summaryrefslogtreecommitdiff
path: root/man/crypttab.5
diff options
context:
space:
mode:
Diffstat (limited to 'man/crypttab.5')
-rw-r--r--man/crypttab.5246
1 files changed, 246 insertions, 0 deletions
diff --git a/man/crypttab.5 b/man/crypttab.5
new file mode 100644
index 0000000000..d67884b26a
--- /dev/null
+++ b/man/crypttab.5
@@ -0,0 +1,246 @@
+'\" t
+.TH "CRYPTTAB" "5" "" "systemd 208" "crypttab"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+crypttab \- Configuration for encrypted block devices
+.SH "SYNOPSIS"
+.PP
+/etc/crypttab
+.SH "DESCRIPTION"
+.PP
+The
+/etc/crypttab
+file describes encrypted block devices that are set up during system boot\&.
+.PP
+Empty lines and lines starting with the
+"#"
+character are ignored\&. Each of the remaining lines describes one encrypted block device, fields on the line are delimited by white space\&. The first two fields are mandatory, the remaining two are optional\&.
+.PP
+Setting up encrypted block devices using this file supports three encryption modes: LUKS, TrueCrypt and plain\&. See
+\fBcryptsetup\fR(8)
+for more information about each mode\&. When no mode is specified in the options field and the block device contains a LUKS signature, it is opened as a LUKS device; otherwise, it is assumed to be in raw dm\-crypt (plain mode) format\&.
+.PP
+The first field contains the name of the resulting encrypted block device; the device is set up within
+/dev/mapper/\&.
+.PP
+The second field contains a path to the underlying block device or file, or a specification of a block device via
+"UUID="
+followed by the UUID\&.
+.PP
+The third field specifies the encryption password\&. If the field is not present or the password is set to
+"none"
+or
+"\-", the password has to be manually entered during system boot\&. Otherwise, the field is interpreted as a absolute path to a file containing the encryption password\&. For swap encryption,
+/dev/urandom
+or the hardware device
+/dev/hw_random
+can be used as the password file; using
+/dev/random
+may prevent boot completion if the system does not have enough entropy to generate a truly random encryption key\&.
+.PP
+The fourth field, if present, is a comma\-delimited list of options\&. The following options are recognized:
+.PP
+\fIdiscard\fR
+.RS 4
+Allow discard requests to be passed through the encrypted block device\&. This improves performance on SSD storage but has security implications\&.
+.RE
+.PP
+\fIcipher=\fR
+.RS 4
+Specifies the cipher to use\&. See
+\fBcryptsetup\fR(8)
+for possible values and the default value of this option\&. A cipher with unpredictable IV values, such as
+"aes\-cbc\-essiv:sha256", is recommended\&.
+.RE
+.PP
+\fIhash=\fR
+.RS 4
+Specifies the hash to use for password hashing\&. See
+\fBcryptsetup\fR(8)
+for possible values and the default value of this option\&.
+.RE
+.PP
+\fIkeyfile\-offset=\fR
+.RS 4
+Specifies the number of bytes to skip at the start of the key file\&. See
+\fBcryptsetup\fR(8)
+for possible values and the default value of this option\&.
+.RE
+.PP
+\fIkeyfile\-size=\fR
+.RS 4
+Specifies the maximum number of bytes to read from the key file\&. See
+\fBcryptsetup\fR(8)
+for possible values and the default value of this option\&. This option is ignored in plain encryption mode, as the key file size is then given by the key size\&.
+.RE
+.PP
+\fIluks\fR
+.RS 4
+Force LUKS mode\&. When this mode is used, the following options are ignored since they are provided by the LUKS header on the device:
+\fIcipher=\fR,
+\fIhash=\fR,
+\fIsize=\fR\&.
+.RE
+.PP
+\fInoauto\fR
+.RS 4
+This device will not be automatically unlocked on boot\&.
+.RE
+.PP
+\fInofail\fR
+.RS 4
+The system will not wait for the device to show up and be unlocked at boot, and not fail the boot if it does not show up\&.
+.RE
+.PP
+\fIplain\fR
+.RS 4
+Force plain encryption mode\&.
+.RE
+.PP
+\fIread\-only\fR, \fIreadonly\fR
+.RS 4
+Set up the encrypted block device in read\-only mode\&.
+.RE
+.PP
+\fIsize=\fR
+.RS 4
+Specifies the key size in bits\&. See
+\fBcryptsetup\fR(8)
+for possible values and the default value of this option\&.
+.RE
+.PP
+\fIswap\fR
+.RS 4
+The encrypted block device will be used as a swap device, and will be formatted accordingly after setting up the encrypted block device, with
+\fBmkswap\fR(8)\&. This option implies
+\fIplain\fR\&.
+.sp
+WARNING: Using the
+\fIswap\fR
+option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly\&.
+.RE
+.PP
+\fItcrypt\fR
+.RS 4
+Use TrueCrypt encryption mode\&. When this mode is used, the following options are ignored since they are provided by the TrueCrypt header on the device or do not apply:
+\fIcipher=\fR,
+\fIhash=\fR,
+\fIkeyfile\-offset=\fR,
+\fIkeyfile\-size=\fR,
+\fIsize=\fR\&.
+.sp
+When this mode is used, the passphrase is read from the key file given in the third field\&. Only the first line of this file is read, excluding the new line character\&.
+.sp
+Note that the TrueCrypt format uses both passphrase and key files to derive a password for the volume\&. Therefore, the passphrase and all key files need to be provided\&. Use
+\fItcrypt\-keyfile=\fR
+to provide the absolute path to all key files\&. When using an empty passphrase in combination with one or more key files, use
+"/dev/null"
+as the password file in the third field\&.
+.RE
+.PP
+\fItcrypt\-hidden\fR
+.RS 4
+Use the hidden TrueCrypt volume\&. This implies
+\fItcrypt\fR\&.
+.sp
+This will map the hidden volume that is inside of the volume provided in the second field\&. Please note that there is no protection for the hidden volume if the outer volume is mounted instead\&. See
+\fBcryptsetup\fR(8)
+for more information on this limitation\&.
+.RE
+.PP
+\fItcrypt\-keyfile=\fR
+.RS 4
+Specifies the absolute path to a key file to use for a TrueCrypt volume\&. This implies
+\fItcrypt\fR
+and can be used more than once to provide several key files\&.
+.sp
+See the entry for
+\fItcrypt\fR
+on the behavior of the passphrase and key files when using TrueCrypt encryption mode\&.
+.RE
+.PP
+\fItcrypt\-system\fR
+.RS 4
+Use TrueCrypt in system encryption mode\&. This implies
+\fItcrypt\fR\&.
+.sp
+Please note that when using this mode, the whole device needs to be given in the second field instead of the partition\&. For example: if
+"/dev/sda2"
+is the system encrypted TrueCrypt patition,
+"/dev/sda"
+has to be given\&.
+.RE
+.PP
+\fItimeout=\fR
+.RS 4
+Specifies the timeout for querying for a password\&. If no unit is specified, seconds is used\&. Supported units are s, ms, us, min, h, d\&. A timeout of 0 waits indefinitely (which is the default)\&.
+.RE
+.PP
+\fItmp\fR
+.RS 4
+The encrypted block device will be prepared for using it as
+/tmp; it will be formatted using
+\fBmke2fs\fR(8)\&. This option implies
+\fIplain\fR\&.
+.sp
+WARNING: Using the
+\fItmp\fR
+option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly\&.
+.RE
+.PP
+\fItries=\fR
+.RS 4
+Specifies the maximum number of times the user is queried for a password\&. The default is 3\&. If set to 0, the user is queried for a password indefinitely\&.
+.RE
+.PP
+\fIverify\fR
+.RS 4
+If the encryption password is read from console, it has to be entered twice to prevent typos\&.
+.RE
+.PP
+At early boot and when the system manager configuration is reloaded, this file is translated into native systemd units by
+\fBsystemd-cryptsetup-generator\fR(8)\&.
+.SH "EXAMPLE"
+.PP
+\fBExample\ \&1.\ \&/etc/crypttab example\fR
+.PP
+Set up four encrypted block devices\&. One using LUKS for normal storage, another one for usage as a swap device and two TrueCrypt volumes\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+luks UUID=2505567a\-9e27\-4efe\-a4d5\-15ad146c258b
+swap /dev/sda7 /dev/urandom swap
+truecrypt /dev/sda2 /etc/container_password tcrypt
+hidden /mnt/tc_hidden /null tcrypt\-hidden,tcrypt\-keyfile=/etc/keyfile
+.fi
+.if n \{\
+.RE
+.\}
+.SH "SEE ALSO"
+.PP
+\fBsystemd\fR(1),
+\fBsystemd-cryptsetup@.service\fR(8),
+\fBsystemd-cryptsetup-generator\fR(8),
+\fBcryptsetup\fR(8),
+\fBmkswap\fR(8),
+\fBmke2fs\fR(8)
View Lorry Controller Status