SYSTEMD-CRYPTSETUP@.SERVICE(8)  systemd-cryptsetup@.service  SYSTEMD-CRYPTSETUP@.SERVICE(8)

NAME

       systemd-cryptsetup@.service, systemd-cryptsetup - Full disk decryption
       logic

SYNOPSIS

       systemd-cryptsetup@.service

       /usr/lib/systemd/systemd-cryptsetup

DESCRIPTION

       systemd-cryptsetup@.service is a service responsible for setting up
       encrypted block devices. It is instantiated for each device that
       requires decryption for access.

       systemd-cryptsetup@.service will ask for hard disk passwords via the
       password agent logic[1], in order to query the user for the password
       using the right mechanism at boot and during runtime.

       At early boot and when the system manager configuration is reloaded,
       /etc/crypttab is translated into systemd-cryptsetup@.service units by
       systemd-cryptsetup-generator(8).

       In order to unlock a volume a password or binary key is required.
       systemd-cryptsetup@.service tries to acquire a suitable password or
       binary key via the following mechanisms, tried in order:

        1. If a key file is explicitly configured (via the third column in
           /etc/crypttab), a key read from it is used. If a PKCS#11 token is
           configured (using the pkcs11-uri= option) the key is decrypted
           before use.

        2. If no key file is configured explicitly this way, a key file is
           automatically loaded from /etc/cryptsetup-keys.d/volume.key and
           /run/cryptsetup-keys.d/volume.key, if present. Here too, if a
           PKCS#11 token is configured, any key found this way is decrypted
           before use.

        3. If the try-empty-password option is specified, an attempt is then
           made to unlock the volume with an empty password.

        4. The kernel keyring is then checked for a suitable cached password
           from previous attempts.

        5. Finally, the user is queried for a password, possibly multiple
           times.

       If no suitable key may be acquired via any of the mechanisms described
       above, volume activation fails.

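       The lookup order above, modelled as an added example (not part of the
       original man page or of systemd): a Python function that reads crypttab
       text and lists, per volume, which key sources would be tried and in
       what order. The sample crypttab, the function names, and the treatment
       of "none" and "-" as "no key file" (from crypttab(5)) are assumptions
       of the example.

```python
import os

KEY_DIRS = ("/etc/cryptsetup-keys.d", "/run/cryptsetup-keys.d")

# Constructed sample crypttab: name, device, key file, options.
SAMPLE = """\
# volume  device      keyfile             options
root      UUID=1111   none                luks
data      /dev/sdb1   /etc/keys/data.key  luks,pkcs11-uri=pkcs11:token=demo
scratch   /dev/sdc1   -                   try-empty-password
home      /dev/sdd1   none                luks
"""

def key_sources(crypttab_text, exists=os.path.exists):
    """Return {volume: [key sources in the order they are tried]}."""
    plan = {}
    for line in crypttab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        name = fields[0]
        # "none" and "-" mean "no explicit key file" (per crypttab(5)).
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        token = any(o.startswith("pkcs11-uri=") for o in options)
        suffix = " (decrypted via PKCS#11 token)" if token else ""
        steps = []
        if keyfile not in ("none", "-"):                  # mechanism 1
            steps.append(f"keyfile:{keyfile}{suffix}")
        else:                                             # mechanism 2
            steps += [f"auto-keyfile:{d}/{name}.key{suffix}"
                      for d in KEY_DIRS if exists(f"{d}/{name}.key")]
        # Assumption: only the bare option spelling used on the page is matched.
        if "try-empty-password" in options:               # mechanism 3
            steps.append("empty-password")
        steps += ["kernel-keyring", "prompt"]             # mechanisms 4 and 5
        plan[name] = steps
    return plan

def stored_or_empty_key_volumes(plan):
    """Volumes that try a key file on disk or an empty password first."""
    early = ("keyfile:", "auto-keyfile:", "empty-password")
    return sorted(v for v, s in plan.items() if s[0].startswith(early))

if __name__ == "__main__":
    for volume, steps in key_sources(SAMPLE).items():
        print(volume, "->", " > ".join(steps))
```

       Volumes returned by stored_or_empty_key_volumes() are the ones whose
       key file permissions or empty-password setting deserve review.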

SEE ALSO

       systemd(1), systemd-cryptsetup-generator(8), crypttab(5), cryptsetup(8)

NOTES

        1. password agent logic
           https://systemd.io/PASSWORD_AGENTS/

systemd 246                                     SYSTEMD-CRYPTSETUP@.SERVICE(8)