Provided by: cryptsetup_1.0.3-0ubuntu1_i386

NAME

       crypttab - static information about encrypted filesystems

SYNOPSIS

       crypttab
               <target device>  <source device>  [key file]  [options]

DESCRIPTION

       The file crypttab (usually located at /etc/crypttab) contains
       descriptive information about encrypted file systems. crypttab is only
       read by programs, never written by them; it is the duty of the system
       administrator to properly create and maintain this file. Each file
       system is described on a separate line; fields on each line are
       separated by tabs or spaces. Lines starting with "#" are comments, and
       empty lines are ignored. The order of records in crypttab is important
       because the /etc/init.d/cryptdisks script iterates through crypttab
       sequentially, processing one record at a time.

       The first field, target device, is the name of the mapped device. It
       must be a plain filename without any directories. A mapped device
       /dev/mapper/<target device> will be created by cryptsetup(8), which
       encrypts data written to the source device and decrypts data read
       from it.

       The second field source device describes the block special device  that
       should hold the encrypted data.

       The  third  field key file describes the file to use for decrypting the
       encrypted data of the source device.

       It can also be a device name (e.g. /dev/random, which is useful for
       encrypted swap devices). Warning: LUKS does not support random data
       keys (like /dev/random); it requires a persistent key.

       If the key file is empty or the string none, the key data (i.e. a
       password) will be read interactively from the console. In this case,
       the options precheck, check and retry may be useful.

       The fourth field, options, describes the cryptsetup options associated
       with the encryption process. Options are in the format:
       key=value[,key=value ...]. The following options are supported:

OPTIONS

       cipher=<cipher>
              Encryption algorithm. See cryptsetup -c.

       size=<size>
              Encryption key size. See cryptsetup -s.

       hash=<hash>
              Hash algorithm. See cryptsetup -h.

       verify Verify password. Uses cryptsetup -y.

       readonly
              The backing device is read-only (e.g. a DVD).

       luks   Use device with LUKS extensions.

       swap   Run mkswap on the created device.

       tmp    Run mke2fs on the created device.

       precheck=<precheck>
              Check the source device with a suitable program; if the check
              fails, the device is not created. If a program is provided as
              argument, it is run, using the decrypted volume as first
              argument. The program is assumed to be a script in
              /lib/cryptsetup/checks.

       check=<check>
              Check the content of the device with a suitable program; if the
              check fails, the device is removed; if the retry option is
              given, the creation is repeated. If a program is provided as
              argument, it is run, using the decrypted volume as first
              argument. The cryptdisks script searches for the given program
              in /lib/cryptsetup/checks.

       retry=<num>
              If the device creation fails, or if  the  check  program  fails,
              remove  the device, and try again to create it: if key is "none"
              this will ask for the password again.  This  is  repeated  <num>
              times. Default is 3.

       timeout=<sec>
              If  key  is  "none", the cryptdisks script interactively prompts
              for a password. The timeout option specifies the time in seconds
              to wait for the password before timing out.

       loud   Be loud. Print warnings if a device does not exist.

       ssl    Decrypt the keyfile with openssl before actually using it for
              cryptsetup. This requires /usr/bin/openssl to be available, so
              it doesn’t work for encrypted root filesystems or if /usr is a
              separate filesystem.

       gpg    Decrypt the keyfile with gnupg before actually using it for
              cryptsetup. This requires /usr/bin/gnupg to be available, so
              it doesn’t work for encrypted root filesystems or if /usr is a
              separate filesystem.

EXAMPLES

       Encrypted swap device
              cswap /dev/sda6 /dev/random swap

       Encrypted luks disk with interactive password
              cdisk1 /dev/hda1 none luks

       Encrypted  ext2  disk  with  interactive password, retry 3 times if the
       check fails
              cdisk0 /dev/sda2 none check=ext2,retry=3

       Encrypted disk with twofish as cipher
              cdisk2 /dev/sda3 none cipher=twofish

       Encrypted luks disk with an openssl-encrypted keyfile
              cdisk3 /dev/hda2 /etc/keys/keyfile luks,ssl
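
       Checking a crypttab against the rules above. This is an added example,
       not part of the original manual page or of the cryptsetup package. The
       function names parse_crypttab and lint, the /dev/urandom entry, the
       option name "discard" and the devices in the sample are assumptions
       made for illustration.

```python
# Option names listed in the OPTIONS section of this page.
KNOWN_OPTIONS = {"cipher", "size", "hash", "verify", "readonly", "luks", "swap",
                 "tmp", "precheck", "check", "retry", "timeout", "loud", "ssl", "gpg"}
# /dev/urandom is an assumption added here; the page names only /dev/random.
RANDOM_KEYS = {"/dev/random", "/dev/urandom"}
# Constructed sample: lines 2-3 come from EXAMPLES, lines 4-7 are deliberately wrong.
SAMPLE = """\
# <target device> <source device> [key file] [options]
cswap          /dev/sda6  /dev/random        swap
cdisk0         /dev/sda2  none               check=ext2,retry=3
mapper/cdisk1  /dev/hda1  none               luks
cswap2         /dev/sda7  /dev/random        luks,swap
cdisk2         /dev/sda3  none               cipher=twofish,discard
cdisk3         /dev/hda2  /etc/keys/keyfile  luks,ssl,timeout=10
"""

def parse_crypttab(text):
    """Return (lineno, target, source, key, options) for every record."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()            # fields are separated by tabs or spaces
        if not fields or fields[0].startswith("#"):
            continue                     # empty lines and comments are ignored
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: target and source device required")
        key = fields[2] if len(fields) > 2 else "none"   # empty key means "none"
        options = {}
        for item in (fields[3].split(",") if len(fields) > 3 else []):
            name, _, value = item.partition("=")
            options[name] = value or None    # flag options carry no value
        records.append((lineno, fields[0], fields[1], key, options))
    return records

def lint(text):
    """Return (lineno, message) findings, in file order."""
    findings = []
    for lineno, target, _source, key, opts in parse_crypttab(text):
        if "/" in target:
            findings.append((lineno, "target must be a plain name, no directories"))
        if "luks" in opts and key in RANDOM_KEYS:
            findings.append((lineno, "luks requires a persistent key"))
        for name in sorted(set(opts) - KNOWN_OPTIONS):
            findings.append((lineno, f"option '{name}' is not listed on this page"))
        if "timeout" in opts and key != "none":
            findings.append((lineno, "timeout only applies when key is none"))
    return findings

if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print(f"line {lineno}: {message}")
```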

SEE ALSO

       cryptsetup(8), /etc/crypttab

AUTHOR

       This manual page was converted to asciidoc by Michael Gebetsroither
       <michael.geb@gmx.at>. This manual page was originally written by
       Bastian Kleineidam <calvin@debian.org> for the Debian distribution of
       cryptsetup (but can be used by others). It has been improved by Jonas
       Meurer <jonas@freesources.org>. Parts of this manual are taken and
       adapted from the fstab(5) manual page.

                                                                   CRYPTTAB(5)