X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fcrypttab.xml;h=aeacc579733f137a92457047f6ca190c9fd92241;hp=acc702961d4b89b0a1191d13fb5b1d82a6bc76f5;hb=4a6970c5354cd367b1fa62114057d8e084a20403;hpb=c93350728e822c3da7522664cf0a0e0ee10509fa diff --git a/man/crypttab.xml b/man/crypttab.xml index acc702961..aeacc5797 100644 --- a/man/crypttab.xml +++ b/man/crypttab.xml 
@@ -25,290 +25,368 @@ The Red Hat version has been written by Miloslav Trmac . --> - - - - crypttab - systemd - - - - Documentation - Miloslav - Trmac - mitr@redhat.com - - - Documentation - Lennart - Poettering - lennart@poettering.net - - - - - - crypttab - 5 - - - - crypttab - Configuration for encrypted block devices - - - - /etc/crypttab - - - - Description - - The /etc/crypttab file - describes encrypted block devices that are set up - during system boot. - - Empty lines and lines starting with the # - character are ignored. Each of the remaining lines - describes one encrypted block device, fields on the - line are delimited by white space. The first two - fields are mandatory, the remaining two are - optional. - - The first field contains the name of the - resulting encrypted block device; the device is set up - within /dev/mapper/. - - The second field contains a path to the - underlying block device, or a specification of a block - device via UUID= followed by the - UUID. If the block device contains a LUKS signature, - it is opened as a LUKS encrypted partition; otherwise - it is assumed to be a raw dm-crypt partition. - - The third field specifies the encryption - password. If the field is not present or the password - is set to none, the password has to be manually - entered during system boot. Otherwise the field is - interpreted as a path to a file containing the - encryption password. For swap encryption - /dev/urandom or the hardware - device /dev/hw_random can be used - as the password file; using - /dev/random may prevent boot - completion if the system does not have enough entropy - to generate a truly random encryption key. - - The fourth field, if present, is a - comma-delimited list of options. The following - options are recognized: - - - - cipher= - - Specifies the cipher - to use; see - cryptsetup8 - for possible values and the default - value of this option. 
A cipher with - unpredictable IV values, such as - aes-cbc-essiv:sha256, - is recommended. - - - - - size= - - Specifies the key size - in bits; see - cryptsetup8 - for possible values and the default - value of this - option. - - - - - keyfile-size= - - Specifies the maximum number - of bytes to read from the keyfile; see - cryptsetup8 - for possible values and the default - value of this option. This option is ignored - in plain encryption mode, as the keyfile-size is then given by the key size. - - - - - keyfile-offset= - - Specifies the number - of bytes to skip at the start of - the keyfile; see - cryptsetup8 - for possible values and the default - value of this option. - - - - - hash= - - Specifies the hash to - use for password hashing; see - cryptsetup8 for possible values and - the default value of this - option. - - - - tries= - - Specifies the maximum - number of times the user is queried - for a password. - - - - verify - - If the encryption - password is read from console, it has - to be entered twice (to prevent - typos). - - - - read-only - - Set up the encrypted - block device in read-only - mode. - - - - allow-discards - - Allow discard requests - to be passed through the encrypted - block device. This improves - performance on SSD storage but has - security - implications. - - - - luks - - Force LUKS mode. - - - - plain - - Force plain encryption - mode. - - - - timeout= - - Specify the timeout - for querying for a password. If no - unit is specified seconds is used. - Supported units are s, ms, - us, min, h, d. A timeout of 0 waits - indefinitely. - - - - noauto - - This device will not - be automatically unlocked on - boot. - - - - nofail - - The system will not - wait for the device to show up and be - unlocked at boot, and not fail the - boot if it doesn't show - up. 
- - - - swap - - The encrypted block - device will be used as a swap - partition, and will be formatted as a - swap partition after setting up the - encrypted block device, with - mkswap8. - - WARNING: Using the - swap option will - destroy the contents of the named - partition during every boot, so make - sure the underlying block device is - specified - correctly. - - - - tmp - - The encrypted block - device will be prepared for using it - as /tmp - partition: it will be formatted using - mke2fs8. - - WARNING: Using the - tmp option will - destroy the contents of the named - partition during every boot, so make - sure the underlying block device is - specified - correctly. - - - - At early boot and when the system manager - configuration is reloaded this file is translated into - native systemd units - by systemd-cryptsetup-generator8. - - - - Example - - /etc/crypttab example - Set up two encrypted block devices with - LUKS: one normal one for storage, and another - one for usage as swap device. - - luks-2505567a-9e27-4efe-a4d5-15ad146c258b UUID=2505567a-9e27-4efe-a4d5-15ad146c258b - timeout=0 -swap /dev/sda7 /dev/urandom swap - - - - - See Also - - systemd1, - systemd-cryptsetup@.service8, - systemd-cryptsetup-generator8, - cryptsetup8, - mkswap8, - mke2fs8 - - + + + + crypttab + systemd + + + + Documentation + Miloslav + Trmac + mitr@redhat.com + + + Documentation + Lennart + Poettering + lennart@poettering.net + + + + + + crypttab + 5 + + + + crypttab + Configuration for encrypted block devices + + + + /etc/crypttab + + + + Description + + The /etc/crypttab file describes + encrypted block devices that are set up during system boot. + + Empty lines and lines starting with the # + character are ignored. Each of the remaining lines describes one + encrypted block device, fields on the line are delimited by white + space. The first two fields are mandatory, the remaining two are + optional. 
+ + Setting up encrypted block devices using this file supports + three encryption modes: LUKS, TrueCrypt and plain. See + cryptsetup8 + for more information about each mode. When no mode is specified in + the options field and the block device contains a LUKS signature, + it is opened as a LUKS device; otherwise, it is assumed to be in + raw dm-crypt (plain mode) format. + + The first field contains the name of the resulting encrypted + block device; the device is set up within + /dev/mapper/. + + The second field contains a path to the underlying block + device or file, or a specification of a block device via + UUID= followed by the UUID. + + The third field specifies the encryption password. If the + field is not present or the password is set to + none or -, the password has + to be manually entered during system boot. Otherwise, the field is + interpreted as a absolute path to a file containing the encryption + password. For swap encryption, /dev/urandom + or the hardware device /dev/hw_random can be + used as the password file; using /dev/random + may prevent boot completion if the system does not have enough + entropy to generate a truly random encryption key. + + The fourth field, if present, is a comma-delimited list of + options. The following options are recognized: + + + + + + + Allow discard requests to be passed through + the encrypted block device. This improves performance on SSD + storage but has security implications. + + + + + + Specifies the cipher to use. See + cryptsetup8 + for possible values and the default value of this option. A + cipher with unpredictable IV values, such as + aes-cbc-essiv:sha256, is + recommended. + + + + + + Specifies the hash to use for password + hashing. See + cryptsetup8 + for possible values and the default value of this + option. + + + + + + Use a detached (separated) metadata device or + file where the LUKS header is stored. This option is only + relevant for LUKS devices. 
See + cryptsetup8 + for possible values and the default value of this + option. + + + + + + Specifies the number of bytes to skip at the + start of the key file. See + cryptsetup8 + for possible values and the default value of this + option. + + + + + + Specifies the maximum number of bytes to read + from the key file. See + cryptsetup8 + for possible values and the default value of this option. This + option is ignored in plain encryption mode, as the key file + size is then given by the key size. + + + + + + Specifies the key slot to compare the + passphrase or key against. If the key slot does not match the + given passphrase or key, but another would, the setup of the + device will fail regardless. This option implies + . See + cryptsetup8 + for possible values. The default is to try all key slots in + sequential order. + + + + + + Force LUKS mode. When this mode is used, the + following options are ignored since they are provided by the + LUKS header on the device: , + , + . + + + + + + This device will not be automatically unlocked + on boot. + + + + + + The system will not wait for the device to + show up and be unlocked at boot, and not fail the boot if it + does not show up. + + + + + + Force plain encryption mode. + + + + + + Set up the encrypted block device in read-only + mode. + + + + + + Specifies the key size in bits. See + cryptsetup8 + for possible values and the default value of this + option. + + + + + + The encrypted block device will be used as a + swap device, and will be formatted accordingly after setting + up the encrypted block device, with + mkswap8. + This option implies . + + WARNING: Using the option will + destroy the contents of the named partition during every boot, + so make sure the underlying block device is specified + correctly. + + + + + + Use TrueCrypt encryption mode. 
When this mode + is used, the following options are ignored since they are + provided by the TrueCrypt header on the device or do not + apply: + , + , + , + , + . + + When this mode is used, the passphrase is read from the + key file given in the third field. Only the first line of this + file is read, excluding the new line character. + + Note that the TrueCrypt format uses both passphrase and + key files to derive a password for the volume. Therefore, the + passphrase and all key files need to be provided. Use + to provide the absolute path + to all key files. When using an empty passphrase in + combination with one or more key files, use + /dev/null as the password file in the third + field. + + + + + + Use the hidden TrueCrypt volume. This option + implies . + + This will map the hidden volume that is inside of the + volume provided in the second field. Please note that there is + no protection for the hidden volume if the outer volume is + mounted instead. See + cryptsetup8 + for more information on this limitation. + + + + + + Specifies the absolute path to a key file to + use for a TrueCrypt volume. This implies + and can be used more than once to + provide several key files. + + See the entry for on the + behavior of the passphrase and key files when using TrueCrypt + encryption mode. + + + + + + Use TrueCrypt in system encryption mode. This + option implies . + + + + + + Specifies the timeout for querying for a + password. If no unit is specified, seconds is used. Supported + units are s, ms, us, min, h, d. A timeout of 0 waits + indefinitely (which is the default). + + + + + + Specifies how long systemd should wait for a + device to show up before giving up on the entry. The argument + is a time in seconds or explicitly specified units of + s, + min, + h, + ms. + + + + + + + The encrypted block device will be prepared + for using it as /tmp; it will be + formatted using + mke2fs8. + This option implies . 
+ + WARNING: Using the option will + destroy the contents of the named partition during every boot, + so make sure the underlying block device is specified + correctly. + + + + + + Specifies the maximum number of times the user + is queried for a password. The default is 3. If set to 0, the + user is queried for a password indefinitely. + + + + + + If the encryption password is read from + console, it has to be entered twice to prevent + typos. + + + + + At early boot and when the system manager configuration is + reloaded, this file is translated into native systemd units by + systemd-cryptsetup-generator8. + + + + Example + + /etc/crypttab example + Set up four encrypted block devices. One using LUKS for + normal storage, another one for usage as a swap device and two + TrueCrypt volumes. + + luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b +swap /dev/sda7 /dev/urandom swap +truecrypt /dev/sda2 /etc/container_password tcrypt +hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile + + + + + See Also + + systemd1, + systemd-cryptsetup@.service8, + systemd-cryptsetup-generator8, + cryptsetup8, + mkswap8, + mke2fs8 + +
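Review bot: the two timeout entries in this hunk disagree on the accepted units: the password timeout entry lists "s, ms, us, min, h, d" while the device-timeout entry lists only "s, min, h, ms"; if both are parsed by the same time-span code, the second list should either match the first or state that it is not exhaustive, otherwise readers will assume d and us are rejected there. Two smaller points in the same hunk: in the third-field paragraph "interpreted as a absolute path" should read "interpreted as an absolute path", and that paragraph calls the field the "password" while the new TrueCrypt entry calls the same field the "passphrase"; pick one term. The allow-discards entry still says only that it "has security implications" without saying what they are or where to read about them, unlike every other entry that ends with a pointer to cryptsetup(8); adding the same "See cryptsetup(8)" reference there would give the reader somewhere to look before enabling it. Finally, the new example line "hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile" does illustrate the empty-passphrase case described in the tcrypt entry, but the example caption could say so explicitly, since /dev/null as a password file is surprising at first read.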