author | Lennart Poettering <lennart@poettering.net> | 2020-04-29 23:10:22 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2020-05-19 17:28:47 +0200 |
commit | 6e41f4dd916293f35d7d35cea7eed1807d7ea771 (patch) | |
tree | c14427215513a7fd73321c1f9e25c98dfe531737 /man/systemd-cryptsetup@.service.xml | |
parent | 4eb08bdb71a5a40371de47f6ec958ff3ab279365 (diff) | |
download | systemd-6e41f4dd916293f35d7d35cea7eed1807d7ea771.tar.gz |
man: document the newly acquired cryptsetup features
Diffstat (limited to 'man/systemd-cryptsetup@.service.xml')
-rw-r--r-- | man/systemd-cryptsetup@.service.xml | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/man/systemd-cryptsetup@.service.xml b/man/systemd-cryptsetup@.service.xml index 0324a67440..47051b9cef 100644 --- a/man/systemd-cryptsetup@.service.xml +++ b/man/systemd-cryptsetup@.service.xml 
@@ -44,6 +44,32 @@ <para>At early boot and when the system manager configuration is reloaded, <filename>/etc/crypttab</filename> is translated into <filename>systemd-cryptsetup@.service</filename> units by <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> + + <para>In order to unlock a volume a password or binary key is + required. <filename>systemd-cryptsetup@.service</filename> tries to acquire a suitable password or binary + key via the following mechanisms, tried in order:</para> + + <orderedlist> + <listitem><para>If a key file is explicitly configured (via the third column in + <filename>/etc/crypttab</filename>), a key read from it is used. If a PKCS#11 token is configured + (using the <varname>pkcs11-uri=</varname> option) the key is decrypted before use.</para></listitem> + + <listitem><para>If no key file is configured explicitly this way, a key file is automatically loaded + from <filename>/etc/cryptsetup-keys.d/<replaceable>volume</replaceable>.key</filename> and + <filename>/run/cryptsetup-keys.d/<replaceable>volume</replaceable>.key</filename>, if present. Here + too, if a PKCS#11 token is configured, any key found this way is decrypted before + use.</para></listitem> + + <listitem><para>If the <varname>try-empty-password</varname> option is specified it is then attempted + to unlock the volume with an empty password.</para></listitem> + + <listitem><para>The kernel keyring is then checked for a suitable cached password from previous + attempts.</para></listitem> + + <listitem><para>Finally, the user is queried for a password, possibly multiple times.</para></listitem> + </orderedlist> + + <para>If no suitable key may be acquired via any of the mechanisms describes above, volume activation fails.</para> </refsect1> <refsect1> |
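Review bot: the second list item says a key file is loaded from both /etc/cryptsetup-keys.d/volume.key and /run/cryptsetup-keys.d/volume.key "if present" but does not say which one wins when both exist; state the precedence (or that they are tried in the order listed), because the two locations have different lifetimes (/run is volatile) and an administrator has to know whether a key dropped into /run can shadow the one under /etc. The same hunk also leaves open whether a key file that is found but does not unlock the volume falls through to the later steps (empty password, keyring, prompting) or fails activation outright; the closing paragraph "If no suitable key may be acquired via any of the mechanisms ... volume activation fails" suggests fall-through, so say so explicitly in the first two items. Two wording fixes: "mechanisms describes above" should read "mechanisms described above", and "it is then attempted to unlock the volume with an empty password" reads better as "an attempt is made to unlock the volume with an empty password".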