1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
|
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd">
<refentry id="file.crypttab">
<xi:include href="variables.xml"
xpointer="xpointer(/refentry/refentryinfo)"
xmlns:xi="http://www.w3.org/2001/XInclude"/>
<refmeta>
<refentrytitle>crypttab</refentrytitle>
<manvolnum>5</manvolnum>
<xi:include href="variables.xml"
xpointer="xpointer(/refentry/refmeta/*)"
xmlns:xi="http://www.w3.org/2001/XInclude"/>
</refmeta>
<refnamediv>
<refname>crypttab</refname>
<refpurpose>static information about encrypted filesystems</refpurpose>
</refnamediv>
<refsect1 id="crypttab.description">
<title>DESCRIPTION</title>
<simpara>
The file <filename>/etc/crypttab</filename> contains descriptive
information about encrypted filesystems. <filename>crypttab</filename>
is only read by programs, and not written; it is the duty of the system
administrator to properly create and maintain this file. Each filesystem is
described on a separate line; fields on each line are separated by tabs or
spaces. Lines starting with <quote>#</quote> are comments, empty lines are
ignored. The order of records in <filename>crypttab</filename> is important
because the init scripts sequentially iterate through
<filename>crypttab</filename> doing their thing.
</simpara>
<simpara>
The first field, <emphasis>target</emphasis>, describes the mapped
device name. It must be a plain filename without any directory components.
A mapped device which encrypts/decrypts data to/from the <emphasis>source
device</emphasis> will be created at
<filename class="devicefile">/dev/mapper/target</filename> by
<command moreinfo="refentry">cryptsetup</command>.
</simpara>
<simpara>
The second field, <emphasis>source device</emphasis>, describes either the
block special device or file (which will be automatically mounted as a loop
device) that should hold the encrypted data.
</simpara>
<simpara>
The third field, <emphasis>key file</emphasis>, describes the file to use
as a key for decrypting the data of the <emphasis>source device</emphasis>.
It can also be a device name (e.g.
<filename class="devicefile">/dev/random</filename>), note however that
LUKS requires a persistent key and therefore does <emphasis>not</emphasis>
support random data keys.
</simpara>
<simpara>
If the <emphasis>key file</emphasis> is the string <quote>none</quote>,
a passphrase will be read interactively from the console. In this case, the
options precheck, check, checkargs and tries may be useful.
</simpara>
<simpara>
The fourth field, <emphasis>options</emphasis>, describes the cryptsetup
options associated with the encryption process. At minimum, the field should
contain the string <emphasis>luks</emphasis> or the
<emphasis>cipher</emphasis>, <emphasis>hash</emphasis> and
<emphasis>size</emphasis> options.
</simpara>
<simpara>
Options are in the format: <emphasis>key</emphasis>=<emphasis>value</emphasis>
[,<emphasis>key</emphasis>=<emphasis>value</emphasis> …]. The
supported options are described below.
</simpara>
<simpara>
Note that all four fields are mandatory and that a missing field will lead
to unspecified behaviour.
</simpara>
</refsect1>
<refsect1 id="crypttab.options">
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term><emphasis>cipher</emphasis>=<cipher></term>
<listitem>
<simpara>
Encryption algorithm. See <command>cryptsetup -c</command>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>size</emphasis>=<size></term>
<listitem>
<simpara>
Encryption key size. See <command>cryptsetup -s</command>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>hash</emphasis>=<hash></term>
<listitem>
<simpara>
Hash algorithm. See <command>cryptsetup -h</command>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>offset</emphasis>=<offset></term>
<listitem>
<simpara>
Start offset. Uses <emphasis role="strong">cryptsetup -o</emphasis>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>skip</emphasis>=<skip></term>
<listitem>
<simpara>
Skip sectors at the beginning. Uses <emphasis role="strong">cryptsetup -p</emphasis>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>verify</emphasis></term>
<listitem>
<simpara>
Verify password. Uses <emphasis role="strong">cryptsetup -y</emphasis>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>readonly</emphasis></term>
<listitem>
<simpara>The backing device is read-only (eg: a dvd).</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>luks</emphasis></term>
<listitem>
<simpara>Use device with luks extensions.</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>swap</emphasis></term>
<listitem>
<simpara>
Run <command moreinfo="refentry">mkswap</command> on the created device.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>tmp</emphasis>=<tmpfs></term>
<listitem>
<simpara>
Run <command moreinfo="refentry">mkfs</command> with filesystem type
<tmpfs> on the created device. Default is ext2.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>precheck</emphasis>=<precheck></term>
<listitem>
<simpara>Check the source device by suitable program; if the check fails,
the device is not created; <precheck> is a script to check the
source device. The sourcedevice is given as an argument to the script.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>check</emphasis>=<check></term>
<listitem>
<simpara>Check the content of the device by a suitable program; if the
check fails, the device is removed. If a program is provided as an
argument, it is run, giving the decrypted volume (target device) as the
first argument, and the value of the checkargs option as the second
argument. Cryptdisks searches for the given program in
<filename class="directory">/lib/cryptsetup/checks/</filename>.
Default is <filename>vol_id</filename>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>checkargs</emphasis>=<arguments></term>
<listitem>
<simpara>Give <arguments> as the second argument to the check
script. See the CHECKSCRIPTS section for more information.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>tries</emphasis>=<num></term>
<listitem>
<simpara>The input of the passphrase is tried <num> times in case
of failure. If you want to disable retries, pass <quote>tries=1</quote>.
Default is 3. For the root device, <quote>tries=0</quote> enables
infinitive retries due to a special case in the initramfs scripts.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>noearly</emphasis></term>
<listitem>
<simpara>The cryptsetup init scripts are invoked twice during the boot
process - once before lvm, evms, raid, etc. are started and once again
after that. Sometimes you need to start your encrypted disks in a special
order. With this option the device is ignored during the first invokation
of the cryptsetup init scripts.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>noauto</emphasis></term>
<listitem>
<simpara>Entirely ignore the device at the boot process. It's still
possible to map the device manually using cryptdisks_start.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>loud</emphasis></term>
<listitem>
<simpara>Be loud. Print warnings if a device does not exist.</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>keyscript</emphasis>=<path></term>
<listitem>
<simpara>
The executable at the indicated path is executed with the
<emphasis>key file</emphasis> from the third field of the crypttab as its
only argument and the output is used as the key. This also works with
encrypted root filesystems via initramfs if the executable is
self-contained (i.e. an executable which does not rely on any external
program which is not present in the initramfs environment).
</simpara>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id="crypttab.checkscripts">
<title>CHECKSCRIPTS</title>
<variablelist>
<varlistentry>
<term><emphasis>vol_id</emphasis></term>
<listitem>
<simpara>Checks for any known filesystem. Supports a filesystem type as
argument via<checkargs>:no checkargs - succeeds if any valid
filesystem is found on the device."none" - succeeds if no valid
filesystem is found on the device."ext3" [or any other filesystem type
like xfs, swap, crypto_LUKS, whatever] - succeedsif an ext3 [or another
given] filesystem type is found on the device.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>un_vol_id</emphasis></term>
<listitem>
<simpara>Checks for no known filesystem. Supports a filesystem type as
argument via<checkargs>:no checkargs - succeeds if no valid
filesystem is found on the device."ext3" [or any other filesystem type
like xfs, swap, crypto_LUKS, whatever] - succeedsif no ext3 [or another
given] filesystem type is found on the device.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>ext2</emphasis></term>
<listitem>
<simpara>Checks for a valid ext2/ext3 filesystem.</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>xfs</emphasis></term>
<listitem>
<simpara>Checks for a valid xfs filesystem.</simpara>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id="crypttab.examples">
<title>EXAMPLES</title>
<para>
<screen>
# Encrypted swap device
cswap /dev/sda6 /dev/random swap
# Encrypted luks disk with interactive password
cdisk0 /dev/hda1 none luks
# Encrypted ext2 disk with interactive password
# - retry 5 times if the check fails
cdisk1 /dev/sda2 none checkargs=ext2,tries=5
# Encrypted disk with interactive password
# - use a nondefault check script
# - no retries
cdisk2 /dev/hdc1 none check=customscript,tries=1
# Encrypted disk with interactive password
# - twofish as the cipher
cdisk3 /dev/sda3 none cipher=twofish
</screen>
</para>
</refsect1>
<refsect1 id="crypttab.environment">
<title>ENVIRONMENT</title>
<variablelist>
<varlistentry>
<term><emphasis>CRYPTDISKS_ENABLE</emphasis></term>
<listitem>
<simpara>
Set to <emphasis>yes</emphasis> to run cryptdisks at startup. Set to
<emphasis>no</emphasis> to disable cryptdisks.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>CRYPTDISKS_MOUNT</emphasis></term>
<listitem>
<simpara>Specifies the mountpoints that are mounted before cryptdisks is
invoked. Useful for keys on removable devices, such as cdrom, usbstick,
flashcard, etc.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>CRYPTDISKS_CHECK</emphasis></term>
<listitem>
<simpara>Specifies the checkscript to be run against the target device,
after cryptdisks has been invoked. The target device is passed as the
first and only argument to the checkscript. Takes effect if the
<emphasis>check</emphasis> option is given in crypttab with no value.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>CRYPTDISKS_PRECHECK</emphasis></term>
<listitem>
<simpara>Specifies the checkscript to be run against the source device,
before cryptdisks has been invoked. The source device is given as the
first and only argument to the checkscript. Takes effect if the
<emphasis>precheck</emphasis> option is given in crypttab with no value.
</simpara>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id="crypttab.see_also">
<title>SEE ALSO</title>
<simplelist type="inline">
<member><command moreinfo="refentry">cryptsetup</command>(8)</member>
<member><filename>/etc/crypttab</filename></member>
</simplelist>
</refsect1>
<refsect1 id="crypttab.author">
<title>AUTHOR</title>
<simpara>
This manual page was originally written by
<author>
<firstname>Bastian</firstname>
<surname>Kleineidam</surname>
</author>
<email>calvin@debian.org</email>
for the Debian distribution of cryptsetup. It has been further improved by
<author>
<firstname>Michael</firstname>
<surname>Gebetsroither</surname>
</author>
<email>michael.geb@gmx.at</email>,
<author>
<firstname>Jonas</firstname>
<surname>Meurer</surname>
</author>
<email>jonas@freesources.org</email>
and
<author>
<firstname>David</firstname>
<surname>Härdeman</surname>
</author>
<email>david@hardeman.nu</email>.
</simpara>
</refsect1>
</refentry>
|
