crypttab man page on SuSE


CRYPTTAB(5)		       Cryptsetup Manual		   CRYPTTAB(5)

NAME
       crypttab - static information about crypted filesystems

SYNOPSIS
       crypttab

	   NAME DEVICE KEY OPTIONS

DESCRIPTION
       The file /etc/crypttab contains descriptive information about
       encrypted volumes. Each volume is described on a separate line; columns
       on each line are separated by tabs or spaces. Lines starting with "#"
       are comments, empty lines are ignored. The order of records in crypttab
       is important because the /etc/init.d/boot.crypto script sequentially
       iterates through crypttab entries. All four columns are mandatory,
       missing or excessive columns will lead to unspecified behaviour.

       ·   The first column, NAME, specifies the mapped device name. It must be
	   a plain filename without any directories. A mapped device
	   /dev/mapper/NAME will be created by cryptsetup(8); data written to
	   it is encrypted onto DEVICE and data read from it is decrypted.

	   To actually mount that device it needs to be listed in /etc/fstab.

       ·   The second column DEVICE specifies the block special device that
	   should hold the encrypted data.

       ·   The third column KEY specifies a file containing the raw binary key
	   to use for decrypting the encrypted data of DEVICE. The key file
	   can also be a device name (e.g.  /dev/urandom, which is useful for
	   encrypted swap devices).

	   If KEY is the string none, the key data (i.e. a password or
	   passphrase) will be read interactively from the console. In this
	   case the options precheck, check, checkargs and tries may be
	   useful.

	   Warning: luks does not support infinite streams (like
	   /dev/urandom), it requires a fixed size key. Typically one uses
	   none for luks.

       ·   The fourth field OPTIONS specifies the cryptsetup options
	   associated with the encryption process. At minimum, the field
	   should contain the string luks or the cipher, hash and size
	   options.

	   Options have to be specified in the format: key=value[,key=value
	   ...]

OPTIONS
       cipher=<cipher>
	   Encryption algorithm. See cryptsetup -c.

       size=<size>
	   Encryption key size. See cryptsetup -s.

       hash=<hash>
	   Hash algorithm. See cryptsetup -h.

       verify
	   Verify password. See cryptsetup -y.

       readonly
	   The backing device is read-only (e.g. a DVD).

       luks
	   Use device with luks extensions.

       swap
	   Run mkswap on the created device.

       tmp
	   Run mkfs on the created device. The file system to use is specified
	   in /etc/fstab. If /etc/fstab does not list the mapped device, ext2
	   is used as fallback.

       check[=<program>]
	   Check the content of the mapped device by a suitable program; if
	   the check fails the device is removed. The specified program is run
	   giving the decrypted volume (/dev/mapper/NAME) as first and the
	   value of the checkargs option as second argument. Cryptdisks
	   searches for the given program in /lib/cryptsetup/checks/. If no
	   program is specified, vol_id is used.

       checkargs=<argument>
	   Pass <argument> as second argument to the check script.

       precheck=<program>
	   Check the source device by a suitable program; if the check fails the
	   device is not created; <precheck> is a script to check the source
	   device. The source device is given as argument to the script. See
	   also the check option.

       tries=<num>
	   Prompt for the passphrase at most <num> times if the entered
	   passphrase was wrong. Default is 3. Only works for LUKS volumes.

       timeout=<sec>
	   Time out interactive password prompts after <sec> seconds.

       loop
	   Always attach a loop device before mapping the device. Normally a
	   loop device is used automatically only for image files. Useful if
	   the block size of the physical device does not match the block size
	   of the contained file system. E.g. ext2 on a CD.

       noauto
	   Causes boot.crypto to skip this record during boot. To activate
	   this volume later use: /etc/init.d/boot.crypto start <name>

       noearly
	   boot.crypto is invoked two times. The first time as
	   boot.crypto-early before LVM and MD setup and the second time as
	   boot.crypto after mounting local filesystems. This option skips the
	   setup of the device in the first invocation. It might be needed for
	   crypto file containers residing on local filesystems other than
	   root.

       initrd
	   Tells mkinitrd to activate this device in the initrd already. Only
	   LUKS and no other options are supported. The root partition is
	   detected automatically by mkinitrd and doesn’t need this option
	   explicitly.

       pseed=<string>
	   Set a string that is appended to the passphrase after hashing.
	   Using different seeds for volumes with the same passphrase makes
	   dictionary attacks harder. Use for compatibility with loop-AES.

       itercountk=<num>
	   Encrypts the hashed password <num> thousand times using AES-256.
	   Use for compatibility with loop-AES.

       loud, ssl, gpg, keyscript
	   Not supported. Listed here as they are supported by Debian.

CHECKSCRIPTS
       Check scripts are installed in /lib/cryptsetup/checks/ and are called
       either before (precheck option) or after (check option) the dm-crypt
       target is set up.

       vol_id

	   Checks for any known filesystem. Supports a filesystem type as
	   argument via <checkargs>:

       no checkargs
	   succeeds if any valid filesystem is found on the device.

       "none"
	   succeeds if no valid filesystem is found on the device.

       "ext3", "xfs", "swap" etc
	   succeeds if the given filesystem type is found on the device.

UNLOCKING DEVICES AT BOOT TIME
       There are three ways to unlock encrypted partitions during boot:

       ·   initrd: the root file system as well as any device listed in
	   crypttab with option initrd are unlocked by the scripts in the
	   initrd already.

       ·   before mounting local file systems: the init script
	   boot.crypto-early runs before the scripts that fsck and mount
	   additional filesystems. This is the preferred way to unlock devices
	   as the normal fsck and mount scripts can handle the device later.

       ·   after mounting local file systems: the boot.crypto init script is
	   the traditional way of unlocking crypto devices. It runs after fsck
	   and mount of local file systems.  boot.crypto should only be used
	   for loop mounted images nowadays.

EXAMPLES
       Encrypted swap device
	   cswap /dev/sda6 /dev/random swap

       Encrypted luks volume with interactive password
	   cdisk0 /dev/hda1 none luks

       Encrypted luks volume with interactive password, use a custom check
       script, no retries
	   cdisk2 /dev/hdc1 none luks,check=customscript,checkargs=foo,tries=1

       Encrypted volume with interactive password and a cryptoloop compatible
       twofish256 cipher
	   cdisk3 /dev/sda3 none cipher=twofish-cbc-plain,size=256,hash=sha512
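
       The rules stated above (four mandatory columns, a plain-filename
       NAME, luks needing a fixed size key, tries being LUKS-only, and the
       Debian-only options) can be checked before boot.crypto reads the
       file. The linter below is an added example, not part of the SUSE
       cryptsetup package; lint_crypttab, parse_options, the list of
       endless key sources and the sample lines are assumptions made here.

```python
# Added example: lint crypttab text against the rules stated on this page.
INFINITE_STREAMS = {"/dev/urandom", "/dev/random"}  # assumed list of endless key sources
DEBIAN_ONLY = {"loud", "ssl", "gpg", "keyscript"}   # listed on the page as not supported

def parse_options(field):
    """Split 'key=value,flag' into a dict; bare flags map to ''."""
    return dict(item.partition("=")[::2] for item in field.split(","))

def lint_crypttab(text):
    """Return (line_number, message) findings for the given crypttab text."""
    findings = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and empty lines are ignored
        cols = line.split()               # columns are separated by tabs or spaces
        if len(cols) != 4:
            findings.append((num, "expected 4 columns, found %d" % len(cols)))
            continue
        name, _device, key = cols[:3]
        opts = parse_options(cols[3])
        luks = "luks" in opts
        if "/" in name:
            findings.append((num, "NAME must be a plain filename"))
        if not luks and not {"cipher", "hash", "size"} <= set(opts):
            findings.append((num, "OPTIONS should contain luks or cipher, hash and size"))
        if luks and key in INFINITE_STREAMS:
            findings.append((num, "luks needs a fixed size key, not " + key))
        if "tries" in opts and not luks:
            findings.append((num, "tries only works for LUKS volumes"))
        for opt in sorted(DEBIAN_ONLY & set(opts)):
            findings.append((num, opt + " is not supported"))
    return findings

# Constructed sample: cdisk0 and cdisk3 are from EXAMPLES, the rest are made up.
SAMPLE = """\
# name   device     key           options
cdisk0   /dev/hda1  none          luks
cdisk3   /dev/sda3  none          cipher=twofish-cbc-plain,size=256,hash=sha512
cdata    /dev/sdb1  /dev/urandom  luks
../x     /dev/sdb2  none          luks,keyscript=/bin/true
cold     /dev/sdb3  none          cipher=aes-cbc-plain,tries=1
cshort   /dev/sdb4  luks
"""

if __name__ == "__main__":
    for num, msg in lint_crypttab(SAMPLE):
        print("line %d: %s" % (num, msg))
```

       The page's own encrypted swap example, whose OPTIONS field is just
       swap, draws the OPTIONS advisory because it names neither luks nor
       cipher, hash and size.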

SEE ALSO
       cryptsetup(8), /etc/crypttab, fstab(5)

AUTHOR
       Manual page converted to asciidoc by Michael Gebetsroither
       <michael.geb@gmx.at>. Originally written by Bastian Kleineidam
       <calvin@debian.org> for the Debian distribution of cryptsetup. Improved
       by Jonas Meurer <jonas@freesources.org>. Modified for SUSE Linux by
       Ludwig Nussel <ludwig.nussel@suse.de>. Parts of this manual were taken
       and adapted from the fstab(5) manual page.

cryptsetup			  01/27/2010			   CRYPTTAB(5)