1SYSTEMD-CRYPTSETUP@.SERVICEs(y8s)temd-cryptsetup@.serSvYiScTeEMD-CRYPTSETUP@.SERVICE(8)
2
3
4

NAME

6       systemd-cryptsetup@.service, systemd-cryptsetup - Full disk decryption
7       logic
8

SYNOPSIS

10       systemd-cryptsetup@.service
11
12       system-systemd\x2dcryptsetup.slice
13
14       /usr/lib/systemd/systemd-cryptsetup
15

DESCRIPTION

17       systemd-cryptsetup@.service is a service responsible for setting up
18       encrypted block devices. It is instantiated for each device that
19       requires decryption for access.
20
21       systemd-cryptsetup@.service instances are part of the
22       system-systemd\x2dcryptsetup.slice slice, which is destroyed only very
23       late in the shutdown procedure. This allows the encrypted devices to
24       remain up until filesystems have been unmounted.
25
26       systemd-cryptsetup@.service will ask for hard disk passwords via the
27       password agent logic[1], in order to query the user for the password
28       using the right mechanism at boot and during runtime.
29
30       At early boot and when the system manager configuration is reloaded,
31       /etc/crypttab is translated into systemd-cryptsetup@.service units by
32       systemd-cryptsetup-generator(8).
33
34       In order to unlock a volume a password or binary key is required.
35       systemd-cryptsetup@.service tries to acquire a suitable password or
36       binary key via the following mechanisms, tried in order:
37
38        1. If a key file is explicitly configured (via the third column in
39           /etc/crypttab), a key read from it is used. If a PKCS#11 token,
40           FIDO2 token or TPM2 device is configured (using the pkcs11-uri=,
41           fido2-device=, tpm2-device= options) the key is decrypted before
42           use.
43
44        2. If no key file is configured explicitly this way, a key file is
45           automatically loaded from /etc/cryptsetup-keys.d/volume.key and
46           /run/cryptsetup-keys.d/volume.key, if present. Here too, if a
47           PKCS#11/FIDO2/TPM2 token/device is configured, any key found this
48           way is decrypted before use.
49
50        3. If the try-empty-password option is specified it is then attempted
51           to unlock the volume with an empty password.
52
53        4. The kernel keyring is then checked for a suitable cached password
54           from previous attempts.
55
56        5. Finally, the user is queried for a password, possibly multiple
57           times, unless the headless option is set.
58
59       If no suitable key may be acquired via any of the mechanisms describes
60       above, volume activation fails.
61

SEE ALSO

63       systemd(1), systemd-cryptsetup-generator(8), crypttab(5), systemd-
64       cryptenroll(1), cryptsetup(8)
65

NOTES

67        1. password agent logic
68           https://systemd.io/PASSWORD_AGENTS/
69
70
71
72systemd 250                                     SYSTEMD-CRYPTSETUP@.SERVICE(8)