NAME
crypttab - static information about crypted filesystems
SYNOPSIS
crypttab <target device> <source device> <key file> <options>
DESCRIPTION
The file crypttab (usually located at /etc/crypttab) contains descriptive information about encrypted file systems. crypttab is only read by programs, never written by them; it is the duty of the system administrator to properly create and maintain this file. Each file system is described on a separate line; fields on each line are separated by tabs or spaces. Lines starting with "#" are comments; empty lines are ignored. The order of records in crypttab is important because the /etc/init.d/cryptdisks script iterates through crypttab sequentially, processing each record in turn. Note that all four fields are mandatory and that a missing field will lead to unspecified behaviour.
The first field, target device, describes the mapped device name. It must be a plain filename without any directories. A mapped device /dev/mapper/<device name> will be created by cryptsetup(8), encrypting data written to and decrypting data read from the source device.
The second field, source device, describes the block special device that should hold the encrypted data.
The third field, key file, describes the file to use for decrypting the encrypted data of the source device.
It can also be a device name (e.g. /dev/random, which is useful for encrypted swap devices). Warning: LUKS does not support random data keys (like /dev/random); it requires a persistent key.
If the key file is the string none, the key data (i.e. a password) will be read interactively from the console. In this case, the options precheck, check, checkargs and tries may be useful.
The fourth field, options, describes the cryptsetup options associated with the encryption process. At minimum, the field should contain the string luks or the cipher, hash and size options.
Options are in the format: key=value[,key=value ...]. The following options are supported:
OPTIONS
cipher=<cipher>
Encryption algorithm. See cryptsetup -c.
size=<size>
Encryption key size. See cryptsetup -s.
hash=<hash>
Hash algorithm. See cryptsetup -h.
verify
Verify password. Uses cryptsetup -y.
readonly
The backing device is read-only (e.g. a DVD).
luks
Use the device with LUKS extensions.
swap
Run mkswap on the created device.
tmp
Run mke2fs on the created device.
precheck=<precheck>
Check the source device with a suitable program; if the check fails, the device is not created. <precheck> is a script to check the source device. The source device is given as argument to the script.
check=<check>
Check the content of the device by a suitable program; if the check fails the device is removed. If a program is provided as argument, it is run, giving the decrypted volume (target device) as first, and the value of the checkargs option as second argument. Cryptdisks searches for the given program in /lib/cryptsetup/checks/. Default is vol_id.
checkargs=<arguments>
Give <arguments> as the second argument to the check script. See the CHECKSCRIPTS section for more information.
tries=<num>
Passphrase entry is attempted up to <num> times if it fails. To disable retries, give tries=1 as argument. Default is 3.
timeout=<sec>
If key is "none", the cryptdisks script interactively prompts for a password. The timeout option specifies the time in seconds to wait for the password before timing out.
loud
Be loud. Print warnings if a device does not exist.
keyscript=<path>
The executable at the indicated path is executed with the key file from the third field of the crypttab as its only argument, and the output is used as the key. This also works with encrypted root filesystems via initramfs if the executable is self-contained (i.e. not a shell script which relies on external programs).
CHECKSCRIPTS
vol_id
Checks for any known filesystem. Supports a filesystem type as argument via <checkargs>:
no checkargs - succeeds if any valid filesystem is found on the device.
"none" - succeeds if no valid filesystem is found on the device.
"ext3" [or any other filesystem type like xfs, swap, crypto_LUKS, whatever] - succeeds if an ext3 [or another given] filesystem type is found on the device.
un_vol_id
Checks for no known filesystem. Supports a filesystem type as argument via <checkargs>:
no checkargs - succeeds if no valid filesystem is found on the device.
"ext3" [or any other filesystem type like xfs, swap, crypto_LUKS, whatever] - succeeds if no ext3 [or another given] filesystem type is found on the device.
ext2
Checks for a valid ext2/ext3 filesystem.
xfs
Checks for a valid xfs filesystem.
EXAMPLES
Encrypted swap device
cswap /dev/sda6 /dev/random swap
Encrypted luks disk with interactive password
cdisk0 /dev/hda1 none luks
Encrypted ext2 disk with interactive password, retry 5 times if the check fails
cdisk1 /dev/sda2 none checkargs=ext2,tries=5
Encrypted disk with interactive password, use a nondefault check script, no retries
cdisk2 /dev/hdc1 none check=customscript,tries=1
Encrypted disk with interactive password and twofish as cipher
cdisk3 /dev/sda3 none cipher=twofish
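The following added example (not part of the original manual page or of cryptsetup) lints crypttab lines against the rules stated in DESCRIPTION: four mandatory fields, a target name without directories, no random key with luks, and options containing luks or cipher, hash and size. The function names, the sample lines and the inclusion of /dev/urandom are assumptions made for illustration.

```python
# Added example: lint crypttab lines against the rules in DESCRIPTION above.
KNOWN = {"cipher", "size", "hash", "verify", "readonly", "luks", "swap",
         "tmp", "precheck", "check", "checkargs", "tries", "timeout",
         "loud", "keyscript"}                  # option names listed under OPTIONS
RANDOM_KEYS = {"/dev/random", "/dev/urandom"}  # /dev/urandom is an assumption

def lint_line(line):
    """Return the findings for one crypttab line ([] if clean or skipped)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []                              # comments and empty lines
    fields = stripped.split()                  # separated by tabs or spaces
    if len(fields) != 4:
        return [f"expected 4 fields, found {len(fields)}"]
    target, _source, key, options = fields
    findings = []
    if "/" in target:
        findings.append("target must be a plain name without directories")
    names = {item.partition("=")[0] for item in options.split(",")}
    for name in sorted(names - KNOWN):
        findings.append(f"unknown option: {name}")
    if "luks" in names and key in RANDOM_KEYS:
        findings.append("luks requires a persistent key, not random data")
    if "luks" not in names and not {"cipher", "hash", "size"} <= names:
        findings.append("options should contain luks or cipher, hash and size")
    return findings

def lint_crypttab(text):
    """Map 1-based line numbers to findings, for lines that have any."""
    linted = ((n, lint_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return {n: f for n, f in linted if f}

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# <target> <source> <key file> <options>
cdisk0 /dev/hda1 none luks
cswap /dev/sda6 /dev/random luks,swap
mapper/cdisk1 /dev/sda2 none cipher=twofish,hash=sha256,size=256
cdisk2 /dev/hdc1 none
"""

if __name__ == "__main__":
    for number, findings in lint_crypttab(SAMPLE).items():
        print(number, "; ".join(findings))
```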
ENVIRONMENT
CRYPTDISKS_ENABLE
Set to yes to run cryptdisks at startup. Set to no to disable cryptdisks.
CRYPTDISKS_MOUNT
Specifies the mountpoints that are mounted before cryptdisks is invoked. Useful for keys on removable devices, such as cdrom, usbstick, flashcard, ...
CRYPTDISKS_CHECK
Specifies the checkscript to be run against the target device, after cryptdisks has been invoked. The target device is given as the only argument to the checkscript. Takes effect if the check option is given in crypttab with no value.
CRYPTDISKS_PRECHECK
Specifies the checkscript to be run against the source device, before cryptdisks has been invoked. The source device is given as the only argument to the checkscript. Takes effect if the precheck option is given in crypttab with no value.
CRYPTDISKS_TIMEOUT
Specifies the time in seconds to wait for the password before timing out. Takes effect if the timeout option is given in crypttab with no value.
SEE ALSO
cryptsetup(8), /etc/crypttab
AUTHOR
This manual page was converted to asciidoc by Michael Gebetsroither <michael.geb@gmx.at>. This manual page was originally written by Bastian Kleineidam <calvin@debian.org> for the Debian distribution of cryptsetup (but can be used by others). It has been improved by Jonas Meurer <jonas@freesources.org>. Parts of this manual are taken and adapted from the fstab(5) manual page.