5 files changed, 40 insertions, 3 deletions
diff --git a/man/crypttab.xml b/man/crypttab.xml
index e4b1e43e42..e933b2db78 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -431,6 +431,25 @@
         </para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>x-initrd.attach</option></term>
+
+        <listitem><para>Setup this encrypted block device in the initramfs, similarly to
+        <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+        units marked with <option>x-initrd.mount</option>.</para>
+
+        <para>Although it's not necessary to mark the mount entry for the root file system with
+        <option>x-initrd.mount</option>, <option>x-initrd.attach</option> is still recommended with
+        the encrypted block device containing the root file system as otherwise systemd will
+        attempt to detach the device during the regular system shutdown while it's still in
+        use. With this option the device will still be detached but later after the root file
+        system is unmounted.</para>
+
+        <para>All other encrypted block devices that contain file systems mounted in the initramfs
+        should use this option.</para>
+        </listitem>
+      </varlistentry>
+
     </variablelist>
 
     <para>At early boot and when the system manager configuration is
diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
index 811a9468c1..82e4314913 100644
--- a/src/cryptsetup/cryptsetup-generator.c
+++ b/src/cryptsetup/cryptsetup-generator.c
@@ -227,7 +227,7 @@ static int create_disk(
                 *filtered = NULL, *u_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL, *header_path = NULL;
         _cleanup_fclose_ FILE *f = NULL;
         const char *dmname;
-        bool noauto, nofail, tmp, swap, netdev;
+        bool noauto, nofail, tmp, swap, netdev, attach_in_initrd;
         int r, detached_header, keyfile_can_timeout;
 
         assert(name);
@@ -238,6 +238,7 @@ static int create_disk(
         tmp = fstab_test_option(options, "tmp\0");
         swap = fstab_test_option(options, "swap\0");
         netdev = fstab_test_option(options, "_netdev\0");
+        attach_in_initrd = fstab_test_option(options, "x-initrd.attach\0");
 
         keyfile_can_timeout = fstab_filter_options(options, "keyfile-timeout\0", NULL, &keyfile_timeout_value, NULL);
         if (keyfile_can_timeout < 0)
@@ -290,12 +291,15 @@ static int create_disk(
                 "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
                 "SourcePath=%s\n"
                 "DefaultDependencies=no\n"
-                "Conflicts=umount.target\n"
                 "IgnoreOnIsolate=true\n"
                 "After=%s\n",
                 arg_crypttab,
                 netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");
 
+        /* If initrd takes care of attaching the disk then it should also detach it during shutdown. */
+        if (!attach_in_initrd)
+                fprintf(f, "Conflicts=umount.target\n");
+
         if (password) {
                 password_escaped = specifier_escape(password);
                 if (!password_escaped)
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 8723eb4c01..19f075dfeb 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -228,7 +228,7 @@ static int parse_one_option(const char *option) {
                 if (r < 0)
                         return log_error_errno(r, "Failed to parse %s: %m", option);
 
-        } else
+        } else if (!streq(option, "x-initrd.attach"))
                 log_warning("Encountered unknown /etc/crypttab option '%s', ignoring.", option);
 
         return 0;
diff --git a/units/meson.build b/units/meson.build
index 6a3a0d0dea..9da60a431c 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -74,6 +74,7 @@ units = [
          'sysinit.target.wants/'],
         ['sysinit.target',                      ''],
         ['syslog.socket',                       ''],
+        ['system-systemd\\x2dcryptsetup.slice', 'HAVE_LIBCRYPTSETUP'],
         ['system-update.target',                ''],
         ['system-update-pre.target',            ''],
         ['system-update-cleanup.service',       ''],
diff --git a/units/system-systemd\x2dcryptsetup.slice b/units/system-systemd\x2dcryptsetup.slice
new file mode 100644
index 0000000000..83310900a7
--- /dev/null
+++ b/units/system-systemd\x2dcryptsetup.slice
@@ -0,0 +1,13 @@
+#  SPDX-License-Identifier: LGPL-2.1+
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Cryptsetup Units Slice
+Documentation=man:systemd.special(7)
+DefaultDependencies=no