<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
This file is part of systemd.
Copyright 2012 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
This is based on crypttab(5) from Fedora's initscripts package, which in
turn is based on Debian's version.
The Red Hat version has been written by Miloslav Trmac <mitr@redhat.com>.
<refentry id="crypttab">
<title>crypttab</title>
<productname>systemd</productname>
<contrib>Documentation</contrib>
<firstname>Miloslav</firstname>
<surname>Trmac</surname>
<email>mitr@redhat.com</email>
<contrib>Documentation</contrib>
<firstname>Lennart</firstname>
<surname>Poettering</surname>
<email>lennart@poettering.net</email>
<refentrytitle>crypttab</refentrytitle>
<manvolnum>5</manvolnum>
<refname>crypttab</refname>
<refpurpose>Configuration for encrypted block devices</refpurpose>
<para><filename>/etc/crypttab</filename></para>
<title>Description</title>
<para>The <filename>/etc/crypttab</filename> file
describes encrypted block devices that are set up
during system boot.</para>
<para>Empty lines and lines starting with the #
character are ignored. Each of the remaining lines
describes one encrypted block device; fields on the
line are delimited by white space. The first two
fields are mandatory, the remaining two are
<para>The first field contains the name of the
resulting encrypted block device; the device is set up
within <filename>/dev/mapper/</filename>.</para>
<para>The second field contains a path to the
underlying block device, or a specification of a block
device via <literal>UUID=</literal> followed by the
UUID. If the block device contains a LUKS signature,
it is opened as a LUKS encrypted partition; otherwise
it is assumed to be a raw dm-crypt partition.</para>
<para>The third field specifies the encryption
password. If the field is not present or the password
is set to none, the password has to be manually
entered during system boot. Otherwise the field is
interpreted as a path to a file containing the
encryption password. For swap encryption
<filename>/dev/urandom</filename> or the hardware
device <filename>/dev/hw_random</filename> can be used
as the password file; using
<filename>/dev/random</filename> may prevent boot
completion if the system does not have enough entropy
to generate a truly random encryption key.</para>
<para>The fourth field, if present, is a
comma-delimited list of options. The following
options are recognized:</para>
<term><varname>cipher=</varname></term>
<listitem><para>Specifies the cipher
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default
value of this option. A cipher with
unpredictable IV values, such as
<literal>aes-cbc-essiv:sha256</literal>,
is recommended.</para></listitem>
<term><varname>size=</varname></term>
<listitem><para>Specifies the key size
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default
option.</para></listitem>
<term><varname>keyfile-offset=</varname></term>
<listitem><para>Specifies the number
of bytes to skip at the start of
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default
value of this option.</para></listitem>
<term><varname>hash=</varname></term>
<listitem><para>Specifies the hash to
use for password hashing; see
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> for possible values and
the default value of this
option.</para></listitem>
<term><varname>tries=</varname></term>
<listitem><para>Specifies the maximum
number of times the user is queried
for a password.</para></listitem>
<term><varname>verify</varname></term>
<listitem><para>If the encryption
password is read from console, it has
to be entered twice (to prevent
typos).</para></listitem>
<term><varname>read-only</varname></term>
<listitem><para>Set up the encrypted
block device in read-only
mode.</para></listitem>
<term><varname>allow-discards</varname></term>
<listitem><para>Allow discard requests
to be passed through the encrypted
block device. This improves
performance on SSD storage but has
implications.</para></listitem>
<term><varname>luks</varname></term>
<listitem><para>Force LUKS mode.</para></listitem>
<term><varname>plain</varname></term>
<listitem><para>Force plain encryption
mode.</para></listitem>
<term><varname>timeout=</varname></term>
<listitem><para>Specify the timeout
for querying for a password. If not
seconds. Supported units are s, ms,
us, min, h, d.</para></listitem>
<term><varname>noauto</varname></term>
<listitem><para>This device will not
be automatically unlocked on
boot.</para></listitem>
<term><varname>nofail</varname></term>
<listitem><para>The system will not
wait for the device to show up and be
unlocked at boot, and not fail the
boot if it doesn't show
up.</para></listitem>
<term><varname>swap</varname></term>
<listitem><para>The encrypted block
device will be used as a swap
partition, and will be formatted as a
swap partition after setting up the
encrypted block device, with
<citerefentry><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<para>WARNING: Using the
<varname>swap</varname> option will
destroy the contents of the named
partition during every boot, so make
sure the underlying block device is
correctly.</para></listitem>
<term><varname>tmp</varname></term>
<listitem><para>The encrypted block
device will be prepared for using it
as <filename>/tmp</filename>
partition: it will be formatted using
<citerefentry><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<para>WARNING: Using the
<varname>tmp</varname> option will
destroy the contents of the named
partition during every boot, so make
sure the underlying block device is
correctly.</para></listitem>
<para>At early boot and when the system manager
configuration is reloaded this file is translated into
by <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<title>Example</title>
<title>/etc/crypttab example</title>
<para>Set up two encrypted block devices with
LUKS: one normal one for storage, and another
one for usage as swap device.</para>
<programlisting>luks-2505567a-9e27-4efe-a4d5-15ad146c258b UUID=2505567a-9e27-4efe-a4d5-15ad146c258b - timeout=0
swap /dev/sda7 /dev/urandom swap</programlisting>
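The following added example (not part of systemd or this man page) parses /etc/crypttab lines according to the field and option rules described above and flags the pitfalls the page warns about: a password file of /dev/random that can stall boot, the swap and tmp options that reformat the device on every boot, and timeout= values without one of the listed units. It assumes that a third field of "-" (as in the example above) means the same as "none", and feeds the parser a constructed sample made of the page's two example lines plus one deliberately risky line.

```python
import re
VALUE_OPTS = {"cipher", "size", "keyfile-offset", "hash", "tries", "timeout"}  # take key=value
FLAG_OPTS = {"verify", "read-only", "allow-discards", "luks", "plain",          # bare flags
             "noauto", "nofail", "swap", "tmp"}

def parse_options(text, lineno):
    opts = {}
    for opt in text.split(","):
        key, sep, val = opt.partition("=")
        if key in VALUE_OPTS and sep:
            opts[key] = val
        elif key in FLAG_OPTS and not sep:
            opts[key] = True
        else:
            raise ValueError(f"line {lineno}: unrecognized option {opt!r}")
    return opts

def lint(entry):
    """Warn about the pitfalls the man page calls out: /dev/random, swap/tmp, timeout units."""
    w = []
    if entry["password"] == "/dev/random":
        w.append("/dev/random may block boot when entropy is low; prefer /dev/urandom")
    for opt in ("swap", "tmp"):
        if opt in entry["options"]:
            w.append(f"{opt}: device is reformatted on every boot; double-check the device")
    t = entry["options"].get("timeout")
    if t is not None and not re.fullmatch(r"\d+(s|ms|us|min|h|d)?", t):  # units the page lists
        w.append(f"timeout={t!r}: expected a number with unit s, ms, us, min, h or d")
    return w

def parse_crypttab(text):
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: name and device fields are mandatory")
        # Missing third field or 'none' means prompt at boot; '-' (man page example) assumed equivalent.
        pw = fields[2] if len(fields) > 2 else "none"
        entry = {"name": fields[0], "device": fields[1], "password": None if pw in ("none", "-") else pw,
                 "options": parse_options(fields[3], lineno) if len(fields) > 3 else {}}
        entry["warnings"] = lint(entry)
        entries.append(entry)
    return entries

SAMPLE = (  # constructed: the man page's two example lines plus one deliberately risky line
    "luks-2505567a-9e27-4efe-a4d5-15ad146c258b UUID=2505567a-9e27-4efe-a4d5-15ad146c258b - timeout=0\n"
    "swap /dev/sda7 /dev/urandom swap\n"
    "badswap /dev/sda8 /dev/random swap,timeout=5x\n")
```

Running `parse_crypttab(SAMPLE)` returns three entries; only the third carries warnings (one each for /dev/random, swap and the malformed timeout).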
<title>See Also</title>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>