comma-delimited list of options. The following
options are recognized:</para>
- <variablelist class='crypttab-options'>
+ <variablelist class='fstab-options'>
<varlistentry>
- <term><varname>discard</varname></term>
+ <term><option>discard</option></term>
<listitem><para>Allow discard requests to be
passed through the encrypted block device. This
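Review bot: The class on the variablelist at the top of this hunk changes from 'crypttab-options' to 'fstab-options', yet every entry in the list (discard, cipher=, hash=, key-slot=, ...) is an option for setting up an encrypted device. If the rename is deliberate, the commit message should say why. Otherwise keep 'crypttab-options' so the list is not classified as mount options.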
</varlistentry>
<varlistentry>
- <term><varname>cipher=</varname></term>
+ <term><option>cipher=</option></term>
<listitem><para>Specifies the cipher to use. See
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</varlistentry>
<varlistentry>
- <term><varname>hash=</varname></term>
+ <term><option>hash=</option></term>
<listitem><para>Specifies the hash to use for
password hashing. See
</varlistentry>
<varlistentry>
- <term><varname>keyfile-offset=</varname></term>
+ <term><option>header=</option></term>
+
+ <listitem><para>Use a detached (separated)
+ metadata device or file where the LUKS header
+ is stored. This option is only relevant for
+ LUKS devices. See
+ <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for possible values and the default value of
+ this option.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>keyfile-offset=</option></term>
<listitem><para>Specifies the number of bytes to
skip at the start of the key file. See
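Review bot: The new header= entry says it is "only relevant for LUKS devices" but does not say whether it implies luks or is silently ignored in plain or tcrypt mode, whereas key-slot= later in this patch states "This option implies luks". Please state which behaviour applies so the two LUKS-only options read consistently. It would also help to say whether the path must be absolute, as the tcrypt-keyfile= entry does.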
</varlistentry>
<varlistentry>
- <term><varname>keyfile-size=</varname></term>
+ <term><option>keyfile-size=</option></term>
<listitem><para>Specifies the maximum number
of bytes to read from the key file. See
</varlistentry>
<varlistentry>
- <term><varname>luks</varname></term>
+ <term><option>key-slot=</option></term>
+
+ <listitem><para>Specifies the key slot to
+ compare the passphrase or key against.
+ If the key slot does not match the given
+ passphrase or key, but another would, the
+ setup of the device will fail regardless.
+ This option implies <option>luks</option>. See
+ <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for possible values. The default is to try
+ all key slots in sequential order.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>luks</option></term>
<listitem><para>Force LUKS mode. When this mode
is used, the following options are ignored since
they are provided by the LUKS header on the
- device: <varname>cipher=</varname>,
- <varname>hash=</varname>,
- <varname>size=</varname>.</para></listitem>
+ device: <option>cipher=</option>,
+ <option>hash=</option>,
+ <option>size=</option>.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>noauto</varname></term>
+ <term><option>noauto</option></term>
<listitem><para>This device will not be
automatically unlocked on boot.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>nofail</varname></term>
+ <term><option>nofail</option></term>
<listitem><para>The system will not wait for the
device to show up and be unlocked at boot, and
</varlistentry>
<varlistentry>
- <term><varname>plain</varname></term>
+ <term><option>plain</option></term>
<listitem><para>Force plain encryption mode.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>read-only</varname></term><term><varname>readonly</varname></term>
+ <term><option>read-only</option></term><term><option>readonly</option></term>
<listitem><para>Set up the encrypted block
device in read-only mode.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>size=</varname></term>
+ <term><option>size=</option></term>
<listitem><para>Specifies the key size
in bits. See
</varlistentry>
<varlistentry>
- <term><varname>swap</varname></term>
+ <term><option>swap</option></term>
<listitem><para>The encrypted block device will
be used as a swap device, and will be formatted
accordingly after setting up the encrypted
block device, with
- <citerefentry><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
- This option implies <varname>plain</varname>.</para>
+ <citerefentry project='man-pages'><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+ This option implies <option>plain</option>.</para>
- <para>WARNING: Using the <varname>swap</varname>
+ <para>WARNING: Using the <option>swap</option>
option will destroy the contents of the named
partition during every boot, so make sure the
underlying block device is specified correctly.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>tcrypt</varname></term>
+ <term><option>tcrypt</option></term>
<listitem><para>Use TrueCrypt encryption mode.
When this mode is used, the following options are
ignored since they are provided by the TrueCrypt
header on the device or do not apply:
- <varname>cipher=</varname>,
- <varname>hash=</varname>,
- <varname>keyfile-offset=</varname>,
- <varname>keyfile-size=</varname>,
- <varname>size=</varname>.</para>
+ <option>cipher=</option>,
+ <option>hash=</option>,
+ <option>keyfile-offset=</option>,
+ <option>keyfile-size=</option>,
+ <option>size=</option>.</para>
<para>When this mode is used, the passphrase is
read from the key file given in the third field.
passphrase and key files to derive a password
for the volume. Therefore, the passphrase and
all key files need to be provided. Use
- <varname>tcrypt-keyfile=</varname> to provide
+ <option>tcrypt-keyfile=</option> to provide
the absolute path to all key files. When using
an empty passphrase in combination with one or
more key files, use <literal>/dev/null</literal>
</varlistentry>
<varlistentry>
- <term><varname>tcrypt-hidden</varname></term>
+ <term><option>tcrypt-hidden</option></term>
<listitem><para>Use the hidden TrueCrypt volume.
- This implies <varname>tcrypt</varname>.</para>
+ This option implies <option>tcrypt</option>.</para>
<para>This will map the hidden volume that is
inside of the volume provided in the second
</varlistentry>
<varlistentry>
- <term><varname>tcrypt-keyfile=</varname></term>
+ <term><option>tcrypt-keyfile=</option></term>
<listitem><para>Specifies the absolute path to a
key file to use for a TrueCrypt volume. This
- implies <varname>tcrypt</varname> and can be
+ implies <option>tcrypt</option> and can be
used more than once to provide several key
files.</para>
- <para>See the entry for <varname>tcrypt</varname>
+ <para>See the entry for <option>tcrypt</option>
on the behavior of the passphrase and key files
when using TrueCrypt encryption mode.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>tcrypt-system</varname></term>
+ <term><option>tcrypt-system</option></term>
<listitem><para>Use TrueCrypt in system
- encryption mode. This implies
- <varname>tcrypt</varname>.</para>
-
- <para>Please note that when using this mode, the
- whole device needs to be given in the second
- field instead of the partition. For example: if
- <literal>/dev/sda2</literal> is the system
- encrypted TrueCrypt patition, <literal>/dev/sda</literal>
- has to be given.</para></listitem>
+ encryption mode. This option implies
+ <option>tcrypt</option>.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>timeout=</varname></term>
+ <term><option>timeout=</option></term>
<listitem><para>Specifies the timeout for
querying for a password. If no unit is
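Review bot: The tcrypt-system entry loses its whole second paragraph (the note that the whole device, e.g. /dev/sda rather than /dev/sda2, must be given in the second field) and nothing in the visible lines replaces it. If that requirement no longer holds, say so in the commit message. If it still holds, keep the paragraph and fix only the "patition" typo, since a reader who gives the partition instead has no other hint in this entry.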
</varlistentry>
<varlistentry>
- <term><varname>tmp</varname></term>
+ <term><option>x-systemd.device-timeout=</option></term>
+
+ <listitem><para>Specifies how long
+ systemd should wait for a device to
+ show up before giving up on the
+ entry. The argument is a time in
+ seconds or explicitly specifified
+ units of <literal>s</literal>,
+ <literal>min</literal>,
+ <literal>h</literal>,
+ <literal>ms</literal>.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>tmp</option></term>
<listitem><para>The encrypted block device will
be prepared for using it as <filename>/tmp</filename>;
it will be formatted using
- <citerefentry><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
- This option implies <varname>plain</varname>.</para>
+ <citerefentry project='man-pages'><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+ This option implies <option>plain</option>.</para>
- <para>WARNING: Using the <varname>tmp</varname>
+ <para>WARNING: Using the <option>tmp</option>
option will destroy the contents of the named
partition during every boot, so make sure the
underlying block device is specified correctly.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>tries=</varname></term>
+ <term><option>tries=</option></term>
<listitem><para>Specifies the maximum number of
- times the user is queried for a password.</para></listitem>
+ times the user is queried for a password.
+ The default is 3. If set to 0, the user is
+ queried for a password indefinitely.</para></listitem>
</varlistentry>
<varlistentry>
- <term><varname>verify</varname></term>
+ <term><option>verify</option></term>
<listitem><para> If the encryption password is
read from console, it has to be entered twice to
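Review bot: Typo in the new x-systemd.device-timeout= entry: "explicitly specifified units" should be "explicitly specified units". The entry also gives no default and does not say what a value of 0 means, while the tries= change in the same hunk documents both ("The default is 3. If set to 0, ..."). Please add the same for the timeout.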
<programlisting>luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b
swap /dev/sda7 /dev/urandom swap
truecrypt /dev/sda2 /etc/container_password tcrypt
-hidden /mnt/tc_hidden /null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile</programlisting>
+hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile</programlisting>
</example>
</refsect1>
<citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ <citerefentry project='man-pages'><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>