crypttab(5)crypttab(5)NAME
/etc/crypttab - encrypted block device table
DESCRIPTION
The /etc/crypttab file describes encrypted block devices that are set
up during system boot.
Empty lines and lines starting with the # character are ignored. Each
of the remaining lines describes one encrypted block device, fields on
the line are delimited by white space. The first two fields are manda‐
tory, the remaining two are optional.
The first field contains the name of the resulting encrypted block
device; the device is set up at /dev/mapper/name.
The second field contains a path to the underlying block device, or a
specification of a block device via UUID=<device uuid>. If the block
device contains a LUKS signature, it is opened as a LUKS encrypted par‐
tition; otherwise it is assumed to be a raw dm-crypt partition.
The third field specifies the encryption password. If the field is not
present or the password is set to none, the password has to be manually
entered during system boot. Otherwise the field is interpreted as a
path to a file containing the encryption password. For swap encryption
/dev/urandom or the hardware device /dev/hw_random can be used as the
password file; using /dev/random may prevent boot completion if the
system does not have enough entropy to generate a truly random encryp‐
tion key.
The fourth field, if present, is a comma-delimited list of options.
The following options are recognized:
cipher=cipher
Specifies the cipher to use; see cryptsetup(8) for possible val‐
ues and the default value of this option. A cipher with unpre‐
dictable IV values, such as aes-cbc-essiv:sha256, is recom‐
mended.
size=size
Specifies the key size in bits; see cryptsetup(8) for possible
values and the default value of this option.
hash=hash
Specifies the hash to use for password hashing; see crypt‐
setup(8) for possible values and the default value of this
option.
verify If the the encryption password is read from console, it has to
be entered twice (to prevent typos).
noauto This device will not be automatically unlocked on boot.
swap The encrypted block device will be used as a swap partition, and
will be formatted as a swap partition after setting up the
encrypted block device. The underlying block device will be
formatted again as an unencrypted swap partition after destroy‐
ing the encrypted block device. (This allows sharing a single
swap partition between operating system installations, with some
of them encrypting the swap partitions and some of them not.)
WARNING: Using the swap option will destroy the contents of the
named partition during every boot, so make sure the underlying
block device is specified correctly.
tmp The encrypted block device will be prepared for using it as tmp
partition: it will be formatted using mke2fs and its root direc‐
tory will be set to mode 01777. The warning about the swap
option applies here as well.
No options can be specified for LUKS encrypted partitions.
COMPATIBILITY
The /etc/crypttab file format is based on the Debian cryptsetup pack‐
age, and is intended to be compatible.
SEE ALSOcryptsetup(8)
Jul 2006 crypttab(5)
