.TH CRYPTTAB 5
.SH NAME
crypttab \- Configuration for encrypted block devices
.SH "SYNOPSIS"
.PP
\fI/etc/crypttab\fR
.SH "DESCRIPTION"
.PP
The file \fBcrypttab\fR contains information about encrypted block devices
that are set up during the boot process.
.PP
Each line describes one encrypted block device and has at least 2 and at most
4 fields. Fields on each line are separated by tabs or spaces.
Lines starting with '#' are comments and blank lines are ignored.
.PP
The first two fields are mandatory, the remaining two are optional. Each line
has a form of:
.sp
.RS 4
.nf
\fIvolume\-name\fR \fIencrypted\-device\fR \fIkey\-file\fR \fIoptions\fR
.fi
.RE
.sp
.nr step 0 1
.nr PI 3n
The four fields are:
.IP \n+[step]
The first field describes the name of the volume with decrypted data in
\fI/dev/mapper\fR.
.IP \n+[step]
The second field describes the encrypted block device or file. It can be in a
form of a filename, UUID=<uuid>\& or PARTUUID=<partuuid>\&.
.IP \n+[step]
The third field, if present, describes an absolute path to a file with the
encryption key. If the field is empty, a passphrase will be read interactively
from the console.
.IP \n+[step]
The fourth field, if present, is a comma\-delimited list of options. See
\fBSUPPORTED OPTIONS\fR\&.
.SH SUPPORTED OPTIONS
.PP
\fBcipher=\fR<cipher>
.RS 4
Specify the <cipher> encryption algorithm to use. See \fBcryptsetup\fR(8)\& and
\fBcryptsetup \-c\fR\& for details. \fBcryptsetup \-\-help\fR\& has details about
defaults.
.RE
.PP
\fBdiscard\fR
.RS 4
Allow the use of discard (TRIM) requests for the device. This can have a
negative security impact; refer to \fBcryptsetup\-open(8)\fR.
.sp
Needs kernel 3.1 or later.
.RE
.PP
\fBhash=\fR<hash>
.RS 4
Use <hash> as the passphrase hash. For more details refer to
\fBcryptsetup\-open(8)\fR.\&
.RE
.PP
\fBheader=\fR<device or file storing the LUKS header>
.RS 4
Use detached header metadata device or file. For more details refer to
\fBcryptsetup\-open(8)\fR.
.RE
.PP
\fBkeyfile\-offset=\fR<value>
.RS 4
Skip <value> bytes at the beginning of the key file.
For more details refer to \fBcryptsetup\-open\fR(8).
.RE
.PP
\fBkeyfile\-size=\fR<value>
.RS 4
Read a maximum of <value> bytes from the key file. The default is to read the
whole file.
For more details refer to \fBcryptsetup\-open(8)\fR.
.RE
.PP
\fBkeyslot=\fR<0\-N>, \fBkey\-slot=\fR<0\-N>
.RS 4
Select a specific key\-slot to compare the passphrase against.
For more details refer to \fBcryptsetup\-open\fR(8).\&
.RE
.PP
\fBoffset=\fR<number of 512 byte sectors>
.RS 4
Start offset in the backend device in 512\-byte sectors.
.RE
.PP
\fBread\-only\fR, \fBreadonly\fR
.RS 4
Set up a read\-only mapping.
.RE
.PP
\fBskip=\fR<number of 512 byte sectors>
.RS 4
How many 512\-byte sectors of the encrypted data to skip at the beginning. For
details refer to \fBcryptsetup\-open(8)\fR.\&
.RE
.PP
\fBsize=\fR<number of 512 byte sectors>
.RS 4
Set the size of the device in 512\-byte sectors. This option is compatible
only with the \fIplain\fR device type.
.RE
.PP
\fBluks\fR
.RS 4
Force LUKS mode. The following options are ignored: \fBcipher=\fR,
\fBhash=\fR, \fBsize=\fR, \fBoffset=\fR, \fBskip=\fR, \fBverify\fR.
.RE
.PP
\fBswap\fR
.RS 4
Force swap mode. The following options are ignored: \fBkeyslot=\fR,
\fBkey\-slot=\fR, \fBkeyfile\-size=\fR, \fBkeyfile\-offset=\fR, \fBheader=\fR.
For more details refer to \fBcryptsetup\-open(8)\fR section \fBPLAIN\fR.
.RE
.PP
\fBtries=\fR<tries>
.RS 4
Number of attempts the user has to enter the correct passphrase.
.RE
.PP
\fBverify\fR
.RS 4
When interactively asking for a passphrase, ask for it twice and complain if
both inputs do not match.
.RE
.PP
\fBperf\-same_cpu_crypt\fR
.RS 4
Perform encryption using the same CPU that IO was submitted on.
.sp
Needs kernel 4.0 or later.
.RE
.PP
\fBperf\-submit_from_crypt_cpus\fR
.RS 4
Disable offloading writes to a separate thread after encryption.
.sp
Needs kernel 4.0 or later.
.RE
.PP
\fBperf\-no_read_workqueue\fR
.RS 4
Bypass dm\-crypt internal workqueue and process read requests
synchronously.
.sp
Needs kernel 5.9 or later.
.RE
.PP
\fBperf\-no_write_workqueue\fR
.RS 4
Bypass dm\-crypt internal workqueue and process write requests
synchronously.
.sp
Needs kernel 5.9 or later.
.RE
.SH "EXAMPLES"
.PP
.RS 4
.nf
# Encrypted LUKS with interactive password
luks UUID=2505567a\-9e27\-4efe\-a4d5\-15ad146c258b
# Encrypted swap
swap /dev/sda7 /dev/urandom swap
# Encrypted LUKS with a key from a file
storage /dev/nvme1n1p1 /disk.key discard,luks
.fi
.RE
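.PP
The field and option rules above can be checked mechanically before a reboot.
The following Python linter is an added example, not code from this project;
the extra sample entries are constructed, and treating "none" or "-" as an
empty key field is an assumption not stated on this page.

```python
# Added example (not project code): lint crypttab text against this page's rules.
KNOWN = {"cipher", "discard", "hash", "header", "keyfile-offset", "keyfile-size",
         "keyslot", "key-slot", "offset", "read-only", "readonly", "skip", "size",
         "luks", "swap", "tries", "verify", "perf-same_cpu_crypt",
         "perf-submit_from_crypt_cpus", "perf-no_read_workqueue",
         "perf-no_write_workqueue"}
# Options the page lists as ignored when a mode is forced.
IGNORED = {"luks": {"cipher", "hash", "size", "offset", "skip", "verify"},
           "swap": {"keyslot", "key-slot", "keyfile-size", "keyfile-offset", "header"}}
NO_KEY = {"none", "-"}  # assumption: placeholders meaning "no key file"

def lint_crypttab(text):
    """Return (line_number, volume_name, message) findings for crypttab text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.startswith("#"):
            continue  # blank lines and comments are ignored
        fields = raw.split()  # fields are separated by tabs or spaces
        name = fields[0]
        if not 2 <= len(fields) <= 4:
            findings.append((lineno, name, "expected 2 to 4 fields, got %d" % len(fields)))
            continue
        key = fields[2] if len(fields) > 2 else ""
        opts = fields[3].split(",") if len(fields) > 3 else []
        names = [o.split("=", 1)[0] for o in opts if o]
        if key and key not in NO_KEY and not key.startswith("/"):
            findings.append((lineno, name, "key file must be an absolute path: " + key))
        findings += [(lineno, name, "unsupported option: " + o) for o in names if o not in KNOWN]
        if "discard" in names:
            findings.append((lineno, name, "discard (TRIM) enabled: can have a negative security impact"))
        for mode in IGNORED:
            for opt in names:
                if mode in names and opt in IGNORED[mode]:
                    findings.append((lineno, name, "%s is ignored in %s mode" % (opt, mode)))
    return findings

# Constructed sample: the page's three example entries plus two faulty lines.
SAMPLE = """# Encrypted LUKS with interactive password
luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b
swap /dev/sda7 /dev/urandom swap
storage /dev/nvme1n1p1 /disk.key discard,luks
data /dev/sdb1 keys/data.key luks,cipher=aes-xts-plain64,trim
lonely
"""

if __name__ == "__main__":
    for finding in lint_crypttab(SAMPLE):
        print("line %d [%s]: %s" % finding)
```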
.SH "SEE ALSO"
.PP
\fBfstab\fR(5),
\fBcryptsetup\fR(8),
\fBmkswap\fR(8),
\fBmke2fs\fR(8)