man crypttab (Formats) - static information about crypted filesystems

NAME

crypttab - static information about crypted filesystems

SYNOPSIS

crypttab
<target device> <source device> [key file] [options]

DESCRIPTION

The file crypttab (usually located at /etc/crypttab) contains descriptive information about encrypted file systems. crypttab is only read by programs, and not written; it is the duty of the system administrator to properly create and maintain this file. Each file system is described on a separate line; fields on each line are separated by tabs or spaces. Lines starting with "#" are comments; empty lines are ignored. The order of records in crypttab is important because the /etc/init.d/cryptdisks script iterates through crypttab sequentially, setting up each device in turn.

The first field target device describes the mapped device name. It must be a plain filename without any directories. A mapped device /dev/mapper/<target device> will be created by cryptsetup(8), encrypting and decrypting data to and from the source device.

The second field source device describes the block special device that should hold the encrypted data.

The third field key file describes the file to use for decrypting the encrypted data of the source device.

It can also be a device name (e.g. /dev/random, which is useful for encrypted swap devices). Warning: luks does not support random data keys (like /dev/random); it requires a persistent key.

If the key file is empty or the string none, the key data (i.e. a password) will be read interactively from the console. In this case, the options precheck, check and retry may be useful.

The fourth field options describes the cryptsetup options associated with the encryption process. Options are in the format key=value[,key=value ...]. The following options are supported:

OPTIONS

cipher=<cipher>
Encryption algorithm. See cryptsetup -c.
size=<size>
Encryption key size. See cryptsetup -s.
hash=<hash>
Hash algorithm. See cryptsetup -h.
verify
Verify password. Uses cryptsetup -y.
readonly
The backing device is read-only (e.g. a DVD).
luks
Use device with luks extensions.
swap
Run mkswap on the created device.
tmp
Run mke2fs on the created device.
precheck=<precheck>
Check the source device with a suitable program; if the check fails, the device is not created. If a program is given as the argument, it is run with the decrypted volume as its first argument. The program is assumed to be a script in /lib/cryptsetup/checks.
check=<check>
Check the content of the device with a suitable program; if the check fails, the device is removed, and if the retry option is given, the creation is repeated. If a program is given as the argument, it is run with the decrypted volume as its first argument. Cryptdisks searches for the given program in /lib/cryptsetup/checks.
retry=<num>
If the device creation fails, or if the check program fails, remove the device and try again to create it; if key is "none" this will ask for the password again. This is repeated <num> times. Default is 3.
timeout=<sec>
If key is "none", the cryptdisks script interactively prompts for a password. The timeout option specifies the time in seconds to wait for the password before timing out.
loud
Be loud. Print warnings if a device does not exist.
ssl
Decrypt the keyfile with openssl before actually using it for cryptsetup. This requires /usr/bin/openssl to be available. Thus it doesn't work for encrypted root filesystems or if /usr is a separate filesystem.
gpg
Decrypt the keyfile with gnupg before actually using it for cryptsetup. This requires /usr/bin/gnupg to be available. Thus it doesn't work for encrypted root filesystems or if /usr is a separate filesystem.
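As an added example (not from the original page, and not one of the scripts Debian ships in /lib/cryptsetup/checks), the following shows the shape of a program usable with check= or precheck= under the contract stated above: it receives the decrypted volume as its first argument and reports failure with a non-zero exit status. Which content to look for is this example's own assumption: it tests for the ext2/ext3/ext4 superblock magic (0xEF53 at byte offset 1080), so a mapping set up with the wrong key, whose decrypted data is effectively random, fails the check and is removed or retried.

```shell
#!/bin/sh
# Added example, not part of cryptsetup or Debian's /lib/cryptsetup/checks:
# the shape of a check= / precheck= program as this page describes it.
# cryptdisks runs the program with the decrypted volume as its first
# argument and treats a non-zero exit status as "check failed".

# has_ext2_magic DEV: true if DEV carries an ext2/3/4 superblock. The
# superblock starts at byte 1024 and its magic 0xEF53 sits at offset 56
# within it, so bytes 1080-1081 must read 53 EF (little-endian).
has_ext2_magic() {
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# check_volume DEV: status 0 = content looks right; 1 = wrong content
# (cryptdisks then removes the mapping, or retries when retry= is set);
# 2 = misuse.
check_volume() {
    dev=$1
    if [ -z "$dev" ]; then
        echo "usage: check_volume <decrypted volume>" >&2
        return 2
    fi
    if [ ! -r "$dev" ]; then
        echo "$dev: cannot read" >&2
        return 1
    fi
    if has_ext2_magic "$dev"; then
        echo "$dev: ext2 superblock present"
        return 0
    fi
    echo "$dev: no ext2 superblock, refusing to keep the mapping" >&2
    return 1
}

# make_demo_image FILE WITH_MAGIC: a constructed 4 KiB image standing in for
# the decrypted volume; WITH_MAGIC=1 stamps the ext2 magic at offset 1080.
make_demo_image() {
    dd if=/dev/zero of="$1" bs=1024 count=4 2>/dev/null
    if [ "${2:-0}" = 1 ]; then
        printf '\123\357' | dd of="$1" bs=1 seek=1080 conv=notrunc 2>/dev/null
    fi
}

# Demo over two constructed images: "wrong key" (all zeros) and ext2-looking.
img=$(mktemp)
make_demo_image "$img" 0
check_volume "$img" || echo "exit $? -> cryptdisks would remove or retry the mapping"
make_demo_image "$img" 1
check_volume "$img"
rm -f "$img"
```

Installed under /lib/cryptsetup/checks (the file name is the administrator's choice), with check_volume "$1"; exit $? as its last line instead of the demo, and referenced as check=<that name>, the script gives cryptdisks the go/no-go decision the check and retry options rely on; the precheck variant is the same program run before the device is created.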

EXAMPLES

Encrypted swap device
cswap /dev/sda6 /dev/random swap
Encrypted luks disk with interactive password
cdisk1 /dev/hda1 none luks
Encrypted ext2 disk with interactive password, retry 3 times if the check fails
cdisk0 /dev/sda2 none check=ext2,retry=3
Encrypted disk with twofish as cipher
cdisk2 /dev/sda3 none cipher=twofish
Encrypted luks disk with an openssl-encrypted keyfile
cdisk3 /dev/hda2 /etc/keys/keyfile luks,ssl
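The following script, added here as an example and not part of cryptsetup or the Debian cryptdisks script, turns the rules stated in DESCRIPTION and OPTIONS into a lint pass over a crypttab file: comment and empty lines are skipped, fields are split on tabs or spaces, the target must be a plain filename, a luks record must not use a random key device, and every option must be one documented above, with or without a value as documented. The sample file it writes is constructed for this example: its first four records are the examples above, the last three are deliberately wrong. Treating /dev/urandom like /dev/random and requiring the source device to be an absolute path are this example's own additions.

```shell
#!/bin/sh
# Added example, not part of cryptsetup or the Debian cryptdisks script: a lint
# pass that applies the field and option rules described on this page to a
# crypttab file. Diagnostics go to stdout; the return value is the problem count.

# Option names documented on this page, split by whether they take a value.
FLAG_OPTS="verify readonly luks swap tmp loud ssl gpg"
VALUE_OPTS="cipher size hash precheck check retry timeout"

# in_list WORD "w1 w2 ...": true if WORD is one of the listed words.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# has_opt "opt,key=value,..." NAME: true if NAME appears as a bare flag.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# problem MSG: record one diagnostic against the record being checked.
problem() {
    echo "line $lineno: $*"
    errors=$((errors + 1))
}

# lint_crypttab FILE: check every record of FILE; return how many problems it has.
lint_crypttab() {
    file=$1
    errors=0
    lineno=0
    set -f                                   # no globbing while splitting with set --
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line                         # fields are separated by tabs or spaces
        [ $# -eq 0 ] && continue             # empty line
        case "$1" in \#*) continue ;; esac   # comment
        if [ $# -lt 2 ]; then
            problem "need at least <target device> <source device>"
            continue
        fi
        [ $# -le 4 ] || problem "more than four fields"
        target=$1 src=$2 key=${3:-none} opts=${4:-}
        # The target becomes /dev/mapper/<target>, so it must be a plain filename.
        case "$target" in
            */*|.|..) problem "target '$target' must be a plain filename without directories" ;;
        esac
        # The source is a block special device; expect an absolute path (example's assumption).
        case "$src" in
            /*) ;;
            *) problem "source device '$src' is not an absolute device path" ;;
        esac
        # luks needs a persistent key; a random key device only makes sense for swap.
        if has_opt "$opts" luks; then
            case "$key" in
                /dev/random|/dev/urandom) problem "luks cannot use a random key ($key)" ;;
            esac
        fi
        # Options are key=value[,key=value ...]; check each against the documented set.
        for opt in $(printf '%s' "$opts" | tr ',' ' '); do
            name=${opt%%=*}
            if [ "$name" = "$opt" ]; then value=; has_value=0
            else value=${opt#*=}; has_value=1; fi
            if in_list "$name" "$FLAG_OPTS"; then
                [ $has_value -eq 0 ] || problem "option '$name' takes no value"
            elif in_list "$name" "$VALUE_OPTS"; then
                [ -n "$value" ] || problem "option '$name' needs a value"
            else
                problem "unknown option '$name'"
            fi
            case "$name" in
                retry|timeout)
                    case "$value" in *[!0-9]*) problem "option '$name' must be a number" ;; esac ;;
            esac
        done
    done < "$file"
    set +f
    return $errors
}

# write_sample FILE: a constructed crypttab; the first four records are this
# page's examples, the last three are deliberately wrong.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample for the lint example
cswap   /dev/sda6   /dev/random        swap
cdisk1  /dev/hda1   none               luks
cdisk0  /dev/sda2   none               check=ext2,retry=3
cdisk3  /dev/hda2   /etc/keys/keyfile  luks,ssl

../evil /dev/sda9   none               luks
cbad    /dev/sda7   /dev/random        luks
codd    sda8        none               cipher,retry=many,bogus
EOF
}

# Demo run over the constructed sample; expect 6 diagnostics.
demo=$(mktemp)
write_sample "$demo"
lint_crypttab "$demo" || echo "$? problem(s) found"
rm -f "$demo"
```

Because the return value is the problem count, lint_crypttab /etc/crypttab && echo ok is usable as a sanity check after editing the file and before a reboot depends on it; a record that cryptdisks would silently mishandle (a luks volume keyed from /dev/random, a misspelled option) is reported while the console is still available.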

SEE ALSO

cryptsetup(8), /etc/crypttab

AUTHOR

This manual page was converted to asciidoc by Michael Gebetsroither <michael.geb@gmx.at>. This manual page was originally written by Bastian Kleineidam <calvin@debian.org> for the Debian distribution of cryptsetup (but can be used by others). It has been improved by Jonas Meurer <jonas@freesources.org>. Parts of this manual are taken and adapted from the fstab(5) manual page.