systemd Documentation Miloslav Trmac mitr@redhat.com Documentation Lennart Poettering lennart@poettering.net crypttab 5 crypttab Configuration for encrypted block devices /etc/crypttab The /etc/crypttab file describes encrypted block devices that are set up during system boot. Empty lines and lines starting with the # character are ignored. Each of the remaining lines describes one encrypted block device, fields on the line are delimited by white space. The first two fields are mandatory, the remaining two are optional. The first field contains the name of the resulting encrypted block device; the device is set up within /dev/mapper/. The second field contains a path to the underlying block device, or a specification of a block device via UUID= followed by the UUID. If the block device contains a LUKS signature, it is opened as a LUKS encrypted partition; otherwise it is assumed to be a raw dm-crypt partition. The third field specifies the encryption password. If the field is not present or the password is set to none, the password has to be manually entered during system boot. Otherwise the field is interpreted as a path to a file containing the encryption password. For swap encryption /dev/urandom or the hardware device /dev/hw_random can be used as the password file; using /dev/random may prevent boot completion if the system does not have enough entropy to generate a truly random encryption key. The fourth field, if present, is a comma-delimited list of options. The following options are recognized: cipher= Specifies the cipher to use; see cryptsetup8 for possible values and the default value of this option. A cipher with unpredictable IV values, such as aes-cbc-essiv:sha256, is recommended. size= Specifies the key size in bits; see cryptsetup8 for possible values and the default value of this option. hash= Specifies the hash to use for password hashing; see cryptsetup8 for possible values and the default value of this option. tries= Specifies the maximum number of times the user is queried for a password. verify If the the encryption password is read from console, it has to be entered twice (to prevent typos). read-only Set up the encrypted block device in read-only mode. allow-discards Allow discard requests to be passed through the encrypted block device. This improves performance on SSD storage but has security implications. luks Force LUKS mode. plain Force plain encryption mode. timeout= Specify the timeout for querying for a password. If not unit is specified in seconds. Supported units are s, ms, us, min, h, d. noauto This device will not be automatically unlocked on boot. nofail The system will not wait for the device to show up and be unlocked at boot, and not fail the boot if it doesn't show up. swap The encrypted block device will be used as a swap partition, and will be formatted as a swap partition after setting up the encrypted block device, with mkswap8. WARNING: Using the swap option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly. tmp The encrypted block device will be prepared for using it as /tmp partition: it will be formatted using mke2fs8. WARNING: Using the tmp option will destroy the contents of the named partition during every boot, so make sure the underlying block device is specified correctly. At early boot and when the system manager configuration is reloaded this file is translated into native systemd units by systemd-cryptsetup-generator8. Set up two encrypted block devices with LUKS: one normal one for storage, and another one for usage as swap device. luks-2505567a-9e27-4efe-a4d5-15ad146c258b UUID=2505567a-9e27-4efe-a4d5-15ad146c258b - timeout=0 swap /dev/sda7 /dev/urandom swap systemd1, systemd-cryptsetup@.service8, systemd-cryptsetup-generator8, cryptsetup8, mkswap8, mke2fs8