1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
.\" A man page for /etc/crypttab.
.\"
.\" Copyright (C) 2006 Red Hat, Inc. All rights reserved.
.\"
.\" This copyrighted material is made available to anyone wishing to use,
.\" modify, copy, or redistribute it subject to the terms and conditions of the
.\" GNU General Public License v.2.
.\"
.\" This program is distributed in the hope that it will be useful, but WITHOUT
.\" ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
.\" FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
.\" more details.
.\"
.\" You should have received a copy of the GNU General Public License along
.\" with this program; if not, write to the Free Software Foundation, Inc.,
.\" 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
.\"
.\" Author: Miloslav Trmac <mitr@redhat.com>
.TH crypttab 5 "Jul 2006"
.SH NAME
/etc/crypttab - encrypted block device table
.SH DESCRIPTION
The
.B /etc/crypttab
file describes encrypted block devices that are set up during system boot.
Empty lines and lines starting with the
.B #
character are ignored.
Each of the remaining lines describes one encrypted block device,
fields on the line are delimited by white space.
The first two fields are mandatory, the remaining two are optional.
The first field contains the
.I name
of the resulting encrypted block device;
the device is set up at
\fB/dev/mapper/\fIname\fR.
The second field contains a path to the underlying block device.
If the block device contains a LUKS signature,
it is opened as a LUKS encrypted partition;
otherwise it is assumed to be a raw dm-crypt partition.
The third field specifies the encryption password.
If the field is not present or the password is set to \fBnone\fR,
the password has to be manually entered during system boot.
Otherwise the field is interpreted as a path to a file
containing the encryption password.
This field does not support spaces, whether escaped with back slashes
or quotes. Back slashes or quotes will cause this field
to be interpreted as a path to a password file. If you wish
to use a password with spaces in it, please use a password file.
If using a password file, please note that the entire contents of the
password file is used, including new lines and non-printable characters.
A password file without a line feed can be created with the "echo" command's "-n"
option. For example: echo -n "pass phrase" > MyPasswordFile
For swap encryption
.B /dev/urandom
can be used as the password file;
using
.B /dev/random
may prevent boot completion
if the system does not have enough entropy
to generate a truly random encryption key.
The fourth field, if present, is a comma-delimited list of options.
The following options are recognized:
.TP
\fBcipher=\fIcipher\fR
Specifies the cipher to use; see
.BR cryptsetup (8)
for possible values and the default value of this option.
A cipher with unpredictable IV values, such as
\fBaes-cbc-essiv:sha256\fR, is recommended.
.TP
\fBsize=\fIsize\fR
Specifies the key size in bits; see
.BR cryptsetup (8)
for possible values and the default value of this option.
.TP
\fBhash=\fIhash\fR
Specifies the hash to use for password hashing; see
.BR cryptsetup (8)
for possible values and the default value of this option.
.TP
\fBverify\fR
If the the encryption password is read from console,
it has to be entered twice (to prevent typos).
.TP
\fBswap\fR
The encrypted block device will be used as a swap partition,
and will be formatted as a swap partition
after setting up the encrypted block device.
The underlying block device
will be formatted again as an unencrypted swap partition
after destroying the encrypted block device.
(This allows sharing a single swap partition between operating
system installations,
with some of them encrypting the swap partitions and some of them not.)
\fIWARNING\fR: Using the
.B swap
option will destroy the contents of the named partition during every boot, so
make sure the underlying block device is specified correctly.
.TP
\fBtmp\fR
The encrypted block device will be prepared for using it as tmp partition:
it will be formatted using
.B mke2fs
and its root directory will be set to mode 01777.
The warning about the
.B swap
option applies here as well.
.PP
No options can be specified for LUKS encrypted partitions.
.SH COMPATIBILITY
The
.B /etc/crypttab
file format is based on the Debian cryptsetup package,
and is intended to be compatible.
.SH SEE ALSO
.BR cryptsetup (8)
|
