1SYSTEMD-CRYPTSETUP-GENERATsOyRs(t8e)md-cryptsetup-geneSrYaStToErMD-CRYPTSETUP-GENERATOR(8)
2
3
4
6 systemd-cryptsetup-generator - Unit generator for /etc/crypttab
7
9 /usr/lib/systemd/system-generators/systemd-cryptsetup-generator
10
12 systemd-cryptsetup-generator is a generator that translates
13 /etc/crypttab into native systemd units early at boot and when
14 configuration of the system manager is reloaded. This will create
15 systemd-cryptsetup@.service(8) units as necessary.
16
17 systemd-cryptsetup-generator implements systemd.generator(7).
18
20 systemd-cryptsetup-generator understands the following kernel command
21 line parameters:
22
23 luks=, rd.luks=
24 Takes a boolean argument. Defaults to "yes". If "no", disables the
25 generator entirely. rd.luks= is honored only in the initrd while
26 luks= is honored by both the main system and in the initrd.
27
28 luks.crypttab=, rd.luks.crypttab=
29 Takes a boolean argument. Defaults to "yes". If "no", causes the
30 generator to ignore any devices configured in /etc/crypttab
31 (luks.uuid= will still work however). rd.luks.crypttab= is honored
32 only in initrd while luks.crypttab= is honored by both the main
33 system and in the initrd.
34
35 luks.uuid=, rd.luks.uuid=
36 Takes a LUKS superblock UUID as argument. This will activate the
37 specified device as part of the boot process as if it was listed in
38 /etc/crypttab. This option may be specified more than once in order
39 to set up multiple devices. rd.luks.uuid= is honored only in the
40 initrd, while luks.uuid= is honored by both the main system and in
41 the initrd.
42
43 If /etc/crypttab contains entries with the same UUID, then the
44 name, keyfile and options specified there will be used. Otherwise,
45 the device will have the name "luks-UUID".
46
47 If /etc/crypttab exists, only those UUIDs specified on the kernel
48 command line will be activated in the initrd or the real root.
49
50 luks.name=, rd.luks.name=
51 Takes a LUKS super block UUID followed by an "=" and a name. This
52 implies rd.luks.uuid= or luks.uuid= and will additionally make the
53 LUKS device given by the UUID appear under the provided name.
54
55 This parameter is the analogue of the first crypttab(5) field
56 volume-name.
57
58 rd.luks.name= is honored only in the initrd, while luks.name= is
59 honored by both the main system and in the initrd.
60
61 luks.data=, rd.luks.data=
62 Takes a LUKS super block UUID followed by a "=" and a block device
63 specification for device hosting encrypted data.
64
65 For those entries specified with rd.luks.uuid= or luks.uuid=, the
66 data device will be set to the one specified by rd.luks.data= or
67 luks.data= of the corresponding UUID.
68
69 LUKS data device parameter is useful for specifying encrypted data
70 devices with detached headers specified in luks.options entry
71 containing "header=" argument. For example,
72 rd.luks.uuid=b40f1abf-2a53-400a-889a-2eccc27eaa40
73 rd.luks.options=b40f1abf-2a53-400a-889a-2eccc27eaa40=header=/path/to/luks.hdr
74 rd.luks.data=b40f1abf-2a53-400a-889a-2eccc27eaa40=/dev/sdx. Hence,
75 in this case, we will attempt to unlock LUKS device assembled from
76 data device "/dev/sdx" and LUKS header (metadata) put in
77 "/path/to/luks.hdr" file. This syntax is for now only supported on
78 a per-device basis, i.e. you have to specify LUKS device UUID.
79
80 This parameter is the analogue of the second crypttab(5) field
81 encrypted-device.
82
83 rd.luks.data= is honored only in the initrd, while luks.data= is
84 honored by both the main system and in the initrd.
85
86 luks.key=, rd.luks.key=
87 Takes a password file name as argument or a LUKS super block UUID
88 followed by a "=" and a password file name.
89
90 For those entries specified with rd.luks.uuid= or luks.uuid=, the
91 password file will be set to the one specified by rd.luks.key= or
92 luks.key= of the corresponding UUID, or the password file that was
93 specified without a UUID.
94
95 It is also possible to specify an external device which should be
96 mounted before we attempt to unlock the LUKS device.
97 systemd-cryptsetup will use password file stored on that device.
98 Device containing password file is specified by appending colon and
99 a device identifier to the password file path. For example,
100 rd.luks.uuid=b40f1abf-2a53-400a-889a-2eccc27eaa40
101 rd.luks.key=b40f1abf-2a53-400a-889a-2eccc27eaa40=/keyfile:LABEL=keydev.
102 Hence, in this case, we will attempt to mount file system residing
103 on the block device with label "keydev". This syntax is for now
104 only supported on a per-device basis, i.e. you have to specify LUKS
105 device UUID.
106
107 This parameter is the analogue of the third crypttab(5) field
108 key-file.
109
110 rd.luks.key= is honored only in the initrd, while luks.key= is
111 honored by both the main system and in the initrd.
112
113 luks.options=, rd.luks.options=
114 Takes a LUKS super block UUID followed by an "=" and a string of
115 options separated by commas as argument. This will override the
116 options for the given UUID.
117
118 If only a list of options, without an UUID, is specified, they
119 apply to any UUIDs not specified elsewhere, and without an entry in
120 /etc/crypttab.
121
122 This parameter is the analogue of the fourth crypttab(5) field
123 options.
124
125 It is possible to specify an external device which should be
126 mounted before we attempt to unlock the LUKS device.
127 systemd-cryptsetup will assemble LUKS device by combining data
128 device specified in luks.data with detached LUKS header found in
129 "header=" argument. For example,
130 rd.luks.uuid=b40f1abf-2a53-400a-889a-2eccc27eaa40
131 rd.luks.options=b40f1abf-2a53-400a-889a-2eccc27eaa40=header=/luks.hdr:LABEL=hdrdev
132 rd.luks.data=b40f1abf-2a53-400a-889a-2eccc27eaa40=/dev/sdx. Hence,
133 in this case, we will attempt to mount file system residing on the
134 block device with label "hdrdev", and look for "luks.hdr" on that
135 file system. Said header will be used to unlock (decrypt) encrypted
136 data stored on /dev/sdx. This syntax is for now only supported on a
137 per-device basis, i.e. you have to specify LUKS device UUID.
138
139 rd.luks.options= is honored only by initial RAM disk (initrd) while
140 luks.options= is honored by both the main system and in the initrd.
141
143 systemd(1), crypttab(5), systemd-cryptsetup@.service(8), systemd-
144 cryptenroll(1), cryptsetup(8), systemd-fstab-generator(8)
145
146
147
148systemd 253 SYSTEMD-CRYPTSETUP-GENERATOR(8)