crypttab(5) File Formats Manual crypttab(5)

/etc/crypttab - encrypted block device table

The /etc/crypttab file describes encrypted block devices that are set
up during system boot.

Empty lines and lines starting with the # character are ignored. Each
of the remaining lines describes one encrypted block device; fields on
the line are delimited by white space. The first two fields are
mandatory, the remaining two are optional.

The first field contains the name of the resulting encrypted block
device; the device is set up at /dev/mapper/name.

The second field contains a path to the underlying block device. If
the block device contains a LUKS signature, it is opened as a LUKS
encrypted partition; otherwise it is assumed to be a raw dm-crypt
partition.

The third field specifies the encryption password. If the field is not
present or the password is set to none, the password has to be manually
entered during system boot. Otherwise the field is interpreted as a
path to a file containing the encryption password. This field does not
support spaces, whether escaped with backslashes or quotes. Backslashes
or quotes will cause this field to be interpreted as a path to a
password file. If you wish to use a password with spaces in it, please
use a password file. If using a password file, please note that the
entire contents of the password file are used, including newlines and
non-printable characters. A password file without a line feed can be
created with the "echo" command's "-n" option. For example:

       echo -n "pass phrase" > MyPasswordFile

For swap encryption, /dev/urandom can be used as the password file;
using /dev/random may prevent boot completion if the system does not
have enough entropy to generate a truly random encryption key.

The fourth field, if present, is a comma-delimited list of options.
The following options are recognized:

cipher=cipher
       Specifies the cipher to use; see cryptsetup(8) for possible
       values and the default value of this option. A cipher with
       unpredictable IV values, such as aes-cbc-essiv:sha256, is
       recommended.

size=size
       Specifies the key size in bits; see cryptsetup(8) for possible
       values and the default value of this option.

hash=hash
       Specifies the hash to use for password hashing; see
       cryptsetup(8) for possible values and the default value of this
       option.

verify If the encryption password is read from console, it has to
       be entered twice (to prevent typos).

swap   The encrypted block device will be used as a swap partition, and
       will be formatted as a swap partition after setting up the
       encrypted block device. The underlying block device will be
       formatted again as an unencrypted swap partition after
       destroying the encrypted block device. (This allows sharing a
       single swap partition between operating system installations,
       with some of them encrypting the swap partitions and some of
       them not.)

       WARNING: Using the swap option will destroy the contents of the
       named partition during every boot, so make sure the underlying
       block device is specified correctly.

tmp    The encrypted block device will be prepared for use as a tmp
       partition: it will be formatted using mke2fs and its root
       directory will be set to mode 01777. The warning about the swap
       option applies here as well.

No options can be specified for LUKS encrypted partitions.

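The field rules above can be checked mechanically before a reboot. The following linter is an added example, not part of the original manual page or of cryptsetup; the function name lint_crypttab and the sample entries are constructed for illustration, and it does not inspect devices, so it cannot tell whether a partition carries a LUKS signature.

```python
# Added example: lint crypttab text against the rules described in this page.
KEYED = {"cipher", "size", "hash"}   # options of the form key=value

def lint_crypttab(text):
    """Return a list of (line_number, name, message) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()  # tolerating leading whitespace is an assumption
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        name = fields[0]
        def warn(msg, lineno=lineno, name=name):
            findings.append((lineno, name, msg))
        if len(fields) < 2:
            warn("missing mandatory device field")
            continue
        if len(fields) > 4:
            warn("more than four fields; field 3 does not support spaces")
        password = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        if any(c in password for c in "\\\"'"):
            warn("backslash or quote in field 3: it is read as a password file path")
        if password == "/dev/random":
            warn("/dev/random as password file may prevent boot completion")
        for opt in options:
            key, sep, value = opt.partition("=")
            if sep and key in KEYED and value:
                continue
            if not sep and key in ("swap", "tmp"):
                warn(f"'{key}' destroys the contents of {fields[1]} on every boot")
            elif not sep and key == "verify":
                if password != "none":
                    warn("'verify' applies only to a password read from console")
            else:
                warn(f"unrecognized option '{opt}'")
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# name  device     password      options
cswap   /dev/sda2  /dev/random   swap,cipher=aes-cbc-essiv:sha256
cdata   /dev/sdb1  none          verify
ctmp    /dev/sda3  /dev/urandom  tmp,size=256,noauto
broken
"""
if __name__ == "__main__":
    for lineno, name, msg in lint_crypttab(SAMPLE):
        print(f"line {lineno} ({name}): {msg}")
```

Every swap or tmp entry is reported on purpose, so the device path next to it gets a second look before the next boot.
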
The /etc/crypttab file format is based on the Debian cryptsetup
package, and is intended to be compatible.

cryptsetup(8)

Jul 2006 crypttab(5)