Provided by:
cryptsetup_1.0.5-2ubuntu12_i386 
NAME
crypttab - static information about encrypted filesystems
SYNOPSIS
crypttab
<target device> <source device> <key file> <options>
DESCRIPTION
The file crypttab (usually located at /etc/crypttab) contains
descriptive information about encrypted file systems. crypttab is only
read by programs, and not written; it is the duty of the system
administrator to properly create and maintain this file. Each file
system is described on a separate line; fields on each line are
separated by tabs or spaces. Lines starting with "#" are comments;
empty lines are ignored. The order of records in crypttab is important
because the /etc/init.d/cryptdisks script iterates through crypttab
sequentially, processing each entry in turn. Note that all four fields
are mandatory and that a missing field will lead to unspecified
behaviour.
The first field, target device, describes the mapped device name. It
must be a plain filename without any directories. A mapped device
/dev/mapper/<device name> will be created by cryptsetup(8), encrypting
data written to and decrypting data read from the source device.
The second field source device describes the block special device that
should hold the encrypted data.
The third field key file describes the file to use for decrypting the
encrypted data of the source device.
It can also be a device name (e.g. /dev/random, which is useful for
encrypted swap devices). Warning: LUKS does not support random data
keys (like /dev/random); it requires a persistent key.
If the key file is the string none, the key data (i.e. a password) will
be read interactively from the console. In this case, the options
precheck, check, checkargs and tries may be useful.
The fourth field options describes the cryptsetup options associated
with the encryption process. At minimum, the field should contain the
string luks or the cipher, hash and size options.
Options are in the format: key=value[,key=value ...]. The following
options are supported:
OPTIONS
cipher=<cipher>
Encryption algorithm. See cryptsetup -c.
size=<size>
Encryption key size. See cryptsetup -s.
hash=<hash>
Hash algorithm. See cryptsetup -h.
verify
Verify password. Uses cryptsetup -y.
readonly
The backing device is read-only (e.g. a DVD).
luks
Use device with LUKS extensions.
swap
Run mkswap on the created device.
tmp
Run mke2fs on the created device.
precheck=<precheck>
Check the source device with a suitable program; if the check fails,
the device is not created. <precheck> is a script that checks the
source device. The source device is given as argument to the script.
check=<check>
Check the content of the device with a suitable program; if the check
fails, the device is removed. If a program is provided as argument,
it is run with the decrypted volume (target device) as first
argument and the value of the checkargs option as second argument.
Cryptdisks searches for the given program in
/lib/cryptsetup/checks/. Default is vol_id.
checkargs=<arguments>
Give <arguments> as second argument to the check script. See the
CHECKSCRIPTS section for more information.
tries=<num>
Passphrase entry is attempted up to <num> times if it fails. To
disable retries, give tries=1 as argument.
Default is 3.
timeout=<sec>
If key is "none", the cryptdisks script interactively prompts for a
password. The timeout option specifies the time in seconds to wait
for the password before timing out.
loud
Be loud. Print warnings if a device does not exist.
keyscript=<path>
The executable at the indicated path is executed with the key file
from the third field of the crypttab as its only argument and the
output is used as the key. This also works with encrypted root
filesystems via initramfs if the executable is self-contained (i.e.
not a shell script which relies on external programs).
CHECKSCRIPTS
vol_id
Checks for any known filesystem. Supports a filesystem type as
argument via <checkargs>:
no checkargs - succeeds if any valid filesystem is found on the device.
"none" - succeeds if no valid filesystem is found on the device.
"ext3" [or any other filesystem type like xfs, swap, crypto_LUKS,
whatever] - succeeds if an ext3 [or another given] filesystem type is
found on the device.
un_vol_id
Checks for no known filesystem. Supports a filesystem type as
argument via <checkargs>:
no checkargs - succeeds if no valid filesystem is found on the device.
"ext3" [or any other filesystem type like xfs, swap, crypto_LUKS,
whatever] - succeeds if no ext3 [or another given] filesystem type is
found on the device.
ext2
Checks for a valid ext2/ext3 filesystem.
xfs
Checks for a valid xfs filesystem.
EXAMPLES
Encrypted swap device
cswap /dev/sda6 /dev/random swap
Encrypted luks disk with interactive password
cdisk0 /dev/hda1 none luks
Encrypted ext2 disk with interactive password, retry 5 times if the
check fails
cdisk1 /dev/sda2 none checkargs=ext2,tries=5
Encrypted disk with interactive password, use a non-default check
script, no retries
cdisk2 /dev/hdc1 none check=customscript,tries=1
Encrypted disk with interactive password and twofish as cipher
cdisk3 /dev/sda3 none cipher=twofish
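An added example, not part of the original manual page or of the cryptsetup package: a small Python linter that applies the rules stated above (four mandatory fields, a directory-free target name, the option names listed under OPTIONS, no /dev/random key with luks, and luks or cipher+hash+size as the minimum) to crypttab lines. The function names and the sample lines are constructed for illustration; the minimum-options rule is reported as a warning because the page words it as "should".

```python
KNOWN = {"cipher", "size", "hash", "verify", "readonly", "luks", "swap", "tmp",
         "precheck", "check", "checkargs", "tries", "timeout", "loud",
         "keyscript"}                      # option names listed under OPTIONS

def parse_options(field):
    """Split 'key=value,flag' into a dict; bare flags map to None."""
    parts = (item.partition("=") for item in field.split(",") if item)
    return {key: (value if sep else None) for key, sep, value in parts}

def lint_line(line):
    """Return the findings for one crypttab line ([] if none)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []                          # comments and empty lines
    fields = stripped.split()              # separated by tabs or spaces
    if len(fields) != 4:
        return ["error: expected 4 fields, found %d" % len(fields)]
    target, _source, key, optfield = fields
    opts = parse_options(optfield)
    findings = []
    if "/" in target:
        findings.append("error: target must be a plain name, no directories")
    for name in sorted(set(opts) - KNOWN):
        findings.append("error: unknown option '%s'" % name)
    if "luks" in opts and key == "/dev/random":
        findings.append("error: luks requires a persistent key")
    if "luks" not in opts and not {"cipher", "hash", "size"} <= set(opts):
        findings.append("warning: neither luks nor cipher+hash+size given")
    return findings

def lint_text(text):
    """Map 1-based line numbers to findings, for lines that have any."""
    pairs = ((n, lint_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return {n: f for n, f in pairs if f}

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# <target> <source> <key file> <options>
cswap /dev/sda6 /dev/random swap,cipher=twofish,hash=sha256,size=256
cdisk0 /dev/hda1 none luks
mapper/cdisk1 /dev/sda2 none luks
cdisk2 /dev/sdb1 /dev/random luks
cdisk3 /dev/sdc1 none
cdisk4 /dev/sdd1 none luks,retries=5
"""

if __name__ == "__main__":
    print(lint_text(SAMPLE))
```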
ENVIRONMENT
CRYPTDISKS_ENABLE
Set to yes to run cryptdisks at startup. Set to no to disable
cryptdisks.
CRYPTDISKS_MOUNT
Specifies the mount points that are mounted before cryptdisks is
invoked. Useful for keys on removable devices, such as a CD-ROM,
USB stick or flash card.
CRYPTDISKS_CHECK
Specifies the checkscript to be run against the target device,
after cryptdisks has been invoked. The target device is given as
the only argument to the checkscript. Takes effect if the check
option is given in crypttab with no value.
CRYPTDISKS_PRECHECK
Specifies the checkscript to be run against the source device,
before cryptdisks has been invoked. The source device is given as
the only argument to the checkscript. Takes effect if the precheck
option is given in crypttab with no value.
CRYPTDISKS_TIMEOUT
Specifies the time in seconds to wait for the password before
timing out. Takes effect if the timeout option is given in
crypttab with no value.
SEE ALSO
cryptsetup(8), /etc/crypttab
AUTHOR
This manual page was converted to asciidoc by Michael Gebetsroither
<michael.geb@gmx.at>. This manual page was originally written by
Bastian Kleineidam <calvin@debian.org> for the Debian distribution of
cryptsetup (but can be used by others). It has been improved by Jonas
Meurer <jonas@freesources.org>. Parts of this manual are taken and
adapted from the fstab(5) manual page.
04/11/2008 CRYPTTAB(5)