X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fcrypttab.xml;h=aeacc579733f137a92457047f6ca190c9fd92241;hp=90d8ce95fe5710f9fcb180f5f50cec7553f94046;hb=4a6970c5354cd367b1fa62114057d8e084a20403;hpb=404dac4d96f4aaf66026e8b412c4b67e8773cffa diff --git a/man/crypttab.xml b/man/crypttab.xml index 90d8ce95f..aeacc5797 100644 --- a/man/crypttab.xml +++ b/man/crypttab.xml @@ -27,355 +27,366 @@ --> - - crypttab - systemd - - - - Documentation - Miloslav - Trmac - mitr@redhat.com - - - Documentation - Lennart - Poettering - lennart@poettering.net - - - - - - crypttab - 5 - - - - crypttab - Configuration for encrypted block devices - - - - /etc/crypttab - - - - Description - - The /etc/crypttab file - describes encrypted block devices that are set up - during system boot. - - Empty lines and lines starting with the # - character are ignored. Each of the remaining lines - describes one encrypted block device, fields on the - line are delimited by white space. The first two - fields are mandatory, the remaining two are - optional. - - Setting up encrypted block devices using this file - supports three encryption modes: LUKS, TrueCrypt and plain. - See cryptsetup8 - for more information about each mode. When no mode is specified - in the options field and the block device contains a LUKS - signature, it is opened as a LUKS device; otherwise, it is - assumed to be in raw dm-crypt (plain mode) format. - - The first field contains the name of the - resulting encrypted block device; the device is set up - within /dev/mapper/. - - The second field contains a path to the - underlying block device or file, or a specification of a block - device via UUID= followed by the - UUID. - - The third field specifies the encryption - password. If the field is not present or the password - is set to none or -, - the password has to be manually entered during system boot. - Otherwise, the field is interpreted as a absolute path to - a file containing the encryption password. For swap encryption, - /dev/urandom or the hardware - device /dev/hw_random can be used - as the password file; using - /dev/random may prevent boot - completion if the system does not have enough entropy - to generate a truly random encryption key. - - The fourth field, if present, is a - comma-delimited list of options. The following - options are recognized: - - - - - discard - - Allow discard requests to be - passed through the encrypted block device. This - improves performance on SSD storage but has - security implications. - - - - cipher= - - Specifies the cipher to use. See - cryptsetup8 - for possible values and the default value of - this option. A cipher with unpredictable IV - values, such as aes-cbc-essiv:sha256, - is recommended. - - - - hash= - - Specifies the hash to use for - password hashing. See - cryptsetup8 - for possible values and the default value of - this option. - - - - keyfile-offset= - - Specifies the number of bytes to - skip at the start of the key file. See - cryptsetup8 - for possible values and the default value of - this option. - - - - keyfile-size= - - Specifies the maximum number - of bytes to read from the key file. See - cryptsetup8 - for possible values and the default value of - this option. This option is ignored in plain - encryption mode, as the key file size is then - given by the key size. - - - - luks - - Force LUKS mode. When this mode - is used, the following options are ignored since - they are provided by the LUKS header on the - device: cipher=, - hash=, - size=. - - - - noauto - - This device will not be - automatically unlocked on boot. - - - - nofail - - The system will not wait for the - device to show up and be unlocked at boot, and - not fail the boot if it does not show up. - - - - plain - - Force plain encryption mode. - - - - read-onlyreadonly - - Set up the encrypted block - device in read-only mode. - - - - size= - - Specifies the key size - in bits. See - cryptsetup8 - for possible values and the default value of - this option. - - - - swap - - The encrypted block device will - be used as a swap device, and will be formatted - accordingly after setting up the encrypted - block device, with - mkswap8. - This option implies plain. - - WARNING: Using the swap - option will destroy the contents of the named - partition during every boot, so make sure the - underlying block device is specified correctly. - - - - tcrypt - - Use TrueCrypt encryption mode. - When this mode is used, the following options are - ignored since they are provided by the TrueCrypt - header on the device or do not apply: - cipher=, - hash=, - keyfile-offset=, - keyfile-size=, - size=. - - When this mode is used, the passphrase is - read from the key file given in the third field. - Only the first line of this file is read, - excluding the new line character. - - Note that the TrueCrypt format uses both - passphrase and key files to derive a password - for the volume. Therefore, the passphrase and - all key files need to be provided. Use - tcrypt-keyfile= to provide - the absolute path to all key files. When using - an empty passphrase in combination with one or - more key files, use /dev/null - as the password file in the third field. - - - - tcrypt-hidden - - Use the hidden TrueCrypt volume. - This implies tcrypt. - - This will map the hidden volume that is - inside of the volume provided in the second - field. Please note that there is no protection - for the hidden volume if the outer volume is - mounted instead. See - cryptsetup8 - for more information on this limitation. - - - - tcrypt-keyfile= - - Specifies the absolute path to a - key file to use for a TrueCrypt volume. This - implies tcrypt and can be - used more than once to provide several key - files. - - See the entry for tcrypt - on the behavior of the passphrase and key files - when using TrueCrypt encryption mode. - - - - tcrypt-system - - Use TrueCrypt in system - encryption mode. This implies - tcrypt. - - Please note that when using this mode, the - whole device needs to be given in the second - field instead of the partition. For example: if - /dev/sda2 is the system - encrypted TrueCrypt patition, /dev/sda - has to be given. - - - - timeout= - - Specifies the timeout for - querying for a password. If no unit is - specified, seconds is used. Supported units are - s, ms, us, min, h, d. A timeout of 0 waits - indefinitely (which is the default). - - - - tmp - - The encrypted block device will - be prepared for using it as /tmp; - it will be formatted using - mke2fs8. - This option implies plain. - - WARNING: Using the tmp - option will destroy the contents of the named - partition during every boot, so make sure the - underlying block device is specified correctly. - - - - tries= - - Specifies the maximum number of - times the user is queried for a password. - The default is 3. If set to 0, the user is - queried for a password indefinitely. - - - - verify - - If the encryption password is - read from console, it has to be entered twice to - prevent typos. - - - - - At early boot and when the system manager - configuration is reloaded, this file is translated into - native systemd units - by systemd-cryptsetup-generator8. - - - - Example - - /etc/crypttab example - Set up four encrypted block devices. One using - LUKS for normal storage, another one for usage as a swap - device and two TrueCrypt volumes. - - luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b -swap /dev/sda7 /dev/urandom swap + + crypttab + systemd + + + + Documentation + Miloslav + Trmac + mitr@redhat.com + + + Documentation + Lennart + Poettering + lennart@poettering.net + + + + + + crypttab + 5 + + + + crypttab + Configuration for encrypted block devices + + + + /etc/crypttab + + + + Description + + The /etc/crypttab file describes + encrypted block devices that are set up during system boot. + + Empty lines and lines starting with the # + character are ignored. Each of the remaining lines describes one + encrypted block device, fields on the line are delimited by white + space. The first two fields are mandatory, the remaining two are + optional. + + Setting up encrypted block devices using this file supports + three encryption modes: LUKS, TrueCrypt and plain. See + cryptsetup8 + for more information about each mode. When no mode is specified in + the options field and the block device contains a LUKS signature, + it is opened as a LUKS device; otherwise, it is assumed to be in + raw dm-crypt (plain mode) format. + + The first field contains the name of the resulting encrypted + block device; the device is set up within + /dev/mapper/. + + The second field contains a path to the underlying block + device or file, or a specification of a block device via + UUID= followed by the UUID. + + The third field specifies the encryption password. If the + field is not present or the password is set to + none or -, the password has + to be manually entered during system boot. Otherwise, the field is + interpreted as a absolute path to a file containing the encryption + password. For swap encryption, /dev/urandom + or the hardware device /dev/hw_random can be + used as the password file; using /dev/random + may prevent boot completion if the system does not have enough + entropy to generate a truly random encryption key. + + The fourth field, if present, is a comma-delimited list of + options. The following options are recognized: + + + + + + + Allow discard requests to be passed through + the encrypted block device. This improves performance on SSD + storage but has security implications. + + + + + + Specifies the cipher to use. See + cryptsetup8 + for possible values and the default value of this option. A + cipher with unpredictable IV values, such as + aes-cbc-essiv:sha256, is + recommended. + + + + + + Specifies the hash to use for password + hashing. See + cryptsetup8 + for possible values and the default value of this + option. + + + + + + Use a detached (separated) metadata device or + file where the LUKS header is stored. This option is only + relevant for LUKS devices. See + cryptsetup8 + for possible values and the default value of this + option. + + + + + + Specifies the number of bytes to skip at the + start of the key file. See + cryptsetup8 + for possible values and the default value of this + option. + + + + + + Specifies the maximum number of bytes to read + from the key file. See + cryptsetup8 + for possible values and the default value of this option. This + option is ignored in plain encryption mode, as the key file + size is then given by the key size. + + + + + + Specifies the key slot to compare the + passphrase or key against. If the key slot does not match the + given passphrase or key, but another would, the setup of the + device will fail regardless. This option implies + . See + cryptsetup8 + for possible values. The default is to try all key slots in + sequential order. + + + + + + Force LUKS mode. When this mode is used, the + following options are ignored since they are provided by the + LUKS header on the device: , + , + . + + + + + + This device will not be automatically unlocked + on boot. + + + + + + The system will not wait for the device to + show up and be unlocked at boot, and not fail the boot if it + does not show up. + + + + + + Force plain encryption mode. + + + + + + Set up the encrypted block device in read-only + mode. + + + + + + Specifies the key size in bits. See + cryptsetup8 + for possible values and the default value of this + option. + + + + + + The encrypted block device will be used as a + swap device, and will be formatted accordingly after setting + up the encrypted block device, with + mkswap8. + This option implies . + + WARNING: Using the option will + destroy the contents of the named partition during every boot, + so make sure the underlying block device is specified + correctly. + + + + + + Use TrueCrypt encryption mode. When this mode + is used, the following options are ignored since they are + provided by the TrueCrypt header on the device or do not + apply: + , + , + , + , + . + + When this mode is used, the passphrase is read from the + key file given in the third field. Only the first line of this + file is read, excluding the new line character. + + Note that the TrueCrypt format uses both passphrase and + key files to derive a password for the volume. Therefore, the + passphrase and all key files need to be provided. Use + to provide the absolute path + to all key files. When using an empty passphrase in + combination with one or more key files, use + /dev/null as the password file in the third + field. + + + + + + Use the hidden TrueCrypt volume. This option + implies . + + This will map the hidden volume that is inside of the + volume provided in the second field. Please note that there is + no protection for the hidden volume if the outer volume is + mounted instead. See + cryptsetup8 + for more information on this limitation. + + + + + + Specifies the absolute path to a key file to + use for a TrueCrypt volume. This implies + and can be used more than once to + provide several key files. + + See the entry for on the + behavior of the passphrase and key files when using TrueCrypt + encryption mode. + + + + + + Use TrueCrypt in system encryption mode. This + option implies . + + + + + + Specifies the timeout for querying for a + password. If no unit is specified, seconds is used. Supported + units are s, ms, us, min, h, d. A timeout of 0 waits + indefinitely (which is the default). + + + + + + Specifies how long systemd should wait for a + device to show up before giving up on the entry. The argument + is a time in seconds or explicitly specified units of + s, + min, + h, + ms. + + + + + + + The encrypted block device will be prepared + for using it as /tmp; it will be + formatted using + mke2fs8. + This option implies . + + WARNING: Using the option will + destroy the contents of the named partition during every boot, + so make sure the underlying block device is specified + correctly. + + + + + + Specifies the maximum number of times the user + is queried for a password. The default is 3. If set to 0, the + user is queried for a password indefinitely. + + + + + + If the encryption password is read from + console, it has to be entered twice to prevent + typos. + + + + + At early boot and when the system manager configuration is + reloaded, this file is translated into native systemd units by + systemd-cryptsetup-generator8. + + + + Example + + /etc/crypttab example + Set up four encrypted block devices. One using LUKS for + normal storage, another one for usage as a swap device and two + TrueCrypt volumes. + + luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b +swap /dev/sda7 /dev/urandom swap truecrypt /dev/sda2 /etc/container_password tcrypt -hidden /mnt/tc_hidden /null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile - - - - - See Also - - systemd1, - systemd-cryptsetup@.service8, - systemd-cryptsetup-generator8, - cryptsetup8, - mkswap8, - mke2fs8 - - +hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile + + + + + See Also + + systemd1, + systemd-cryptsetup@.service8, + systemd-cryptsetup-generator8, + cryptsetup8, + mkswap8, + mke2fs8 + +