem>
320 </varlistentry>
321
322 <varlistentry>
323 <term><option>tcrypt-system</option></term>
324
325 <listitem><para>Use TrueCrypt in system encryption mode. This
326 option implies <option>tcrypt</option>.</para></listitem>
327 </varlistentry>
328
329 <varlistentry>
330 <term><option>tcrypt-veracrypt</option></term>
331
332 <listitem><para>Check for a VeraCrypt volume. VeraCrypt is a fork of
333 TrueCrypt that is mostly compatible, but uses different, stronger key
334 derivation algorithms that cannot be detected without this flag.
335 Enabling this option could substantially slow down unlocking, because
336 VeraCrypt's key derivation takes much longer than TrueCrypt's. This
337 option implies <option>tcrypt</option>.</para></listitem>
338 </varlistentry>
339
340 <varlistentry>
341 <term><option>timeout=</option></term>
342
343 <listitem><para>Specifies the timeout for querying for a
344 password. If no unit is specified, seconds is used. Supported
345 units are s, ms, us, min, h, d. A timeout of 0 waits
346 indefinitely (which is the default).</para></listitem>
347 </varlistentry>
348
349 <varlistentry>
350 <term><option>tmp</option></term>
351
352 <listitem><para>The encrypted block device will be prepared
353 for using it as <filename>/tmp</filename>; it will be
354 formatted using
355 <citerefentry project='man-pages'><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
356 This option implies <option>plain</option>.</para>
357
358 <para>WARNING: Using the <option>tmp</option> option will
359 destroy the contents of the named partition during every boot,
360 so make sure the underlying block device is specified
361 correctly.</para></listitem>
362 </varlistentry>
363
364 <varlistentry>
365 <term><option>tries=</option></term>
366
367 <listitem><para>Specifies the maximum number of times the user
368 is queried for a password. The default is 3. If set to 0, the
369 user is queried for a password indefinitely.</para></listitem>
370 </varlistentry>
371
372 <varlistentry>
373 <term><option>verify</option></term>
374
375 <listitem><para> If the encryption password is read from
376 console, it has to be entered twice to prevent
377 typos.</para></listitem>
378 </varlistentry>
379
380 <varlistentry>
381 <term><option>x-systemd.device-timeout=</option></term>
382
383 <listitem><para>Specifies how long systemd should wait for a device to show up
384 before giving up on the entry. The argument is a time in seconds or explicitly
385 specified units of
386 <literal>s</literal>,
387 <literal>min</literal>,
388 <literal>h</literal>,
389 <literal>ms</literal>.
390 </para></listitem>
391 </varlistentry>
392
393 </variablelist>
394
395 <para>At early boot and when the system manager configuration is
396 reloaded, this file is translated into native systemd units by
397 <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
398 </refsect1>
399
400 <refsect1>
401 <title>Example</title>
402 <example>
403 <title>/etc/crypttab example</title>
404 <para>Set up four encrypted block devices. One using LUKS for
405 normal storage, another one for usage as a swap device and two
406 TrueCrypt volumes.</para>
407
408 <programlisting>luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b
409 swap /dev/sda7 /dev/urandom swap
410 truecrypt /dev/sda2 /etc/container_password tcrypt
411 hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile</programlisting>
412 </example>
413 </refsect1>
414
415 <refsect1>
416 <title>See Also</title>
417 <para>
418 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
419 <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
420 <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
421 <citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
422 <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
423 <citerefentry project='man-pages'><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
424 <citerefentry project='man-pages'><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
425 </para>
426 </refsect1>
427
428 </refentry>
Unnamed repository; edit this file 'description' to name the repository.