crypttab - static information about crypted filesystems
<target device> <source device> <key file> <options>
The file crypttab (usually located at /etc/crypttab) contains descriptive information about encrypted file systems. crypttab is only read by programs, and not written; it is the duty of the system administrator to properly create and maintain this file. Each file system is described on a separate line; fields on each line are separated by tabs or spaces. Lines starting with "#" are comments, empty lines are ignored. The order of records in crypttab is important because the /etc/init.d/cryptdisks script sequentially iterates through crypttab doing its thing. Note that all four fields are mandatory and that a missing field will lead to unspecified behaviour. The first field target device describes the mapped device name. It must be a plain filename without any directories. A mapped device /dev/mapper/device name will be created by cryptsetup(8) crypting data from and onto the source device. The second field source device describes the block special device that should hold the encrypted data. The third field key file describes the file to use for decrypting the encrypted data of the source device. It can also be a device name (eg. /dev/random, which is useful for encrypted swap devices). Warning: luks does not support random data keys (like /dev/random), it requires a persistent key. If the key file is the string none, the key data (ie. a password) will be read interactively from the console. In this case, the options precheck, check, checkargs and tries may be useful. The fourth field options describes the cryptsetup options associated with the encryption process. At minimum, the field should contain the string luks or the cipher, hash and size options. Options are in the format: key=value[,key=value ...] The following options are supported:
Encryption algorithm. See cryptsetup -c.
Encryption key size. See cryptsetup -s.
Hash algorithm. See cryptsetup -h.
Verify password. Uses cryptsetup -y.
The backing device is read-only (eg: a dvd).
Use device with luks extensions.
Run mkswap on the created device.
Run mke2fs on the created device.
Check the source device by suitable program; if the check fails the device is not created; <precheck> is a script to check the source device. The source device is given as argument to the script.
Check the content of the device by a suitable program; if the check fails the device is removed. If a program is provided as argument, it is run, giving the decrypted volume (target device) as first, and the value of the checkargs option as second argument. Cryptdisks searches for the given program in /lib/cryptsetup/checks/. Default is vol_id.
Give <arguments> as second argument to the check script. See description for CHECKSCRIPTS for more information.
The input of the passphrase is tried <num> times in case that it fails. If you want to disable retries, give tries=1 as argument. Default is 3.
If key is "none", the cryptdisks script interactively prompts for a password. The timeout option specifies the time in seconds to wait for the password before timing out.
Be loud. Print warnings if a device does not exist.
The executable at the inidicated path is executed with the key file from the third field of the crypttab as its only argument and the output is used as the key. This also works with encrypted root filesystems via initramfs if the executable is self-contained (i.e. not a shell script which relies on external programs).
Checks for any known filesystem. Supports a filesystem type as argument via <checkargs>: no checkargs - succeeds if any valid filesystem is found on the device. "none" - succeeds if no valid filesystem is found on the device. "ext3" [or any other filesystem type like xfs, swap, crypto_LUKS, whatever] - succeeds if an ext3 [or another given] filesystem type is found on the device.
Checks for no known filesystem. Supports a filesystem type as argument via <checkargs>: no checkargs - succeeds if no valid filesystem is found on the device. "ext3" [or any other filesystem type like xfs, swap, crypto_LUKS, whatever] - succeeds if no ext3 [or another given] filesystem type is found on the device.
Checks for a valid ext2/ext3 filesystem.
Checks for a valid xfs filesystem.
Encrypted swap device
cswap /dev/sda6 /dev/random swap
Encrypted luks disk with interactive password
cdisk0 /dev/hda1 none luks
Encrypted ext2 disk with interactive password, retry 5 times if the check fails
cdisk1 /dev/sda2 none checkargs=ext2,tries=5
Encrypted disk with interactive password, use a nondefault check script, no retries
cdisk2 /dev/hdc1 none check=customscript,tries=1
Encrypted disk with interactive password and twofish as cipher
cdisk3 /dev/sda3 none cipher=twofish
Set to yes to run cryptdisks at startup. Set to no to disable cryptdisks.
Specifies the mountpoints that are mounted before cryptdisks is invoked. Useful for keys on removable devices, such as cdrom, usbstick, flashcard, ...
Specifies the checkscript to be run against the target device, after cryptdisks has been invoked. The target device is given as only argument to the checkscript. Takes effect, if the check option is given in crypttab with no value.
Specifies the checkscript to be run against the source device, before cryptdisks has been invoked. The source device is given as only argument to the checkscript. Takes effect, if the precheck option is given in crypttab with no value.
Specifies the time in seconds to wait for the password before timing out. Takes effect, if the timeout option is given in crypttab with no value.
This manual page was converted to asciidoc from Michael Gebetsroither <firstname.lastname@example.org>. This manual page was originally written by Bastian Kleineidam <email@example.com> for the Debian distribution of cryptsetup (but can be used by others). It has been improved by Jonas Meurer <firstname.lastname@example.org>. Parts of this manual are taken and adapted from the fstab(5) manual page.