1SYSTEMD-CRYPTSETUP-GENERATsOyRs(t8e)md-cryptsetup-geneSrYaStToErMD-CRYPTSETUP-GENERATOR(8)
2
3
4

NAME

6       systemd-cryptsetup-generator - Unit generator for /etc/crypttab
7

SYNOPSIS

9       /usr/lib/systemd/system-generators/systemd-cryptsetup-generator
10

DESCRIPTION

12       systemd-cryptsetup-generator is a generator that translates
13       /etc/crypttab into native systemd units early at boot and when
14       configuration of the system manager is reloaded. This will create
15       systemd-cryptsetup@.service(8) units as necessary.
16
17       systemd-cryptsetup-generator implements systemd.generator(7).
18

KERNEL COMMAND LINE

20       systemd-cryptsetup-generator understands the following kernel command
21       line parameters:
22
23       luks=, rd.luks=
24           Takes a boolean argument. Defaults to "yes". If "no", disables the
25           generator entirely.  rd.luks= is honored only in the initrd while
26           luks= is honored by both the main system and in the initrd.
27
28       luks.crypttab=, rd.luks.crypttab=
29           Takes a boolean argument. Defaults to "yes". If "no", causes the
30           generator to ignore any devices configured in /etc/crypttab
31           (luks.uuid= will still work however).  rd.luks.crypttab= is honored
32           only in initrd while luks.crypttab= is honored by both the main
33           system and in the initrd.
34
35       luks.uuid=, rd.luks.uuid=
36           Takes a LUKS superblock UUID as argument. This will activate the
37           specified device as part of the boot process as if it was listed in
38           /etc/crypttab. This option may be specified more than once in order
39           to set up multiple devices.  rd.luks.uuid= is honored only in the
40           initrd, while luks.uuid= is honored by both the main system and in
41           the initrd.
42
43           If /etc/crypttab contains entries with the same UUID, then the
44           name, keyfile and options specified there will be used. Otherwise,
45           the device will have the name "luks-UUID".
46
47           If /etc/crypttab exists, only those UUIDs specified on the kernel
48           command line will be activated in the initrd or the real root.
49
50       luks.name=, rd.luks.name=
51           Takes a LUKS super block UUID followed by an "=" and a name. This
52           implies rd.luks.uuid= or luks.uuid= and will additionally make the
53           LUKS device given by the UUID appear under the provided name.
54
55           This parameter is the analogue of the first crypttab(5) field
56           volume-name.
57
58           rd.luks.name= is honored only in the initrd, while luks.name= is
59           honored by both the main system and in the initrd.
60
61       luks.data=, rd.luks.data=
62           Takes a LUKS super block UUID followed by a "=" and a block device
63           specification for device hosting encrypted data.
64
65           For those entries specified with rd.luks.uuid= or luks.uuid=, the
66           data device will be set to the one specified by rd.luks.data= or
67           luks.data= of the corresponding UUID.
68
69           LUKS data device parameter is useful for specifying encrypted data
70           devices with detached headers specified in luks.options entry
71           containing "header=" argument. For example,
72           rd.luks.uuid=b40f1abf-2a53-400a-889a-2eccc27eaa40
73           rd.luks.options=b40f1abf-2a53-400a-889a-2eccc27eaa40=header=/path/to/luks.hdr
74           rd.luks.data=b40f1abf-2a53-400a-889a-2eccc27eaa40=/dev/sdx. Hence,
75           in this case, we will attempt to unlock LUKS device assembled from
76           data device "/dev/sdx" and LUKS header (metadata) put in
77           "/path/to/luks.hdr" file. This syntax is for now only supported on
78           a per-device basis, i.e. you have to specify LUKS device UUID.
79
80           This parameter is the analogue of the second crypttab(5) field
81           encrypted-device.
82
83           rd.luks.data= is honored only in the initrd, while luks.data= is
84           honored by both the main system and in the initrd.
85
86       luks.key=, rd.luks.key=
87           Takes a password file name as argument or a LUKS super block UUID
88           followed by a "=" and a password file name.
89
90           For those entries specified with rd.luks.uuid= or luks.uuid=, the
91           password file will be set to the one specified by rd.luks.key= or
92           luks.key= of the corresponding UUID, or the password file that was
93           specified without a UUID.
94
95           It is also possible to specify an external device which should be
96           mounted before we attempt to unlock the LUKS device.
97           systemd-cryptsetup will use password file stored on that device.
98           Device containing password file is specified by appending colon and
99           a device identifier to the password file path. For example,
100           rd.luks.uuid=b40f1abf-2a53-400a-889a-2eccc27eaa40
101           rd.luks.key=b40f1abf-2a53-400a-889a-2eccc27eaa40=/keyfile:LABEL=keydev.
102           Hence, in this case, we will attempt to mount file system residing
103           on the block device with label "keydev". This syntax is for now
104           only supported on a per-device basis, i.e. you have to specify LUKS
105           device UUID.
106
107           This parameter is the analogue of the third crypttab(5) field
108           key-file.
109
110           rd.luks.key= is honored only in the initrd, while luks.key= is
111           honored by both the main system and in the initrd.
112
113       luks.options=, rd.luks.options=
114           Takes a LUKS super block UUID followed by an "=" and a string of
115           options separated by commas as argument. This will override the
116           options for the given UUID.
117
118           If only a list of options, without an UUID, is specified, they
119           apply to any UUIDs not specified elsewhere, and without an entry in
120           /etc/crypttab.
121
122           This parameter is the analogue of the fourth crypttab(5) field
123           options.
124
125           It is possible to specify an external device which should be
126           mounted before we attempt to unlock the LUKS device.
127           systemd-cryptsetup will assemble LUKS device by combining data
128           device specified in luks.data with detached LUKS header found in
129           "header=" argument. For example,
130           rd.luks.uuid=b40f1abf-2a53-400a-889a-2eccc27eaa40
131           rd.luks.options=b40f1abf-2a53-400a-889a-2eccc27eaa40=header=/luks.hdr:LABEL=hdrdev
132           rd.luks.data=b40f1abf-2a53-400a-889a-2eccc27eaa40=/dev/sdx. Hence,
133           in this case, we will attempt to mount file system residing on the
134           block device with label "hdrdev", and look for "luks.hdr" on that
135           file system. Said header will be used to unlock (decrypt) encrypted
136           data stored on /dev/sdx. This syntax is for now only supported on a
137           per-device basis, i.e. you have to specify LUKS device UUID.
138
139           rd.luks.options= is honored only by initial RAM disk (initrd) while
140           luks.options= is honored by both the main system and in the initrd.
141

SEE ALSO

143       systemd(1), crypttab(5), systemd-cryptsetup@.service(8), systemd-
144       cryptenroll(1), cryptsetup(8), systemd-fstab-generator(8)
145
146
147
148systemd 253                                    SYSTEMD-CRYPTSETUP-GENERATOR(8)
Impressum