git.ipfire.org Git - thirdparty/systemd.git/blob - man/crypttab.xml
cryptsetup: Support key-slot option
<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
This file is part of systemd.

Copyright 2012 Lennart Poettering

systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.

systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.

This is based on crypttab(5) from Fedora's initscripts package, which in
turn is based on Debian's version.

The Red Hat version has been written by Miloslav Trmac <mitr@redhat.com>.

-->
<refentry id="crypttab" conditional='HAVE_LIBCRYPTSETUP'>

<refentryinfo>
<title>crypttab</title>
<productname>systemd</productname>

<authorgroup>
<author>
<contrib>Documentation</contrib>
<firstname>Miloslav</firstname>
<surname>Trmac</surname>
<email>mitr@redhat.com</email>
</author>
<author>
<contrib>Documentation</contrib>
<firstname>Lennart</firstname>
<surname>Poettering</surname>
<email>lennart@poettering.net</email>
</author>
</authorgroup>
</refentryinfo>

<refmeta>
<refentrytitle>crypttab</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>

<refnamediv>
<refname>crypttab</refname>
<refpurpose>Configuration for encrypted block devices</refpurpose>
</refnamediv>

<refsynopsisdiv>
<para><filename>/etc/crypttab</filename></para>
</refsynopsisdiv>

<refsect1>
<title>Description</title>

<para>The <filename>/etc/crypttab</filename> file
describes encrypted block devices that are set up
during system boot.</para>

<para>Empty lines and lines starting with the <literal>#</literal>
character are ignored. Each of the remaining lines
describes one encrypted block device; fields on the
line are delimited by white space. The first two
fields are mandatory, the remaining two are
optional.</para>

<para>Setting up encrypted block devices using this file
supports three encryption modes: LUKS, TrueCrypt and plain.
See <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for more information about each mode. When no mode is specified
in the options field and the block device contains a LUKS
signature, it is opened as a LUKS device; otherwise, it is
assumed to be in raw dm-crypt (plain mode) format.</para>

<para>The first field contains the name of the
resulting encrypted block device; the device is set up
within <filename>/dev/mapper/</filename>.</para>

<para>The second field contains a path to the
underlying block device or file, or a specification of a block
device via <literal>UUID=</literal> followed by the
UUID.</para>

<para>The third field specifies the encryption
password. If the field is not present or the password
is set to <literal>none</literal> or <literal>-</literal>,
the password has to be manually entered during system boot.
Otherwise, the field is interpreted as an absolute path to
a file containing the encryption password. For swap encryption,
<filename>/dev/urandom</filename> or the hardware
device <filename>/dev/hw_random</filename> can be used
as the password file; using
<filename>/dev/random</filename> may prevent boot
completion if the system does not have enough entropy
to generate a truly random encryption key.</para>

<para>The fourth field, if present, is a
comma-delimited list of options. The following
options are recognized:</para>

<variablelist class='crypttab-options'>

<varlistentry>
<term><varname>discard</varname></term>

<listitem><para>Allow discard requests to be
passed through the encrypted block device. This
improves performance on SSD storage but has
security implications: discarded sectors are visibly
unused on the underlying device, so anyone with access
to the raw storage can tell which parts of the volume
hold data and which are free.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>cipher=</varname></term>

<listitem><para>Specifies the cipher to use. See
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of
this option. A cipher with unpredictable IV
values, such as <literal>aes-cbc-essiv:sha256</literal>,
is recommended.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>hash=</varname></term>

<listitem><para>Specifies the hash to use for
password hashing. See
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of
this option.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>keyfile-offset=</varname></term>

<listitem><para>Specifies the number of bytes to
skip at the start of the key file. See
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of
this option.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>keyfile-size=</varname></term>

<listitem><para>Specifies the maximum number
of bytes to read from the key file. See
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of
this option. This option is ignored in plain
encryption mode, as the key file size is then
given by the key size.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>key-slot=</varname></term>

<listitem><para>Specifies the key slot to
compare the passphrase or key against.
If the key slot does not match the given
passphrase or key, but another would, the
setup of the device will fail regardless.
This implies <varname>luks</varname>. See
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values. The default is to try
all key slots in sequential order.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>luks</varname></term>

<listitem><para>Force LUKS mode. When this mode
is used, the following options are ignored since
they are provided by the LUKS header on the
device: <varname>cipher=</varname>,
<varname>hash=</varname>,
<varname>size=</varname>.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>noauto</varname></term>

<listitem><para>This device will not be
automatically unlocked on boot.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>nofail</varname></term>

<listitem><para>The system will not wait for the
device to show up and be unlocked at boot, and
will not fail the boot if it does not show up.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>plain</varname></term>

<listitem><para>Force plain encryption mode.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>read-only</varname></term><term><varname>readonly</varname></term>

<listitem><para>Set up the encrypted block
device in read-only mode.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>size=</varname></term>

<listitem><para>Specifies the key size
in bits. See
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of
this option.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>swap</varname></term>

<listitem><para>The encrypted block device will
be used as a swap device, and will be formatted
accordingly after setting up the encrypted
block device, with
<citerefentry><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
This option implies <varname>plain</varname>.</para>

<para>WARNING: Using the <varname>swap</varname>
option will destroy the contents of the named
partition during every boot, so make sure the
underlying block device is specified correctly.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>tcrypt</varname></term>

<listitem><para>Use TrueCrypt encryption mode.
When this mode is used, the following options are
ignored since they are provided by the TrueCrypt
header on the device or do not apply:
<varname>cipher=</varname>,
<varname>hash=</varname>,
<varname>keyfile-offset=</varname>,
<varname>keyfile-size=</varname>,
<varname>size=</varname>.</para>

<para>When this mode is used, the passphrase is
read from the key file given in the third field.
Only the first line of this file is read,
excluding the new line character.</para>

<para>Note that the TrueCrypt format uses both
passphrase and key files to derive a password
for the volume. Therefore, the passphrase and
all key files need to be provided. Use
<varname>tcrypt-keyfile=</varname> to provide
the absolute path to all key files. When using
an empty passphrase in combination with one or
more key files, use <literal>/dev/null</literal>
as the password file in the third field.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>tcrypt-hidden</varname></term>

<listitem><para>Use the hidden TrueCrypt volume.
This implies <varname>tcrypt</varname>.</para>

<para>This will map the hidden volume that is
inside of the volume provided in the second
field. Please note that there is no protection
for the hidden volume if the outer volume is
mounted instead. See
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for more information on this limitation.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>tcrypt-keyfile=</varname></term>

<listitem><para>Specifies the absolute path to a
key file to use for a TrueCrypt volume. This
implies <varname>tcrypt</varname> and can be
used more than once to provide several key
files.</para>

<para>See the entry for <varname>tcrypt</varname>
on the behavior of the passphrase and key files
when using TrueCrypt encryption mode.</para></listitem>
</varlistentry>

304 <term><varname>tcrypt-system</varname></term>
305
306 <listitem><para>Use TrueCrypt in system
307 encryption mode. This implies
308 <varname>tcrypt</varname>.</para>
309
310 <para>Please note that when using this mode, the
311 whole device needs to be given in the second
312 field instead of the partition. For example: if
313 <literal>/dev/sda2</literal> is the system
314 encrypted TrueCrypt patition, <literal>/dev/sda</literal>
315 has to be given.</para></listitem>
316 </varlistentry>

<varlistentry>
<term><varname>timeout=</varname></term>

<listitem><para>Specifies the timeout for
querying for a password. If no unit is
specified, seconds is used. Supported units are
s, ms, us, min, h, d. A timeout of 0 waits
indefinitely (which is the default).</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>tmp</varname></term>

<listitem><para>The encrypted block device will
be prepared for using it as <filename>/tmp</filename>;
it will be formatted using
<citerefentry><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
This option implies <varname>plain</varname>.</para>

<para>WARNING: Using the <varname>tmp</varname>
option will destroy the contents of the named
partition during every boot, so make sure the
underlying block device is specified correctly.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>tries=</varname></term>

<listitem><para>Specifies the maximum number of
times the user is queried for a password.
The default is 3. If set to 0, the user is
queried for a password indefinitely.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>verify</varname></term>

<listitem><para>If the encryption password is
read from console, it has to be entered twice to
prevent typos.</para></listitem>
</varlistentry>

</variablelist>

<para>At early boot and when the system manager
configuration is reloaded, this file is translated into
native systemd units
by <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
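<para>As an added illustration, not part of systemd or of this manual page, the following Python script parses crypttab lines under the rules described above and flags the pitfalls the option descriptions warn about: options that a mode takes from the on-disk header and therefore ignores, <varname>discard</varname>, <filename>/dev/random</filename> as a key source, the reformatting done by <varname>swap</varname> and <varname>tmp</varname>, a <varname>tcrypt</varname> entry without a password file, and malformed <varname>timeout=</varname> and <varname>tries=</varname> values. The function and constant names, the mode-resolution order and the sample file are this example's own assumptions; the sample reuses the four entries of the example in the next section and adds two constructed, deliberately sloppy ones.</para>
<![CDATA[
```python
"""Parse and lint crypttab(5) entries (added example; not systemd code)."""
from dataclasses import dataclass, field
from typing import Optional

# Options that take a value ("name=value") and bare flags, as listed above.
VALUE_OPTIONS = {"cipher", "hash", "keyfile-offset", "keyfile-size", "key-slot",
                 "size", "tcrypt-keyfile", "timeout", "tries"}
FLAG_OPTIONS = {"discard", "luks", "noauto", "nofail", "plain", "read-only",
                "readonly", "swap", "tcrypt", "tcrypt-hidden", "tcrypt-system",
                "tmp", "verify"}
# timeout= units in seconds; a bare number means seconds.
TIME_UNITS = {"": 1.0, "s": 1.0, "ms": 1e-3, "us": 1e-6, "min": 60.0, "h": 3600.0, "d": 86400.0}
# Options each mode reads from the on-disk header (or that do not apply) and so ignores.
IGNORED = {"luks": ("cipher", "hash", "size"),
           "tcrypt": ("cipher", "hash", "keyfile-offset", "keyfile-size", "size"),
           "plain": ("keyfile-size",)}


@dataclass
class CryptEntry:
    lineno: int
    name: str                  # becomes /dev/mapper/<name>
    device: str                # path or UUID=...
    password: Optional[str]    # None: prompt at boot (field absent, "none" or "-")
    options: dict = field(default_factory=dict)


def parse_timeout(value):
    """Convert a timeout= value such as "30", "500ms" or "5min" to seconds."""
    number = value.rstrip("abcdefghijklmnopqrstuvwxyz")
    unit = value[len(number):]
    if not number or unit not in TIME_UNITS:
        raise ValueError(f"bad timeout value: {value!r}")
    return float(number) * TIME_UNITS[unit]


def parse_options(spec):
    """Split the comma-delimited fourth field; tcrypt-keyfile= may repeat, so it collects a list."""
    options = {}
    for opt in filter(None, spec.split(",")):
        key, has_value, value = opt.partition("=")
        if has_value and key in VALUE_OPTIONS:
            if key == "tcrypt-keyfile":
                options.setdefault(key, []).append(value)
            else:
                options[key] = value
        elif not has_value and key in FLAG_OPTIONS:
            options["read-only" if key == "readonly" else key] = True   # fold the alias
        else:
            raise ValueError(f"unknown or malformed option: {opt!r}")
    return options


def parse_crypttab(text):
    """Blank and '#' lines are skipped; fields are whitespace-separated;
    name and device are mandatory, password and options are optional."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: name and device are mandatory")
        password = fields[2] if len(fields) > 2 else None
        if password in ("none", "-"):
            password = None
        options = parse_options(fields[3]) if len(fields) > 3 else {}
        entries.append(CryptEntry(lineno, fields[0], fields[1], password, options))
    return entries


def effective_mode(entry):
    """Mode implied by the options: tcrypt-* imply tcrypt, swap/tmp imply plain,
    key-slot implies luks; "auto" means cryptsetup probes for a LUKS header at boot."""
    o = entry.options
    if any(k in o for k in ("tcrypt", "tcrypt-hidden", "tcrypt-system", "tcrypt-keyfile")):
        return "tcrypt"
    if any(k in o for k in ("plain", "swap", "tmp")):
        return "plain"
    if "luks" in o or "key-slot" in o:
        return "luks"
    return "auto"


def lint(entry):
    """Findings for one entry; an empty list means nothing to flag."""
    o, mode = entry.options, effective_mode(entry)
    findings = [f"{k}= is ignored in {mode} mode" for k in IGNORED.get(mode, ()) if k in o]
    if "discard" in o:
        findings.append("discard passes TRIM through, exposing which sectors are unused")
    if entry.password == "/dev/random":
        findings.append("/dev/random may stall boot when entropy is low; prefer /dev/urandom")
    if "swap" in o or "tmp" in o:
        findings.append("swap/tmp reformat the device on every boot; verify the device path")
    if mode == "tcrypt" and entry.password is None:
        findings.append("tcrypt needs a password file in the third field (/dev/null if empty)")
    if "timeout" in o:
        parse_timeout(o["timeout"])  # raises ValueError on a malformed value
    if "tries" in o and not o["tries"].isdigit():
        findings.append("tries= must be a non-negative integer")
    return findings


def lint_crypttab(text):
    """Map each mapped-device name to its findings."""
    return {e.name: lint(e) for e in parse_crypttab(text)}


# Constructed sample: the four entries from the example below plus two sloppy ones.
SAMPLE_CRYPTTAB = """\
# <name>   <device>                                   <password>              <options>
luks       UUID=2505567a-9e27-4efe-a4d5-15ad146c258b
swap       /dev/sda7                                  /dev/urandom            swap
truecrypt  /dev/sda2                                  /etc/container_password tcrypt
hidden     /mnt/tc_hidden                             /dev/null               tcrypt-hidden,tcrypt-keyfile=/etc/keyfile
data       /dev/sdb1                                  /etc/data.key           luks,cipher=aes-xts-plain64,discard,timeout=5min
badswap    /dev/sdc2                                  /dev/random             swap,tries=many
"""

if __name__ == "__main__":
    for name, findings in lint_crypttab(SAMPLE_CRYPTTAB).items():
        print(name, findings or "ok")
```
]]>
<para>The script only reads the text; it never touches the block devices, so it cannot resolve the <literal>auto</literal> case, which is decided at boot by probing the device for a LUKS header. Point it at a real file with <command>python3 -c 'import crypttab_lint, sys; print(crypttab_lint.lint_crypttab(open("/etc/crypttab").read()))'</command> (the module name is the example's own choice).</para>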
</refsect1>

<refsect1>
<title>Example</title>
<example>
<title>/etc/crypttab example</title>
<para>Set up four encrypted block devices. One using
LUKS for normal storage, another one for usage as a swap
device and two TrueCrypt volumes.</para>

<programlisting>luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b
swap /dev/sda7 /dev/urandom swap
truecrypt /dev/sda2 /etc/container_password tcrypt
hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile</programlisting>
</example>
</refsect1>

<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>

</refentry>