From 45ae1a05f98adfccaa3bdc36f8767322ac79c8e2 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 27 Jun 2012 13:23:12 +0200 Subject: [PATCH] man: document /etc/crypttab --- Makefile.am | 3 +- man/crypttab.xml | 284 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 286 insertions(+), 1 deletion(-) create mode 100644 man/crypttab.xml diff --git a/Makefile.am b/Makefile.am index 3718fa871..55d7e39c2 100644 --- a/Makefile.am +++ b/Makefile.am @@ -2610,7 +2610,8 @@ INSTALL_DATA_HOOKS += \ cryptsetup-install-data-hook MANPAGES += \ - man/systemd-cryptsetup@.service.8 + man/systemd-cryptsetup@.service.8 \ + man/crypttab.5 MANPAGES_ALIAS += \ man/systemd-cryptsetup.8 diff --git a/man/crypttab.xml b/man/crypttab.xml new file mode 100644 index 000000000..d61ec95e4 --- /dev/null +++ b/man/crypttab.xml 
@@ -0,0 +1,284 @@ + + + + + + + + crypttab + systemd + + + + Documentation + Miloslav + Trmac + mitr@redhat.com + + + Documentation + Lennart + Poettering + lennart@poettering.net + + + + + + crypttab + 5 + + + + crypttab + Configuration for encrypted block devices + + + + /etc/crypttab + + + + Description + + The /etc/crypttab file + describes encrypted block devices that are set up + during system boot. + + Empty lines and lines starting with the # + character are ignored. Each of the remaining lines + describes one encrypted block device, fields on the + line are delimited by white space. The first two + fields are mandatory, the remaining two are + optional. + + The first field contains the name of the + resulting encrypted block device; the device is set up + within /dev/mapper/. + + The second field contains a path to the + underlying block device, or a specification of a block + device via UUID= followed by the + UUID. If the block device contains a LUKS signature, + it is opened as a LUKS encrypted partition; otherwise + it is assumed to be a raw dm-crypt partition. + + The third field specifies the encryption + password. If the field is not present or the password + is set to none, the password has to be manually + entered during system boot. Otherwise the field is + interpreted as a path to a file containing the + encryption password. For swap encryption + /dev/urandom or the hardware + device /dev/hw_random can be used + as the password file; using + /dev/random may prevent boot + completion if the system does not have enough entropy + to generate a truly random encryption key. + + The fourth field, if present, is a + comma-delimited list of options. The following + options are recognized: + + + + cipher= + + Specifies the cipher + to use; see + cryptsetup8 + for possible values and the default + value of this option. A cipher with + unpredictable IV values, such as + aes-cbc-essiv:sha256, + is recommended. 
+ + + + + size= + + Specifies the key size + in bits; see + cryptsetup8 + for possible values and the default + value of this + option. + + + + + hash= + + Specifies the hash to + use for password hashing; see + cryptsetup8 for possible values and + the default value of this + option. + + + + tries= + + Specifies the maximum + number of times the user is queried + for a password. + + + + verify + + If the the encryption + password is read from console, it has + to be entered twice (to prevent + typos). + + + + read-only + + Set up the encrypted + block device in read-only + mode. + + + + allow-discards + + Allow discard requests + to be passed through the encrypted + block device. This improves + performance on SSD storage but has + security + implications. + + + + luks + + Force LUKS mode. + + + + plain + + Force plain encryption + mode. + + + + timeout= + + Specify the timeout + for querying for a password. If not + unit is specified in + seconds. Supported units are s, ms, + us, min, h, d. + + + + noauto + + This device will not + be automatically unlocked on + boot. + + + + nofail + + The system will not + wait for the device to show up and be + unlocked at boot, and not fail the + boot if it doesn't show + up. + + + + swap + + The encrypted block + device will be used as a swap + partition, and will be formatted as a + swap partition after setting up the + encrypted block device, with + mkswap8. + + WARNING: Using the + swap option will + destroy the contents of the named + partition during every boot, so make + sure the underlying block device is + specified + correctly. + + + + tmp + + The encrypted block + device will be prepared for using it + as /tmp + partition: it will be formatted using + mke2fs8. + + WARNING: Using the + tmp option will + destroy the contents of the named + partition during every boot, so make + sure the underlying block device is + specified + correctly. 
+ + + + + + + Example + + /etc/crypttab example + Set up two encrypted block devices with + LUKS: one normal one for storage, and another + one for usage as swap device. + + luks-2505567a-9e27-4efe-a4d5-15ad146c258b UUID=2505567a-9e27-4efe-a4d5-15ad146c258b - timeout=0 +swap /dev/sda7 /dev/urandom swap + + + + + See Also + + systemd1, + systemd-cryptsetup@.service8, + cryptsetup8, + mkswap8, + mke2fs8 + + + + -- 2.30.2
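Review bot: In man/crypttab.xml the Example entry uses `-` as its third field (`... UUID=2505567a-9e27-4efe-a4d5-15ad146c258b - timeout=0`), but the third-field description says only that an absent field or `none` leads to an interactive prompt and that any other value is read as a path to a password file. Either document `-` as an accepted placeholder or change the example to `none`. The example also passes `timeout=0`, and the `timeout=` text does not say what a value of 0 means. The example's introduction says both devices are set up "with LUKS", yet the swap line takes its key from /dev/urandom and is reformatted on every boot, which matches the raw dm-crypt case described under the second field, so that sentence should be corrected. In the option list, `timeout=` contains a broken sentence ("If not unit is specified in seconds"), `verify` has a doubled "the the", and `allow-discards` says only that it "has security implications" without naming them. One sentence on what passing discards through reveals would let an administrator weigh the trade-off. The third-field paragraph also gives no guidance on ownership or permissions for the password file, which deserves a line since that file holds the key material.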